Secunia: It's not a flaw if it's a feature

Summary:When I reported on the Vocera certificate security bypass flaw, SecurityFocus picked up on it and created Bugtraq ID 27935 to warn their customers about the vulnerability.  I dropped a note to Secunia about the flaw but they seem to believe that a flaw is only a flaw if it was accidental and not an irresponsible design choice.

When I reported on the Vocera certificate security bypass flaw, SecurityFocus picked up on it and created Bugtraq ID 27935 to warn their customers about the vulnerability.  I dropped a note to Secunia about the flaw but they seem to believe that a flaw is only a flaw if it was accidental and not an irresponsible design choice.  Here was Secunia's reply to me:

Thank you for giving us a heads up on your research on the Vocera implementation of the PEAP.

However, Secunia has decided not to publish an advisory for this issue, as the Vocera documentation makes it clear that not validating certificates was a design decision (as you yourself pointed out in your article). In addition, Vocera also states that their handsets support other protocols, including the protocol you encouraged users to use, WPA-PSK (http://www.vocera.com/downloads/InfrastructureGuide.pdf page 55). Hence the issue isn't really in the handset, as much as in the protocol that a users chooses.

As such, the impact for a user is minimized, as the user should be responsible enough to choose a protocol that meets his or her security needs.

We do appreciate your contacting us personally to bring this issue to our attention. Please feel free to do the same for issues you may feel strongly about in the future.

I find Secunia's response strange since PEAP is regarded as a very secure authentication protocol when it's implemented properly.  This is also inconsistent since Secunia listed a very similar flaw for Cisco's ACS RADIUS server where it too skipped the cryptographic verification of digital certificates.  I also wonder how Secunia will handle the exact same vulnerability in the Cisco 7921 IP Phone confirmed 2 days after the Vocera vulnerability disclosure since Cisco has not stated it was a design choice and didn't disclose this ahead of time on their website.  [Update 3/10/2008 - Secunia now lists Cisco 7921 as vulnerable but not Vocera for the exact same vulnerability.]

One has to wonder what the implications of this is if vendors simply claim a flaw was a design choice and the user merely needs to work around it.  I also have to wonder what other flaws Secunia is omitting that they deem design "features" and not "flaws" and it makes me less confident in relying on Secunia for security information.  Perhaps it would be wise to start using SecurityFocus instead.

Topics: Security

About

George Ou, a former ZDNet blogger, is an IT consultant specializing in Servers, Microsoft, Cisco, Switches, Routers, Firewalls, IDS, VPN, Wireless LAN, Security, and IT infrastructure and architecture.

Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.