FreeBSD UFS "vulnerability": Is NIST off its medication, or am I missing something?

Bill Moran wmoran at collaborativefusion.com
Tue Nov 14 14:14:33 UTC 2006


In response to Colin Percival <cperciva at freebsd.org>:

> Bill Moran wrote:
> > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5824
> > 
> > Following the links around, it seems that you would have to mount a "corrupt" or
> > "malicious" filesystem in order to exploit this "vulnerability".
> > 
> > Yes, NIST claims there is no authentication required to exploit?  Are new versions
> > of FreeBSD suddenly allowing unauthenticated users to mount filesystems by default?
> > If so, something's wrong with my 6.1 workstation!
> > 
> > It seems like this is the 2nd or 3rd "vulnerability" I've seen that's been blown
> > out of proportion by NIST, or am I missing something?
> 
> CVE names are assigned, and NIST creates an entry in its database, whenever
> someone claims that a security problem exists; their purpose is to provide
> a consistent name for whatever people are talking about, not to decide what
> exactly constitutes a security issue (as I explained in my BSDCan'06 paper,
> different vendors have many different policies about what constitute security
> issues).
> 
> In this case (and another very similar bug found by the MoKB people), the
> FreeBSD security team has no intention to handle the bug as a security issue;
> obviously this is a kernel bug and deserves to be fixed, but no more so than
> any other kernel bug, and in fact this bug seems far less important than most.

That was my thought.  In my opinion, anything that requires root access to
exploit doesn't constitute a security issue, since someone with root
privvies can do whatever they want anyway, by definition.

It looks as if MoKB has an axe to grind ... I expect we'll see a lot more
exaggerated "security problems" come out of them before November is over ...

Thanks for the feedback, Colin.

-- 
Bill Moran
Collaborative Fusion Inc.
