[Info-vax] DCL vulnerability write up on The Register

Simon Clubley clubley at remove_me.eisner.decus.org-Earth.UFP
Fri Feb 9 08:32:03 EST 2018


On 2018-02-08, Simon Clubley <clubley at remove_me.eisner.decus.org-Earth.UFP> wrote:
> On 2018-02-08, Bill Gunshannon <bill.gunshannon at gmail.com> wrote:
>>
>> This should be sent to the Register as well.  This kind of bad
>> performance is just up their alley for reporting.
>>
>
> Then you would have to include VSI management. If the HPE information
> is at all recent, then neither VSI management nor HPE have exactly
> covered themselves in glory here.
>
> 1) Trying to get a CVE out of VSI was a very long painful drawn out process.
>
> 2) There's no information on the VSI website about security incidents,
> fixes and workarounds.
>

To VSI Management:

This is an example of how other vendors handle this:

https://kb.netgear.com/000048998/Security-Advisory-for-Authentication-Bypass-on-Some-Routers-or-Modem-Routers-PSV-2017-1208

Note in particular how they provide you with a range of information and
links and also note how Netgear doesn't have any problem with giving credit
to the person who found this. As Mitre have already told you, it is
expected that the vendor will assign credit to the discoverer (unless the
discoverer requests otherwise).

While I am not especially annoyed that you have decided not to assign
credit in this case (that's not why I did this work), if you try the
same stunt with the third party researchers, _they_ are likely to get
rather annoyed with you.

To everyone else:

While Netgear's security response was a nice grown up response, you
unfortunately can't say the same about the people who wrote the code
that caused the problems:

https://www.theregister.co.uk/2018/02/09/netgear_security_patches/

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980s technology to a 21st century world