Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Proverbial appliance vs. software based firewall

From: "Bill Royds" <broyds () rogers com>
Date: Sun, 27 Oct 2002 10:04:40 -0500
These vulnerabilities in QNX also showed up when they decided to release their code as source and allow download of 
binary for personal use. Is it also possible that the many eyes theory did work in this case, finding bugs that had 
been long hidden in closed source.
  QNX and VxWorks are both used in far more infrastructure critical systems than Linux or Windows. They really deserve 
the kind of Orange Book scrutiny that Argus Pitbull gets. But because QNX is relatively small and modular, that may be 
easier than for Linux or Windows.

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com]On Behalf Of Mikael
Olsson
Sent: Sat October 26 2002 21:08
To: Marcus J. Ranum
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Proverbial appliance vs software based firewall




"Marcus J. Ranum" wrote:


[...] they use smaller
kernels like VXworks or QNX or whatever. But there's a kernel
(that's "software", see?) running down in there, you betcha.
Do they look at the OS line by line? Hell no. Do they strip out
security flaws? Hell no. 


And, alas, "small" doesn't necessarily mean "secure".  At least not for 
high values of "secure". (Yes, you did hint as much; I just thought I'd 
chime in and provide some hard facts.)

Lookie what happened when QNX tried to Go Internet:
(this is all from late May this year and on)


Multiple QNX Local Buffer Overflow Vulnerabilities
   http://online.securityfocus.com/bid/5000

QNX Ptrace Arbitrary Process Modification Vulnerability
   http://online.securityfocus.com/bid/4919

QNX RTOS PKG-Installer Buffer Overflow Vulnerability
   http://online.securityfocus.com/bid/4918

QNX RTOS phlocale Environment Variable Buffer Overflow Vulnerability
   http://online.securityfocus.com/bid/4917

QNX RTOS phgrafx-startup Privilege Escalation Vulnerability
   http://online.securityfocus.com/bid/4916

QNX RTOS phgrafx Privilege Escalation Vulnerability
   http://online.securityfocus.com/bid/4915

QNX RTOS su Password Hash Disclosure Vulnerability
   http://online.securityfocus.com/bid/4914

QNX RTOS dumper Arbitrary File Modification Vulnerability
   http://online.securityfocus.com/bid/4904

QNX RTOS monitor Arbitrary File Modification Vulnerability
   http://online.securityfocus.com/bid/4902

QNX RTOS Watcom Sample Utility Argument Buffer Overflow Vulnerability
   http://online.securityfocus.com/bid/4905

QNX RTOS Watcom Sample Utility Privileged File Overwriting Vulnerability
   http://online.securityfocus.com/bid/4903

QNX RTOS CRTTrap File Disclosure Vulnerability
   http://online.securityfocus.com/bid/4901

QNX RTOS int10 Buffer Overflow Vulnerability
   http://online.securityfocus.com/bid/4906


Couple this with the amount of people likely to be scrutinizing QNX
code the way that people are doing with *nix / windows.

-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: