Report states that OpenBSD developers played down critical vulnerability [Update]
There is more to the bug in OpenBSD reported yesterday than was thought, according to more detailed information. It is apparently possible to obtain control of a system with a single ICMP6 packet. At a minimum it is possible to crash the system, which for many people running an internet server is in itself unacceptable. The OpenBSD team did not initially give any detailed information on the problem. However, Core Security, discoverers of the vulnerability, today supplied further information on the problem and disclosed that the developers had wanted to play it down.
The OpenBSD team did publish a patch shortly after being informed of the bug, but were not willing to categorise the bug as a vulnerability or security issue. Core Security had sent them only one exploit, which caused a kernel panic. According to OpenBSD's reading, bugs which crash a server, even where they can be exploited remotely, are not vulnerabilities. A bug is only a vulnerability where it allows the system to be compromised. The developers of FreeBSD, who decline to provide updates for local DoS vulnerabilities, have a similarly idiosyncratic definition of security problems.
OpenBSD's assessment was not, however, shared by Core Security, who continued to talk of a security vulnerability. In addition, it had not been definitively clarified whether or not the bug could be used to inject and execute code. The OpenBSD developers denied this - their analysis indicated that the bug could only cause a memory access violation and could not be used to inject data in a targeted manner. In response Core Security supplied the ultimate riposte - an exploit which could be used to execute code with kernel privileges. According to the advisory, the developers still refused to concede the point and classified the patch as a "reliability fix" - i.e. a patch to improve system stability. Only after further bickering did OpenBSD class the fix as security-related - Core Security first had to agree to indicate in the security advisory that the bug could only be exploited in IPv6 networks, which at present considerably reduces the attack possibilities.
Henning Brauer of OpenBSD has pointed out that at the time the patch was released his team had only Core Security's claim that code could be injected through this hole. He said that it was not clear whether this claim was justified. His team therefore went ahead and released the patch as a "reliability fix" so as not to delay publication any further. When it finally turned out that the flaw was indeed critical, the matter was documented immediately. Brauer therefore rejects claims that he was downplaying anything.
And yet, Core Security had informed the OpenBSD team about the proof-of-concept exploit two days before the reliability fix was published. Brauer was not able to explain why his team was not able to investigate the claims within those two days.
- OpenBSD's IPv6 mbufs remote kernel buffer overflow, security advisory from Core Security
- Security update for OpenBSD fixes problem with ICMP6 packets, report on heise Security