Lessons learned from the BIND early advisory release

Date: 15 July 2011


As a CSIRT, AusCERT makes it its business to find out about security
issues before most Internet users, so that its Coordination Centre
is better able to prepare for the almost-inevitable public release
of software vulnerabilities. We find out about vulnerabilities
before most people and we're often aware of their active exploitation.
Often, we're given advance notice of a patch release so that we're
able to prepare a security bulletin, ready for release to our members
as well as the general public when the time is right. We enjoy the
trust of vendors, other CSIRTs, government agencies and various law
enforcement authorities and we take this responsibility seriously.

Last week, we broke that trust.

As part of the phased release for the BIND vulnerabilities described
by CVE-2011-2465 and CVE-2011-2464, AusCERT received advance notice
of the upcoming release and a copy of the ISC bulletins. In the
daily processing of security bulletins, messages, blogs and other
information that AusCERT filters to provide what we think is important
to its members, the ISC embargo warning was overlooked and these
ISC bulletins were sent out, as an AusCERT External Security Bulletin
(ESB), before the embargo clearance date. The bulletin was authored
and checked separately, yet the error slipped through.

The people at ISC who created the Berkeley Internet Name Domain
(BIND) software have designed an extremely rigorous process for
releasing information about updates to their software. The BIND
daemon is depended upon by most of the Internet community, with
some of the most heavily trafficked DNS servers relying on it to
reliably serve requests from end users and other DNS servers.

When a vulnerability in BIND is discovered and reported to ISC, a
process begins that results in a patch (or new version) being
released, first to a subset of customers, then to other implementers
and CSIRTs (like AusCERT) and finally to the public. As part of the
conditions of this process (known as a phased release), AusCERT
receives a copy of the upcoming announcement under embargo conditions.

Why does this precedence matter? When a vulnerability is responsibly
disclosed to a software vendor, it gives the vendor time to develop
and test a patch that corrects it. If information about the
vulnerability were to be made public before the patch is ready,
it's highly likely that it would be exploited by hackers - this is
what is known as a 'zero day' vulnerability. Responsible disclosure
tries to prevent this occurrence by getting the patch into the hands
of as many legitimate operators as possible before the vulnerability
becomes known publicly. It's vital that any critical installations
are patched in advance of the wider community becoming aware of the
problem, to reduce the window of time available to miscreants to
exploit and breach these systems; this is why such operators are
the first to receive the patch. It's only after this initial period
(and not every vendor will impose the same timelines) that a public
security advisory is released with information about the vulnerability
and directions on how to get and apply the patch. CSIRTs, like
AusCERT, play their part by assisting in the distribution of this
information. Should anything subvert this process, such as an
unexpected leak, it causes problems for everyone involved -
implementers are likely to be forced to rush their patching and it
may even compress the timeline for official public release of the
information.

So what did we do when we discovered our mistake? AusCERT routinely
publishes its External Security Bulletins on its site. Immediately
after the error was noticed - this was literally within 15 minutes
of release - we pulled this bulletin from the site. We also sent
a retraction message to all recipients of the bulletin AusCERT had
originally distributed, asking them to delete the message and
neither act on nor redistribute the information.
And we informed the ISC security team about the issue and what we
had done to mitigate the harm. In the end, the BIND advisories
were released publicly the next day and AusCERT redistributed them,
as normal.

What did we learn from this experience? This is a story about an
embarrassing situation that no professional CSIRT ever wants to
find itself in, but as a cautionary tale against the dangers of
complacency and information overload it's one worth repeating. The
push to mechanise information distribution in this industry is high,
but the risk of error means that AusCERT has always retained a more
human process for distributing information. Unfortunately, humans
still make mistakes - this situation would have been avoided by
simply taking more time to fully read an email message. Here in
AusCERT, we'll continue to work in the best interests of our
constituency and remain ever-mindful of the very human frailties
involved in providing this service.
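An added example, not part of AusCERT's process or of the original post: a small pre-publication gate that holds any bulletin carrying an embargo marker whose clearance date has not yet passed, and fails closed (sends the bulletin to a human) when an embargo is mentioned but no date can be parsed. The marker wording, the date format and the sample bulletin text are constructed assumptions, not ISC's actual notice format.

```python
import re
from datetime import datetime, timezone

# Constructed marker pattern (an assumption; real notices use their own wording),
# e.g. "EMBARGOED UNTIL 2011-07-05 18:00 UTC". The time part is optional.
EMBARGO_RE = re.compile(
    r"EMBARGO\w*\s*(?:UNTIL|:)?\s*"
    r"(\d{4}-\d{2}-\d{2})(?:[ T](\d{2}:\d{2})(?::\d{2})?)?",
    re.IGNORECASE,
)

def find_embargo(text):
    """Return the embargo clearance time (UTC) from the first marker, or None."""
    m = EMBARGO_RE.search(text)
    if not m:
        return None
    stamp = m.group(1) + " " + (m.group(2) or "00:00")
    # Clearance times are assumed to be stated in UTC.
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)

def release_decision(text, now_utc):
    """Decide whether a bulletin may be queued for distribution.

    now_utc is an ISO 8601 string such as "2011-07-04T09:00" (UTC).
    Returns (decision, reason) with decision in {'release', 'hold', 'review'}.
    Fails closed: an embargo mention without a parseable date is held for review.
    """
    now = datetime.fromisoformat(now_utc).replace(tzinfo=timezone.utc)
    when = find_embargo(text)
    if when is not None:
        if now < when:
            return "hold", "embargoed until " + when.isoformat()
        return "release", "embargo cleared at " + when.isoformat()
    if re.search(r"embargo", text, re.IGNORECASE):
        return "review", "embargo mentioned but no clearance date parsed"
    return "release", "no embargo marker"

# Constructed sample bulletin text; not an actual ISC or AusCERT bulletin.
SAMPLE = """External Security Bulletin (constructed sample)
*** EMBARGOED UNTIL 2011-07-05 18:00 UTC ***
Multiple vulnerabilities in BIND: CVE-2011-2464, CVE-2011-2465
"""

if __name__ == "__main__":
    for now in ("2011-07-04T09:00", "2011-07-06T09:00"):
        print(now, release_decision(SAMPLE, now))
```

A gate like this does not replace the second human check the post describes; it only guarantees that a bulletin with a visible embargo marker cannot be queued early by oversight.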

Joel Hatton