Secunia: It's not a flaw if it's a feature

Summary: When I reported on the Vocera certificate security bypass flaw, SecurityFocus picked up on it and created Bugtraq ID 27935 to warn their customers about the vulnerability.  I dropped a note to Secunia about the flaw but they seem to believe that a flaw is only a flaw if it was accidental and not an irresponsible design choice.

When I reported on the Vocera certificate security bypass flaw, SecurityFocus picked up on it and created Bugtraq ID 27935 to warn their customers about the vulnerability.  I dropped a note to Secunia about the flaw but they seem to believe that a flaw is only a flaw if it was accidental and not an irresponsible design choice.  Here was Secunia's reply to me:

Thank you for giving us a heads up on your research on the Vocera implementation of the PEAP.

However, Secunia has decided not to publish an advisory for this issue, as the Vocera documentation makes it clear that not validating certificates was a design decision (as you yourself pointed out in your article). In addition, Vocera also states that their handsets support other protocols, including the protocol you encouraged users to use, WPA-PSK (http://www.vocera.com/downloads/InfrastructureGuide.pdf page 55). Hence the issue isn't really in the handset, as much as in the protocol that a user chooses.

As such, the impact for a user is minimized, as the user should be responsible enough to choose a protocol that meets his or her security needs.

We do appreciate your contacting us personally to bring this issue to our attention. Please feel free to do the same for issues you may feel strongly about in the future.

I find Secunia's response strange since PEAP is regarded as a very secure authentication protocol when it's implemented properly.  This is also inconsistent since Secunia listed a very similar flaw for Cisco's ACS RADIUS server where it too skipped the cryptographic verification of digital certificates.  I also wonder how Secunia will handle the exact same vulnerability in the Cisco 7921 IP Phone confirmed 2 days after the Vocera vulnerability disclosure since Cisco has not stated it was a design choice and didn't disclose this ahead of time on their website.  [Update 3/10/2008 - Secunia now lists Cisco 7921 as vulnerable but not Vocera for the exact same vulnerability.]
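The "implemented properly" part above comes down to one thing: the supplicant must validate the authentication server's certificate before it sends anything through the PEAP tunnel. The following is an added example, not from this article and not Vocera's or Cisco's configuration: the same wireless network written two ways in wpa_supplicant syntax, which is assumed here as a stand-in for whatever supplicant a handset actually runs. The SSID, identity, password, CA file path and server name are placeholders.

```conf
# Constructed example (not from the article, not a vendor's file): one PEAP
# network written two ways for a wpa_supplicant-style supplicant.
# SSID, identity, password, CA path and server name are placeholders.

# (1) Weak: no CA is pinned, so the supplicant accepts whatever certificate
# the authenticator presents. The TLS tunnel is then built to any server
# that answers, and the inner MSCHAPv2 exchange runs inside that tunnel.
# This is the behaviour the article describes as skipping validation.
network={
    ssid="CORP-WLAN"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    # no ca_cert and no domain_suffix_match here
}

# (2) Hardened: pin the CA that issued the RADIUS server certificate and
# require the certificate's name to match the expected server. The
# supplicant now refuses to start the inner authentication against a
# server that cannot present a certificate chaining to this CA.
network={
    ssid="CORP-WLAN"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    password="placeholder-password"
    phase2="auth=MSCHAPV2"
    # placeholder path to the organisation's RADIUS CA certificate
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    # placeholder name; requires a wpa_supplicant version that supports it
    domain_suffix_match="radius.example.org"
}
```

Whether a device exposes the equivalent of ca_cert and domain_suffix_match, and whether it lets the user leave them empty, is what decides which of the two states it is in; the choice between PEAP and WPA-PSK that Secunia points to does not change that. A quick check on any 802.1X client is to look for exactly these two settings in its EAP configuration.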

One has to wonder what the implications of this are if vendors can simply claim a flaw was a design choice and the user merely needs to work around it.  I also have to wonder what other flaws Secunia is omitting because they deem them design "features" and not "flaws", and it makes me less confident in relying on Secunia for security information.  Perhaps it would be wise to start using SecurityFocus instead.

Talkback

10 comments
  • "It's not a flaw if it's a feature"... Sounds like Microsoft!

    =}
    Mikael_z
  • How would Secunia handle this?

    (Fictitious situation, of course)

    "Our anti-virus scanner doesn't actually scan for viruses. This way a virus scan won't utilize valuable resources you need for other applications."

    Isn't THAT a nice "feature"?
    MGP2
    • Haha, good one

      That would actually be more valuable AV software as it won't have any HEAP vulnerabilities either :).
      georgeou
    • Additional Features

      Additional Features that Secunia has to offer include:

      Nonexistent foot print to avoid taking up precious disk space

      No Updates to reduce the need of your network connection overhead that may be cut by Comcast.
      nucrash
  • In need of a strongly worded reply

    Dear Secunia:
    From what I understand, your company's ambition is to be the leading vulnerability intelligence provider and distributor in the world - second to none.

    Yet your choice in this matter is to disregard an obvious flaw. Many of your exploits have the simple resolution of unplugging from the network, but for some reason or another such a method is not considered acceptable. Please reconsider your choice in this matter so that your customers are properly notified of the problem.
    nucrash
  • Have to, mirabile dictu, fully agree with

    George Ou here - Secunia's response is not satisfactory. A flaw is a flaw and a bug a bug, whether inadvertent or not, and must be flagged as such....

    Henri
    mhenriday
  • I agree with Secunia....

    If it's designed-in and documented then the only flaw is if the user decides to ignore the documentation.
    You can't protect users from themselves all the time. When a user purchases a device it is their responsibility to either learn about the device or have someone configure it for them.
    Don't blame Secunia blame either Vocera or the user that ignores Vocera's documentation.

    Otherwise nearly everything such as a common hammer is flawed since you can actually hit yourself with it. Too simple an analogy but you get my point.
    dunn@...
  • That's not a huge bug?

    As a QA guy, I'd just like to point out that some of the worst bugs are the ones that result from poor design. These are also frequently the hardest and most expensive to correct.
    doodlius
  • I had to double-check...

    just to be sure it wasn't April 1st. Secunia actually said that? So much for their security advisories. As a customer I don't care if the vulnerability is due to poor design, bad coding, or criminal misconduct -- it's still a vulnerability and I still need to know about it.

    Am I to conclude that by their standard they don't need to alert me to a trojan rootkit installer because it's acting exactly as it was designed to?

    Regards,
    Jon
    JonathonDoe
    • I wish it were April fools

      I wish it were April fools. Yup, their quote was cut-paste out of their email reply to me. They have not gotten back to me after I voiced my shock and complained.

      Even after writing this blog exposing their practice and asking them to comment, they've refused. I guess they really don't care.
      georgeou