
Update: [TZO-06-2009] IBM Proventia - Generic bypass (Limited disclosure - see details)

As I received a lot of feedback on this bug, I thought I'd update you. After not replying
to my notifications and the subsequent forced partial disclosure, IBM stated
officially on their website that they were not affected and, to my surprise,
IBM got in contact immediately after disclosure to "coordinate".

If you read the timeline to the end, the story has a nice swing: drama, insults,
everything. You could make a soap opera out of it. And you don't even have all the mails.

What happened during this "coordination" surprised even me. I am used to discussions,
I am used to stupid answers. However, what happened here bears no description.


Short Guerilla Version of the Timeline (complete timeline below):
-------------------------------------------------------------------
- Hey Thierry, sorry, we did not get your report, we'll keep you updated!
We have IBM written on the Proventia boxes but don't send reports to IBM!!

- Post official statement to IBM website that IBM is NOT affected and
forget to inform Thierry

- Thierry, you cannot evade Proventia, because we use special proprietary
ingredients!

> What are these ingredients?

- We won't tell!! And by the way, you suck! Your test methods suck! You aren't even
EAL2! A test team costs too much to test your POCs! Your mails suck! Learn from
the big mighty IBM.

> Sorry, the same POC evaded Proventia last year! So you must be missing something!!

- Thierry, stop sending us POC files, YOU CANNOT EVADE PROVENTIA, IT is
IMPOSSIBLE, IRREVOCABLE, PERIOD!!!!

> Silence

- Thierry, here is our report, you DID evade all our Proventia products, we will
credit you.



In the timeline below you find my summary
-----------------------------------------
02.04.2009 - Forced partial disclosure
02.04.2009 - A known contact at IBM asks for the POC
02.04.2009 - POC is resent
02.04.2009 - A third person is added to the coordination "list"
04.04.2009 - Sending another POC file (RAR)
06.04.2009 - POC is acknowledged and a promise is made to get back
             once the material has been analysed.
10.04.2009 - Sending another POC file (ZIP)
10.04.2009 - The third person, i.e. the "Cyber Incident & Vulnerability
Handling PM", takes over coordination

14.04.2009 - A comment was made on my blog indicating that IBM had
answered the Bugtraq posting and negated my findings. Having
received no response from them personally, I ask:
"Dear Peter, I was referred to this url in a comment posted to my blog:
http://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=5417
can you confirm this?"

15.04.2009 - IBM responds:
"[..] we
apologize that the path of communicating the disclosure was somewhat
confusing. [..] The IBM contact address in the
OSVDB is typically used for software products that are in another division
of IBM, and thus, your report was not routed to us in a timely manner. In
the future, we'd prefer that you contact myself directly"

"We have now investigated the TZO-04-2009-IBM incident you reported and have
found that we are not susceptible to this evasion."
"[..] in this case, there are other components in our Proventia
products that prevent this evasion from occurring"
"Testing our production products, rather than testing this one
piece of our technology, then you would have been able to see the same
results"

16.04.2009 - As my tests indicate otherwise, I ask: "Could you please
specify which >components< would prevent the evasion, as it is
hard to see how to prevent it when the unarchiver code cannot extract
the code itself" and
"I would be glad to do so [Ed.: test production products]:
Please send the respective appliances to <my address>"


16.04.2009 - IBM answers:
[..] "We are not an open source company, so the internal workings of
our proprietary software is not something we publicly disclose.
We do not provide our products for free to all of the independent
testers that might be interested in our product lines--the number
of requests simply would not be scalable or manageable if
we did"

17.04.2009 - As I have no way to reproduce their claim and IBM gives no details
about their oh-so-secret proprietary software, I state that
"I cannot verify nor reproduce your statements, as such I will leave
this CVE entry as disputed." "Please provide tangible proof that
you detect the samples. Screenshots, logs, outputs."
AND
"My worktime is not open source either [..] Yet I
am currently working for your interests and customers, for free. I can
stop reporting responsibly if this is what you are trying to achieve."

21.04.2009 - As there was no reply, I resend the previous mail

22.04.2009 - IBM acknowledges receipt and promises to reply soon.

==
In the meantime, as I thanked AV-TEST GmbH in my advisory,
somebody complains directly to AV-TEST GmbH to force them to
no longer give me access to their test clusters. AV-TEST GmbH
subsequently asks me to stop testing using their systems.
As a note: does anybody spot a parallel to the mob?
==

23.04.2009 - I inform IBM that
"Interestingly, instead of spending the time cooperating with me,
some think it might be more useful to complain to AV-TEST." [..]
"I perceive the complaints as a direct attack against myself"

23.04.2009 - IBM informs me that it wasn't them that complained and
that
"[..] We processed your claim. You do NOT evade our products.
You are talking about a component that never deploys singularly.
Hence you cannot evade."

"As for testing our products, we have organizations that do that from
time-to-time. Those are contractual agreements. Since you published
incomplete data previously, I see no reason to engage for such a test."

"You ask for cooperation, but yet
you only have leveled insinuations and have attempted to turn what has
taken place into something else. Hardly following responsible disclosure
as you have listed it."

"I welcome your thoughts and your input as there is always something to
reflect upon and to learn about. But this is a two way street, and I ask
you to learn from us that how we deploy our products is not what you
tested/researched."

"Further, we are not going to loan a Proventia device for you to learn upon."


23.04.2009 - I answer that
"[..] I asked for
screenshots or logs, something that, if tests have been done, should be
readily available anyway" "You seem not to be accustomed to handling
vulnerability reports; if a negative finding is reported, a vendor
usually responds that the finding was negative and usually attaches a
log, screenshot or similar."

> You do NOT evade our products. You are talking about a component
> that never deploys singularly.
> Hence you cannot evade."
"Hmm, that might be the case, or might not -
I have an email from last year that states that a sample I provided
evaded Proventia, using the very same methods of tests as this time."

> Further, we are not going to loan a Proventia device for you to learn upon.
"I have not asked to be *loaned* a Proventia device. You will
have to find the balance yourself. It's interesting to see that you
think I could somehow "learn" something from an appliance.

Anyway, if you don't provide me with guidance I can only send in more
and more samples (that may be more and more false positives). Again,
trying to help, but if you don't need help that's fine with me too."

24.04.2009 - I inform IBM that
"Please note that I just made changes to my terms and policy to be able
to republish mails that happen during notification in full or
partially"

24.04.2009 - IBM states that
"Thierry,
Changes you make should be effective for new issues going forward. Period."

"We have reported to you that your issues DO NOT EVADE PRODUCTS. That is
unequivocable. You have not proven an evasion of a product."

"We
have conducted that research and the report is negative, your issues do not
evade the product. [..] Further, we do
not for obvious reasons ever provide architectural details except in cases
of NIAP review under Common Criteria for EAL 2 or Higher, then in only
certain aspects. Your research does not attain that benchmark."

08.05.2009 - Sending a new POC evading Proventia (CAB).
No reply.

11.05.2009 - Re-sending, asking for an acknowledgement

15.05.2009 - IBM:
"We are in the final stages of completing the write up on our review of all
your reports. It may take until early AM US EDT to complete or possibly
early AM Central European Time."

22.05.2009 - IBM sends in the results, and *surprise*, it DID evade Proventia.
Quote:
"
IBM Proventia Desktop Endpoint Security - susceptible
IBM Proventia Network Multi-Function Security (MFS) - susceptible

Multiple engines are susceptible to this evasion. We are working internally
and with third-party OEM vendors to create a fix for this evasion. For our
own engine, we have placed a fix on our long-term development roadmap, but
this is a low priority for us because this engine runs in a desktop
environment where malicious code in these archives will be detected upon
extraction or execution. If and when an update addressing this issue is
delivered for our engine, we will credit you."

Ignoring that the end-point argument doesn't hold true for the network
device, isn't this incredible?
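The technical point that keeps recurring above is that an archive the scanner's unarchiver cannot open is an archive whose content is never inspected, and that IBM's answer ("detected upon extraction or execution") only holds for the desktop engine, not for the network device, which never sees the extraction. As an added example, not part of this post and not code from IBM or any Proventia product, here is the defender-side check a gateway scanner would want: a fail-closed ZIP inspection in Python that quarantines any archive it cannot fully parse and extract instead of passing it as clean. The three sample archives (a valid one, one with a flipped data byte so the stored CRC-32 no longer matches, one truncated before its central directory) are constructed inline; `inspect_zip`, `gateway_decision` and `ArchiveVerdict` are hypothetical names.

```python
import io
import zipfile
import zlib
from dataclasses import dataclass


@dataclass
class ArchiveVerdict:
    name: str
    decodable: bool          # True only if every member was extracted and CRC-checked
    members_checked: int
    reason: str


def inspect_zip(name: str, data: bytes) -> ArchiveVerdict:
    """Open a ZIP container and extract every member in memory.

    Fail-closed handling: an archive the scanner cannot parse, or cannot
    fully extract, is reported as 'undecodable' rather than as 'clean'.
    """
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return ArchiveVerdict(name, False, 0, f"container not parseable: {exc}")

    checked = 0
    with zf:
        for info in zf.infolist():
            try:
                # zf.read() verifies the stored CRC-32 and raises on a mismatch;
                # zlib.error covers corrupt deflate streams, RuntimeError covers
                # encrypted members we have no password for.
                payload = zf.read(info)
            except (zipfile.BadZipFile, zlib.error, NotImplementedError, RuntimeError) as exc:
                return ArchiveVerdict(name, False, checked,
                                      f"member {info.filename!r} failed to extract: {exc}")
            if len(payload) != info.file_size:
                return ArchiveVerdict(name, False, checked,
                                      f"member {info.filename!r}: header says "
                                      f"{info.file_size} bytes, got {len(payload)}")
            checked += 1
    return ArchiveVerdict(name, True, checked, "all members extracted and CRC-verified")


def gateway_decision(verdict: ArchiveVerdict) -> str:
    """Policy for a network scanner: only archives whose content could actually
    be inspected are handed to the content scanner; the rest are quarantined."""
    return "pass-to-content-scan" if verdict.decodable else "quarantine"


# --- constructed samples (not taken from the advisory) -----------------------
def _build_zip(compression: int) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        zf.writestr("readme.txt", b"sample text " * 64)
        zf.writestr("data.bin", bytes(range(256)) * 4)
    return buf.getvalue()


GOOD_ZIP = _build_zip(zipfile.ZIP_DEFLATED)

# Stored (uncompressed) archive with one byte of the first member's data flipped:
# all headers still parse, but the CRC-32 no longer matches the content.
_stored = bytearray(_build_zip(zipfile.ZIP_STORED))
_first_data = 30 + len("readme.txt")   # local header: 30 bytes + name, no extra field
_stored[_first_data + 5] ^= 0xFF
CRC_MISMATCH_ZIP = bytes(_stored)

# Archive cut off before its central directory: the container itself cannot be parsed.
TRUNCATED_ZIP = GOOD_ZIP[: len(GOOD_ZIP) // 2]


if __name__ == "__main__":
    samples = [("good", GOOD_ZIP), ("crc-mismatch", CRC_MISMATCH_ZIP), ("truncated", TRUNCATED_ZIP)]
    for label, blob in samples:
        v = inspect_zip(label, blob)
        print(f"{label:13s} decodable={v.decodable!s:5s} members={v.members_checked} "
              f"-> {gateway_decision(v)} ({v.reason})")
```

The same rule applies to the RAR and CAB containers named in the timeline, each with its own parser: the question a gateway has to answer is never "did the engine find something?" but "was the engine able to look at all?". Only the second answer lets a scanner that cannot extract a sample refuse it, rather than report it as clean.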

22.05.2009 - I respond that 
"[..] The files
bypass your protection - to argue with client-side protection (if any)
is reserved for the clients that use your products. You should rate it
as what it is. A bypass of your AV detection"


Heard nothing back since the 23rd of May. I trust IBM to disclose and fix,
and maybe credit, but I thought I'd let IBM customers know what your
millions in license fees are spent on.