Remotely Crash OpenBSD

*no comment* writes "If you are running OpenBSD on your IPv6 install, it might be time to upgrade to -current. (just kidding) There is, however, a way to crash OpenBSD 3.4 with a couple of simple IPv6 commands. Georgi Guninski, found the problem. To quote Theo, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.

Double standards?

[Threni]

I'm thinking that if someone from Microsoft stated "It's just a crash" the editors here would be just a touch more sarcastic...

Oh wow

[The Bungi]

To quote Theo, 'it is just a crash.'

Maybe the next time Bashdork reports the new evil IE vulnerability that allows my desktop wallpaper to be changed by a hacker in Romania I'll se a quote like this one. "To quote [whomever], head of [whatever] at Microsoft, it's just a crash".

I'm sure.

Re:Does this count?

[inertia187]

I don't think the IPv6 install is the default. Even if it is, 'it's just a crash' not a remote hole. So, yes they can still boast.

Re:Double standards?

[jwthompson2]

"It's Just a crash" is among the dumbest things anyone could say about a bug. Not quite as bad as "It's just a remote root exploit" but very disturbing none the less. The only thing that seems to offer any reassurance is that it requires a patched kernel or custom stack to exploit but a person bent on bringing down a system *could* do these things without too much trouble I would think. My question is for a serious cracker wouldn't taking down a system in a manner like this be much more inviting if all they want to do is bring a system down?

Re:Oh wow

[lxs]

I'd rather have a box crashed than a box rooted. But maybe I'm just funny that way.

Re:Patch for production systems?

[Anonymous Coward]

Are you on an IP6 network? I'm betting you aren't....
But if you are just wait a little while for the fix.

Re:Does this count?

[timeOday]

Guess it depends on how you define "hole."

Personally I don't like random people crashing my servers, so I'd call it a hole!

It's called selective quoting

[Flower]

Without seeing Theo's complete statement you can't tell if the statement is dismissive (something I find difficult to believe) or if it is qualifying - i.e. the exploit only produces a crash.

Fwiw, I wouldn't go into riot mode over four monosyllable words taken out of context be it from MS or OBSD. Of course, this is /. and that nice little blurb will most certainly cause a lot of banner hits as people will just have to comment. I can personally attest to 3 to get this post up.

"Crash" vs. "Root Exploit"

[billstewart]

Yes, it's disturbing, but only because it happened, not because Theo's clueless. But the point of such a comment is that "It's NOT a root exploit". By contrast, with Microsoft, major exploits happen Too Frequently and crashes happen too often to bother reporting.

A non-serious cracker might have fun taking down OpenBSD a few times with an exploit like this. A more serious cracker would do this to try to convince some number of systems to stop running the most secure OS that's reasonably available and replace it with more vulnerable systems that aren't getting spanked a lot.

Re:Maybe time to drop this "securitier than thou"

[ScottSpeaks!]

I'd find the OpenBSD crew's haughty "more secure than thou" attitude a lot more annoying if it weren't for the fact that their track record actually justifies it. The fact that you can still count the number of remote exploits using a two-bit register is pretty impressive.

Comparing MS to OpenBSD?

[chadm1967]

I've read a bunch of posts comparing this "possible" hole in OpenBSD to those in MS. There's NO comparison! I bet Theo and the OpenBSD developers are already working on a fix. Actually, they probably already have one. With MS, it takes much, much longer! And sometimes, the "fixes" that MS so-called developers come up with break something else.

Re:Maybe time to drop this "securitier than thou"

[Richard_at_work]

yes, when I saw this and noticed people commenting on the "Securer than tho" stance taken, my immediate thought was

"Hmm, well if we have gotten to the point where people have to roll their own net stack or patch a kernel to bring an issue to the for, then hasnt hte OpenBSD project succeeded in its goal?"

Re:Double standards?

[gid13]

If Microsoft had few enough exploits that they had a security record worth protecting by saying "it's just a crash", perhaps the editors wouldn't feel it necessary to be so sarcastic?

Especially given that Microsoft is a company that charges for their product, where OpenBSD is free.

Track record

[AvantLegion]

I'm thinking that if someone from Microsoft stated "It's just a crash" the editors here would be just a touch more sarcastic...

The day Microsoft has half the kind of security track record as OpenBSD, they'll be cut some slack.

OpenBSD had earned a little slack. MS still has a long way to go in system security/stability before they deserve the same treatment.

Re:Oh wow

[Nimrangul]

What crackpipe have you been using? It must greatly enhance the smoking experience. The funding was not pulled "pulled moments before it was to be paid," the funds were already greatly used. There was about three months left before the funding from POSSE was ended. Theo does not seem like an ass to me, he does instead seem like someone that dismisses stupid shit that random people say because he has better things to do.

Why does "remote hole" == elevation of privilege?

[xswl0931]

A "remote hole" doesn't have to just be obtaining root access. Being able to remotely crash a server is almost as bad. So no, they cannot boast.

Just a crash..

[fven]

As a sysadmin of a college network, "just a crash" *really* helped me.

I replaced all firewalls with OpenBSD filtering bridges. One rather persistent script kiddie (unfortuneately a legitimite $luser on the network) decided to send a few malformed packets here, there and everywhere. One of these crashed the filtering bridge at the edge of that particular subnet.

Immediately no packets enter or leave that subnet and I get about 40 phone calls "the internet is broken / my session crashed..." and go and deal with it.

Just a crash, saved several boxes. By contrast, accessible linux machines, privelege escalation - root exploit. All over.

Now if only the average windows box would *only* bluescreen in response to being cracked/ infection with the latest...rather than sending mal packets everywhere. Then infection would be self limiting and the world would be a better place.

Re:Double standards?

