Update: [TZO-06-2009] IBM Proventia - Generic bypass (Limited disclosure - see details) Jul 15 2009 08:02PM
Thierry Zoller (Thierry zoller lu) (1 replies)


As I received a lot of feedback on this bug, I thought I'd update you. After not replying
to my notifications and the subsequent forced partial disclosure, IBM stated
officially on their website that they were not affected, and to my surprise
IBM got in contact immediately after disclosure to "coordinate".

If you read the timeline till the end, the story has a nice swing: drama, insults,
everything. You could make a soap opera out of it. And you don't even have all the mails.

What happened during this "coordination" even surprised me. I am used to discussions,
I am used to stupid answers. However, what happened here bears no description.

Short Guerrilla Version of the Timeline (complete timeline below):
-------------------------------------------------------------------
- Hey Thierry sorry, we did not get your report, we'll keep you updated!
We have IBM written on the proventia boxes but don't send reports to IBM!!

- Post official statement to IBM website that IBM is NOT affected and
forgetting to inform Thierry

- Thierry, you cannot evade Proventia, because we use special proprietary
ingredients!

> What are these ingredients?

- We won't tell!! And by the way you suck! Your test methods suck! You aren't even
EAL2! A test team costs too much to test your POCs! Your mails suck! Learn from
the big mighty IBM.

> Sorry, the same POC evaded Proventia last year! So you must miss something!!

- Thierry, stop sending us POC files, YOU CANNOT EVADE PROVENTIA, IT is
IMPOSSIBLE, IRREVOCABLE, PERIOD !!!!

> Silence

- Thierry here is our report, you DID evade all our proventia products, we will
credit you.

In the timeline below you find my summary
-----------------------------------------
02.04.2009 - Forced partial disclosure
02.04.2009 - A known contact at IBM asks for the POC
02.04.2009 - POC is resent
02.04.2009 - A third person is added to the coordination "list"
04.04.2009 - Sending another POC file (RAR)
06.04.2009 - POC is acknowledged and promise is made to get back
once the material has been analysed.
10.04.2009 - Sending another POC file (ZIP)
10.04.2009 - The third person, ergo the "Cyber
Incident & Vulnerability Handling PM", is taking over coordination

14.04.2009 - A comment was made to my blog that indicated IBM did
answer the Bugtraq posting and negated my findings. Having
received no response from them personally, I ask
"Dear Peter, I was referred to this url in a comment posted to my blog:
http://iss.custhelp.com/cgi-bin/iss.cfg/php/enduser/std_adp.php?p_faqid=5417
can you confirm this ?"

15.04.2009 - IBM responds:
"[..] we
apologize that the path of communicating the disclosure was somewhat
confusing. [..] The IBM contact address in the
OSVDB is typically used for software products that are in another division
of IBM, and thus, your report was not routed to us in a timely manner. In
the future, we'd prefer that you contact myself directly"

"We have now investigated the TZO-04-2009-IBM incident you reported and have
found that we are not susceptible to this evasion."
"[..]in this case, there are other components in our Proventia
products that prevent this evasion from occurring"
"Testing our production products, rather than testing this one
piece of our technology, then you would have been able to see the same
results"

16.04.2009 - As my tests indicate otherwise I ask "Could you please
specify which >components< would prevent the evasion, as it is
hard to see how to prevent it when the unarchiver code cannot extract
the code itself" and
"I would be glad to do so [Red: test production products]:
Please send the respective appliances to <my address>"

16.04.2009 - IBM answers
[..] "We are not an open source company, so the internal workings of
our proprietary software is not something we publicly disclose.
We do not provide our products for free to all of the independent
testers that might be interested in our product lines--the number
of requests simply would not be scalable or manageable if
we did"

17.04.2009 - As I have no way to reproduce and IBM gives no details
about their OH-SO Secret proprietary software, I state that
"I cannot verify nor reproduce your statements as such I will leave
this CVE entry as disputed." "Please provide tangible proof that
you detect the samples. Screenshots, logs, outputs."
AND
"My worktime is not open source either[..] Yet I
am currently working for your interests and customers, for free. I can
stop reporting responsibly if this is what you are trying to achieve."

21.04.2009 - As there was no reply, I resend the previous mail

22.04.2009 - IBM acks receipt and promises to reply soon.

==
In the meantime, as I thanked AV-TEST GmbH in my advisory,
somebody complains directly to AV-TEST GmbH and forces them to
no longer give me access to their test clusters. AV-TEST GmbH
subsequently asks me to stop testing using their systems.
As a note: Anybody spot a parallel to the mob?
==

23.04.2009 - I inform IBM that
"Interestingly, instead of spending the time cooperating with me,
some think it might be more useful to complain at AVTest." [..]
"I perceive the complaints as a direct attack against myself"

23.04.2009 - IBM informs me that it wasn't them that complained and
that
"[..] We processed your claim. You do NOT evade our products.
You are talking about a component that never deploys singularly.
Hence you cannot evade."

"As for testing our products, we have organizations that do that from
time-to-time. Those are contractual agreements. Since you published
incomplete data previously, I see no reason to engage for such a test."

"You ask for cooperation, but yet
you only have leveled insinuations and have attempted to turn what has
taken place into something else. Hardly following responsible disclosure
as you have listed it."

"I welcome your thoughts and your input as there is always something to
reflect upon and to learn about. But this is a two way street, and I ask
you to learn from us that how we deploy our products is not what you
tested/researched."

"Further, we are not going to loan a Proventia device for you to learn upon."

23.04.2009 - I answer that
"[..] I asked for
screenshots or logs, something that, if tests have been done, should be
readily available anyway" "You seem not to be accustomed to handling
vulnerability reports; if a negative finding is reported, a vendor
usually responds that the finding was negative and usually attaches a
log, screenshot or similar."

> You do NOT evade our products. You are talking about a component
> that never deploys singularly.
> Hence you cannot evade."
"Hmm, that might be the case, or might not -
I have an email from last year that states that a sample I provided
evaded proventia, using the very same methods of tests as this time."

>Further, we are not going to loan a Proventia device for you to learn upon.
"I have not asked to be *loaned* a proventia device. You will
have to find the balance yourself. It's interesting to see that you
think I could somehow "learn" something from an appliance.

Anyways, if you don't provide me with guidance I can only send in more
and more samples (that may be more and more false positives). Again
trying to help, but if you don't need help that's fine with me too."

24.04.2009 - I inform IBM that
"Please note that I just made changes to my terms and policy to be able
to republish mails that happen during notification in full or
partially"

24.04.2009 - IBM states that
"Thierry,
Changes you make should be effective for new issues going forward. Period."

"We have reported to you that your issues DO NOT EVADE PRODUCTS. That is
unequivocal. You have not proven an evasion of a product. "

"We
have conducted that research and the report is negative, your issues do not
evade the product. [..] Further, we do
not for obvious reasons ever provide architectural details except in cases
of NIAP review under Common Criteria for EAL 2 or Higher, then in only
certain aspects. Your research does not attain that benchmark."

08.05.2009 - Sending a new POC evading Proventia (CAB);
no reply

11.05.2009 - Re-sending asking for an acknowledgement

15.05.2009 -
"We are in the final stages of completing the write up on our review of all
your reports. It may take until early AM US EDT to complete or possibly
early AM Central European Time."

22.05.2009 - IBM sends in the results, and *surprise* it DID evade proventia.
Quote:"
IBM Proventia Desktop Endpoint Security - susceptible
IBM Proventia Network Multi-Function Security (MFS) - susceptible

Multiple engines are susceptible to this evasion. We are working internally
and with third-party OEM vendors to create a fix for this evasion. For our
own engine, we have placed a fix on our long-term development roadmap, but
this is a low priority for us because this engine runs in a desktop
environment where malicious code in these archives will be detected upon
extraction or execution. If and when an update addressing this issue is
delivered for our engine, we will credit you."

Ignoring that the end-point argument doesn't hold true for the network
device, isn't this incredible?

22.05.2009 - I respond that
"[..] The files
bypass your protection - to argue with client-side protection (if any)
is reserved for the clients that use your products. You should rate it
as what it is. A bypass of your AV detection"

Heard nothing back since the 23rd of May. I trust IBM to disclose and fix,
and maybe credit, but I thought I'd let IBM customers know what your
millions in license fees are spent on.
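The technical point buried in this thread is that a content scanner only inspects the archive members its unarchiver can actually extract; IBM's own reply falls back on catching the payload "upon extraction or execution" on the desktop, which, as the post notes, is no help on a network device. The added example below is not code from the post or from IBM/Proventia; it shows the policy a gateway scanner needs so that an archive it cannot fully unpack is reported as unscannable and blocked instead of being passed as clean. The `looks_malicious` check and the `MARKER` string are constructed stand-ins for a real detection engine, and the damaged ZIP samples are built inline from a valid one.

```python
"""Fail-closed handling of ZIP archives that a scanner cannot fully unpack.

Added example (not from the original post or from any Proventia code).
A scanner that swallows extraction errors and returns "clean" fails open;
the archive's members were never looked at.  The wrapper below returns
"unscannable" for any archive whose members cannot all be enumerated and
extracted, and the block policy treats that the same as a detection.
"""
import io
import zipfile

# Constructed marker standing in for a real signature; hypothetical.
MARKER = b"CONSTRUCTED-TEST-MARKER"


def looks_malicious(payload: bytes) -> bool:
    """Hypothetical content check standing in for the AV engine."""
    return MARKER in payload


def scan_zip(data: bytes, fail_closed: bool = True) -> str:
    """Return 'clean', 'malicious' or 'unscannable' for one ZIP blob.

    fail_closed=True  : extraction failure -> 'unscannable' (blocked by policy)
    fail_closed=False : the weak policy: extraction failure is swallowed and
                        the archive is passed as 'clean' although nothing was scanned.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # read() raises on a bad header, truncated data or CRC mismatch.
                payload = zf.read(info)
                if looks_malicious(payload):
                    return "malicious"
    except Exception:  # BadZipFile, zlib.error, EOFError: anything that stops extraction
        return "unscannable" if fail_closed else "clean"
    return "clean"


def should_block(verdict: str) -> bool:
    """Policy: only an archive that was fully scanned and found clean passes."""
    return verdict != "clean"


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP with stored (uncompressed) members, so the
    sample bytes are visible in the blob and can be corrupted below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples.
CLEAN_ZIP = build_zip({"readme.txt": b"hello"})
BAD_ZIP = build_zip({"dropper.bin": MARKER})
# End-of-central-directory record cut off: the archive cannot be opened at all.
TRUNCATED_ZIP = CLEAN_ZIP[:-10]
# Member bytes altered without updating the stored CRC: the member cannot be extracted.
CRC_MISMATCH_ZIP = CLEAN_ZIP.replace(b"hello", b"hellO", 1)


if __name__ == "__main__":
    samples = [("clean", CLEAN_ZIP), ("marker", BAD_ZIP),
               ("truncated", TRUNCATED_ZIP), ("crc-mismatch", CRC_MISMATCH_ZIP)]
    for label, blob in samples:
        closed = scan_zip(blob)
        opened = scan_zip(blob, fail_closed=False)
        print(f"{label:13s} fail-closed={closed:12s} block={should_block(closed)!s:5s}"
              f" | fail-open={opened}")
```

Run stand-alone, the script prints one line per sample; the two damaged archives come back as `unscannable` under the fail-closed policy and as `clean` under the fail-open one, which is exactly the gap between "the unarchiver could not extract it" and "nothing was found".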

Re: Update: [TZO-06-2009] IBM Proventia - Generic bypass (Limited disclosure - see details) Jul 16 2009 11:39AM
Vladimir '3APA3A' Dubrovin (3APA3A SECURITY NNOV RU)


Copyright 2010, SecurityFocus