
Re: OpenSSH security advisory: cbc.adv

On Fri, Nov 21, 2008 at 03:19:03AM -0700, Damien Miller wrote:

> OpenSSH Security Advisory: cbc.adv
> Regarding the "Plaintext Recovery Attack Against SSH" reported as
> CPNI-957037[1]:
> The OpenSSH team has been made aware of an attack against the SSH
> protocol version 2 by researchers at the University of London.
> Unfortunately, due to the report lacking any detailed technical
> description of the attack and CPNI's unwillingness to share necessary
> information, we are unable to properly assess its impact.

It is really sad that researchers are prevented from sharing details with
developers by some lame institute. The OpenSSH developers were asked to
undersign the document below. Apart from asking to be cited as the
discoverer of a vulnerability, I would say that "you will only get
details if you do X" is a form of blackmail.

So the result is that the developers of the main implementation of the
SSH protocol are without the details of the vulnerability, all in the
cause of "protecting national security".



Centre for the Protection of National Infrastructure
Framework for Vulnerability Information

CPNI was formed from the merger of the National Infrastructure
Security Co-ordination Centre (NISCC) and the National Security
Advice Centre (NSAC).

CPNI provides integrated security advice (combining information,
personnel and physical) to the businesses and organisations which
make up the national infrastructure. Through the delivery of this
advice, we protect national security.

One of the primary CPNI functions is to establish long-term
partnerships with those companies that provide CNI services. This
relationship is reinforced on a regular basis by the provision of various
CPNI advisory materials on IT-related threats and vulnerabilities.
CPNI conducts extensive research into vulnerabilities, the results of
which we share with both CNI organisations and product suppliers. To
enable us to share such information in confidence, CPNI provides this
non-legally binding Framework as a mechanism to establish trusted

This Framework is intended to help CPNI and commercial organisations
to work in partnership to discuss and resolve issues arising from
vulnerability disclosures. By adhering to this framework you will be
part of a mechanism through which technical and commercial
vulnerability information can be shared between partners.
This Framework is intended to increase the flow of vulnerability
information within a trusted environment whereby issues can be
solved quickly and easily, while at the same time limiting the likelihood
of uncontrolled public release.

The Traffic Light Protocol

CPNI has agreed a labelling mechanism known as the "Traffic Light
Protocol" (TLP) with members of its Information Exchanges. This same
protocol has now been accepted as a model for trusted information
exchange by over 30 other countries. The protocol provides for four
"information sharing levels" for the handling of sensitive information.
The four information sharing levels are:
   #  RED - Personal for named recipients only. In the context of a
      meeting, for example, RED information is limited to those
      present. In most circumstances RED information will be passed
      verbally or in person.
   #  AMBER - Limited distribution. The recipient may share AMBER
      information with others within their organization, but only on a
      "need-to-know" basis.
   #  GREEN - Community wide. Information in this category can be
      circulated widely within a particular community. However, the
      information may not be published or posted on the Internet, nor
      released outside of the community.
   #  WHITE - Unlimited. Subject to standard copyright rules, WHITE
      information may be distributed freely, without restriction.

Framework for the exchange of Vulnerability Information

This framework is not a legal contract. It is a statement of the
requirements for information sharing between CPNI and the receiving

The Centre for the Protection of National Infrastructure (CPNI) and the
receiving organization jointly agree:
   #  to label vulnerability information to be shared with one of the
      four "information sharing levels" identified in the Traffic Light
      Protocol (TLP);
   # where necessary and appropriate to protectively mark the
     information in line with their own internal security policies and in
     accordance with the TLP;
   # to use the same degree of care to maintain confidentiality of
     shared vulnerability information as is used for their own internal
     or commercially sensitive information;
   # neither directly nor indirectly disclose to a third party in advance
     of the agreed public disclosure date, either the existence of, or
     details pertaining to, vulnerability information supplied under
     this framework without the prior written approval of the
     originating organization;
   # not to use the vulnerability information disclosed for commercial
     advantage or marketing purposes;
   # to restrict the release of vulnerability information solely to those
     persons within the organization with a legitimate need to know
     by virtue of their job or role. Such persons must be
     appropriately briefed on, and bound by, the meaning of the TLP
     sharing mechanism;
   # to destroy vulnerability information that is no longer required;
   # to disclaim liability for any damages arising from the use of the
     vulnerability information;
   # that access to vulnerability information is offered free of any
     financial charge and without warranty of any kind;
   # not to employ legal remedy to address any conflict arising from
     the disclosure or use of any vulnerability information provided.

February 2007