On MovieTome: The 10 worst movies of 2009 so far!
BNET Business Network:
BNET
TechRepublic
ZDNet

February 28th, 2008

Secunia: It's not a flaw if it's a feature

Posted by George Ou @ 1:21 am

Categories: Cisco, Responsible disclosure, Vulnerability research, Wi-Fi security, Wireless

Tags: Vocera Communications, Secunia, Flaw, Security, George Ou

When I reported on the Vocera certificate security bypass flaw, SecurityFocus picked up on it and created Bugtraq ID 27935 to warn their customers about the vulnerability.  I dropped a note to Secunia about the flaw but they seem to believe that a flaw is only a flaw if it was accidental and not an irresponsible design choice.  Here was Secunia’s reply to me:

Thank you for giving us a heads up on your research on the Vocera implementation of the PEAP.

However, Secunia has decided not to publish an advisory for this issue, as the Vocera documentation makes it clear that not validating certificates was a design decision (as you yourself pointed out in your article). In addition, Vocera also states that their handsets support other protocols, including the protocol you encouraged users to use, WPA-PSK (http://www.vocera.com/downloads/InfrastructureGuide.pdf page 55). Hence the issue isn’t really in the handset, as much as in the protocol that a users chooses.

As such, the impact for a user is minimized, as the user should be responsible enough to choose a protocol that meets his or her security needs.

We do appreciate your contacting us personally to bring this issue to our attention. Please feel free to do the same for issues you may feel strongly about in the future.

I find Secunia’s response strange since PEAP is regarded as a very secure authentication protocol when it’s implemented properly.  This is also inconsistent since Secunia listed a very similar flaw for Cisco’s ACS RADIUS server where it too skipped the cryptographic verification of digital certificates.  I also wonder how Secunia will handle the exact same vulnerability in the Cisco 7921 IP Phone confirmed 2 days after the Vocera vulnerability disclosure since Cisco has not stated it was a design choice and didn’t disclose this ahead of time on their website.  [Update 3/10/2008 - Secunia now lists Cisco 7921 as vulnerable but not Vocera for the exact same vulnerability.]

One has to wonder what the implications of this is if vendors simply claim a flaw was a design choice and the user merely needs to work around it.  I also have to wonder what other flaws Secunia is omitting that they deem design “features” and not “flaws” and it makes me less confident in relying on Secunia for security information.  Perhaps it would be wise to start using SecurityFocus instead.

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

  • Talkback
  • Most Recent of 10 Talkback(s)
I wish it were April fools
I wish it were April fools. Yup, their quote was cut-paste out of their email reply to me. They have not gotten back to me after I voiced my shock and complained.

Even after writing this blog... (Read the rest)
Posted by: georgeou Posted on: 03/02/08 You are currently: a Guest | | Terms of Use
"It?s not a flaw if it?s a feature"... Sounds like Microsoft!  Mikael_z | 02/28/08
How would Secunia handle this?  MGP2 | 02/28/08
Haha, good one  georgeou | 02/28/08
Additional Features  nucrash | 02/28/08
In need of a strongly worded reply  nucrash | 02/28/08
Have to, mirabile dictu, fully agree with  mhenriday | 02/28/08
I agree with Secunia....  dunn@... | 02/28/08
That's not a huge bug?  doodlius | 02/28/08
I had to double-check...  JonathonDoe | 02/29/08
I wish it were April fools  georgeou | 03/02/08

What do you think?

SponsoredWhite Papers, Webcasts, and Downloads

advertisement

Recent Entries

advertisement

Archives

Favorite Links

ZDNet Blogs

White Papers, Webcasts, and Downloads

SmartPlanet

Click Here