[spitzak]

He IS being sarcastic. If this was a Microsoft bug and they said "It's just a crash" it surely would be quoted exactly the same way, because it is a silly statement. Let's see:

*no comment* writes "If you are IPv6 on WinXP, it might be time to upgrade to Linux (just kidding). There is, however, a way to crash WinXP with a couple of simple IPv6 commands. Georgi Guninski, found the problem. To quote Bill Gates, 'it is just a crash.'" It is unknown if the bug could be used to execute arbitrary code, but it does require patching a Linux kernel (or rolling your own network stack) to exploit.

Okay, now that the wording has been changed to Microsoft, doesn't it suddenly look like a typical rabid-anti-Microsoft Slashdot article? You are so blinded by the belief that everything is anti-Microsoft that you cannot even see people being sarcastic about anything not Microsoft!

Re:IPv7?

[weicco]

Maybe because 6 bytes can't fit in address field which length is 4 bytes, you would trash the option-field or data :P

Re:about ipv6

[burns210]

ipv6 is a must-upgrade solution... it IS newer code, it does get rid of NAT(which is partially used for security) and ipv4 DOES have some hacks to make it scale higher... however, once all of china connects to the net, all of india, all of everyone, there just physically isn't enough. And NAT just ins't a clean solution when used with private addressing, it works, but it is a hack to an unavoidable fix.

ipv6 has security built into it, more addresses then particles in the universe, and eliminates the need for private addressing and nat... we should move to ipv6 if for no other reason than it is a cleaner, better solution to internet addressing.

Re:Does this count?

[edhall]

Just because they fixed it before it was reported doesn't mean it never existed -- or that it was never quietly exploited. This sort of semantic game detracts from the hard work that goes into OpenBSD. It may be no worse than the sort of word games used to market other software, but in an area like security where trust is paramount it needlessly raises suspicion.

-Ed

Re:Maybe time to drop this "securitier than thou"

[tiger99]

Tha analogy would be the way the press treat road and rail accidents. In the UK (BTW no passengers at all were killed in crashes last year) it is headline news for weeks, and then again all through the inevitable pubilc enquiry if 4 people are killed in a train crash, yet IIRC on the same day, or maybe the bnext day as 4 were killed in the crash I am thinking of, at least 10 died on the roads, 6 in one vehicle. That one got a small paragraph.... The average is 10 a day in the UK on the roads, about 2 or 3 per year in trains.

Now the specialist press, including web sites, who know of the existence of OpenBSD, are likely to treat this in much the same way. A BSD crash, any variant, is a rarity, 1000 times or more less likely to happen than a BSOD. Same sort of ratio fro security holes also. So, the same thing happens, the uncommon major event gets the attention, although it does far, far less harm overall than the very common everyday event.

Of course in this case the normal press remain in utter ignorance, some of them may know that Windoze is not the same as a MAC, a few will know of Linux, and very few indeed will know what BSD is, they probably think it is a shorter abbreviation for BSOD. So, the mainstream press will leave this well alone.

It is quite right and proper that crashes should be reported, and certainly it is only fair that a problem with a secure OS gets to be known, and fixed, but like the train crash, it needs to be kept in perspective.

I know that Theo allegedly has an attitude problem, however those who extrapolate from his remark that it is only a crash to suggest that he does not care are IMHO quite wrong. I think he was only putting the event in its true perspective, as being of slightly less importance than a security breach. I think he does care, very much, that "his" software works properly, that is what drives such people, who could earn much more financial reward elsewhere.

All of this is a matter of seeing the thing in its true perspective. If people did that, no-one at all would use the products of the Convicted Monopolist, and the world would be a very much safer place as regards computer security, and much more productive because there would probably be only one crash for 1000 or even 1000000 BSODs in inferior systems, which are riddled with fundamental design errors.

Re:Does this count?

[Anonymous Coward]

It does to me because that's how it's always been done with OBSD. Look, when someone says something, you have the opinion and right to look at the veracity or underlying premise of -what- is being said. It's been pretty clear for a couple of years what OBSD's standard for that statement is.

iow, if it doesn't make sense to you, that's completely fine. But it's not like OBSD is being hush hush, nudge wink with how they come up with their count.

imnsho, at least they have a standard or policy or rules or what have you for determining their remote hole count. Of all other OS makers, groups, and mfgs out there, I don't know of one other that keeps count, has a public statement of that count, gives publicly accessible rules for determining that count, and follows those rules. Linux sure doesn't--the sheer variation, number of distros, etc. has no one keeping a firm count. OBSD is more limited and applies it to their default install.

Personally, I like OBSD's claim and think it's valid, both in the areas of valid to make and valid as valuable to the OS user.

Compare them to other OS makers. When MS releases a security patch and months later, Melissa or some other virus comes along and exploits it because people were too lazy to plug up their systems, I don't say "That's MS's fault." I consider that on incompetent or lazy users. Now, I realize many here on this forum will blame MS, and they do get boatloads of blame, but they also patched the damn thing. Sometimes with these patches, the patch itself reveals the error and makes it widely known; virus or exploit writers then go about taking advantage of that, comparing differences between a patched and unpatched systems.

When Samba had that "caught in the wild" ecurity issue last year, I don't say "well that's been in the wild 5 years" and then count that one bug multiple times against them for every Samba version released since then, or every update. Why not? Because that would be ludicrous. Likewise with OBSD, I don't say "well, that was out there since release X when Y code was added, hence that counts for every release since X until current as a bug".

Note with the last, this also reveals that people and communities innately have their own idea or standards on how "bugs" are counted against to versions or releases. Most people would say Samba's bug they caught in the wild counts as 1 bug. And they'd be right. Not several via very Samba release since that code was written.

Same with OBSD. They have a standard, they found an issue, so does it apply to their policy for determining that count? No. Count doesn't go up.