Shostack + Friends Blog Archive

 

NISCC Does It Their Way: Poorly

A post by Paul Wouters to the DailyDave list drew attention to “Vendor response of the Openswan project” to “NISCC Vulnerability Advisory 273756/NISCC/ISAKMP.” I feel like its 1997 again.

The Oulu University Secure Programming Group (OUSPG) discovered a number of flaws with the ISAKMP/IKE portions of the IPSec protocols. OUSPG built a tool, and either OUSPG or NISCC notified and distributed the tools to some subset of vendors.
That tool is now available from “PROTOS Test-Suite: c09-isakmp.” (That page also contains the best explanation I’ve seen yet of the issues.)

According to “CERT-FI and NISCC Joint Vulnerability Advisory ISAKMP,” (9 pp pdf) the following vendors provided a response: 3Com, Secgo, Cisco, Stonesoft Corp, Entrust, strongSwan, IBM, TeamF1 Inc, Intoto Inc, Juniper Networks, Microsoft, Mitel Corporation.
It’s not clear who else was notified. This is in keeping with the irresponsible disclosure technique of protecting those who don’t respond to or acknowledge a bug. That technique is irresponsible because it requires each user of a product to independently validate the state of their systems.

What is clear is that at least one major open source vendor (OpenSwan) was not notified, or was given less information than the commercial vendors. Paul, maybe you need a “CERT liason” with a miniskirt?

I’d list a CVE for the vuln, but the advisory contains no CVE. This is really quite poor coordination, and I urge all national CERTS to avoid coordination with NISCC until they get their act together.

The OSVDB blog has a bit more. [link to http://www.osvdb.org/blog/?p=62 no longer works]