-
February 6th, 2004, 09:42 AM
#1
OpenBSD security flaw
Ahhh moments like this. After hearing "OpenBSD is the most secure OS in the world" like 90 times in the past week, I get this in my inbox:
______________________________________________________________________________________________________________________
Georgi Guninski posted an advisory on his site about a remote crash in
the OpenBSD kernel caused by connecting with a small IPv6 MTU.
http://www.guninski.com/obsdmtu.html
The error was present in revision 1.81 of /src/sys/netinet6/ip6_output.c
and is fixed in revision 1.82 ( 2004/02/04 08:47:41 ), you can see the
colored diffs at
http://www.openbsd.org/cgi-bin/cvswe..._output.c.diff
?r1=text&tr1=1.81&r2=text&tr2=1.82&f=h
OpenBSD administrators should pull the revised code from CVS and
recompile their kernels.
Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569
PivX defines "Proactive Threat Mitigation". Get a FREE Beta Version of
Qwik-Fix
<http://www.qwik-fix.net>
______________________________________________________________________________________________________________________
-
February 6th, 2004, 12:11 PM
#2
OpenBSD changed their page to say
Only one remote hole in the default install, in more than 7 years!
Cheers,
cgkanchi
-
February 6th, 2004, 12:22 PM
#3
Guninski's hole is a new one I think, so they may need to change that to "only two remote holes in the default install"
Quis custodiet ipsos custodes
-
February 6th, 2004, 12:34 PM
#4
Uhh... I think the one remote hole is a reference to Guninski's hole, not to a previous one. This is the only one I've ever heard of, remote or local.
-
February 6th, 2004, 12:43 PM
#5
I thought the first hole was an OpenSSH related exploit that appeared in 2002? (As OpenSSH is in the default installation of OpenBSD I believe). This one is a new IPv6 hole.
Quis custodiet ipsos custodes
-
February 6th, 2004, 12:44 PM
#6
There are some other exploits out there for it as well, but they seem to get around them by using that "default install" line.
Quis custodiet ipsos custodes
-
February 6th, 2004, 01:37 PM
#7
"I thought the first hole was an OpenSSH related exploit that appeared in 2002"
That would be a flaw in OpenSSH rather than OpenBSD and that particular flaw, IIRC, affected all OSes that had/used OpenSSH. This one seems specific to OpenBSD itself.
-
February 6th, 2004, 01:43 PM
#8
The "one remote hole" is indeed the OpenSSH one. That score refers to OpenBSD's default install, so OpenSSH is/was fair game.
The new bug isn't considered a hole because it can't be exploited (give shell), it only crashes the box, as far as we know for now.
Ammo
Credit travels up, blame travels down -- The Boss
-
February 6th, 2004, 08:44 PM
#9
OpenBSD is nice. There is no doubt in that. But some people take it a bit extreme at times thinking it's unhackable. No OS is like that. It's still all code waiting to be cracked/exploited. I do like the idea of the code audits, and I think that is a reason that it has become so secure.
Did you guys know Linux was the first (and perhaps still is the only) OS to have a completely RFC compliant IPv4 stack? Linux's IP stack is still regarded as one of the best around.
I posted the web site I found this on in the OS forum. It's located here:
http://digital-domain.net/lug/unix-linux-history.html
-
February 6th, 2004, 10:22 PM
#10
When compared to the track record of other OS's, OpenBSD still holds the champion's belt. I think 1 remotely exploitable bug and one remote DoS bug in seven years is a record I can live with (especially given some of the competition's record). Since OpenBSD isn't used near as much as other OS's it's hard to get a real accurate statistical depiction of where they fit in on the security scale, but overall there are a lot of details I appreciate about the OS, for instance the IP sequence (PRNG) for OpenBSD and Linux kicks the **** out of other OS's and that's just one of many security conscious features BSD employs. No one ever said programmers didn't make mistakes, but it's nice when they at least look for them BEFORE they distribute their software. (*ahem* Microsoft *ahem*)
-Maestr0
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier