Thursday, October 18, 2012

On HP/H3C and Schrödinger's Disclosure

Background and Timeline

Whew! The past two days have been a whirlwind of activity and I wanted to get this down before things got too crazy or out of hand.

This weekend I had planned to be at Toorcon 14, my favorite security conference hands down, with a presentation entitled "A CouNtry's Honerable n3twork deviCes". The abstract:
Thanks to FX you can now use buffer overflows on Huawei routers. Buffer overflows are cool but there are issues you have to overcome. What if there was another path which looked more like regular traffic? This talk will release details of research done in parallel to FX's against H3C/HP routers, switches, access points and firewalls. Some stats of affected Internet-accessible devices will be thrown about and updates released to Metasploit to help audit your own network. After this talk you just might be able to control a large part of the Internet in a very large CouNtry.
It's a culmination of research I've been doing since June, 2012 into H3C gear with stats I (and others) have collected. On August 6, not long after FX's DEFCON talk, I submitted what I had to US-CERT for them to coordinate with HP/H3C. Standard US-CERT disclosure policy is 45 days from vendor notification. Unless the vendor asks and all agree to extend this.

30 days later I had not heard back from US-CERT or HP/H3C so I requested an update. At this time HP/H3C requested more time at which I said "ok, you can have until Toorcon. I'm going to submit to talk and even if not selected I want to disclose this."

All research and prep work for this talk was done as an individual researcher and not as part of any company. I had decided to go through US-CERT since I agree with their disclosure policy and felt this was something big and should be known and handled by them. They have a lot of experience and contacts to handle this. It's not that my employer's team isn't good, they're freaking awesome, I just didn't want to get them involved. Unfortunately.....

Then Comes Tuesday..

I received a very cordial and apologetic voicemail and e-mail from the HP Software Security Response Team asking me not to present this Saturday. The vulnerabilities are apparently too big for them to be ready. I had clearly stated back in September my intention to provide mitigation techniques so that their customers would not be left in the dark after the presentation was done. I'm not a bad person, really.. Honest!

While this was understood they still felt the information was too much of a risk and again requested I delay the talk until they could be ready.

I'm guessing somebody woke up on Tuesday morning and went "Oh hell, is Toorcon this Saturday?" but you can speculate as you see fit. I can't stop you.

Some dates were floated around. HP understands the urgency and also knows that ZDI, their own disclosure group, has a 6 month policy to "disclose no matter what." So the information will come out, just not right now by me or US-CERT.

Others strongly suggested to me that I agree with this delay. If you're familiar with the 7-layer OSI stack (similar to but not exactly like the 7-layer Taco Bell burrito) then you know there are 2 additional layers atop it. Politics and Money.

Feel free to speculate as you see fit. I can't stop you.

So Are You At Risk?

If you own and use H3C or Huawei equipment then of course you are. I have information of serious vulnerabilities and you don't. Nanny nanny boo boo. But I believe in Full and Responsible disclosure, which is why I went through US-CERT. It's just that this information has serious industry-wide implications that HP isn't ready to release.

Can others figure out what I know? Certainly they could. Am I going to tell anyone or give hints? No, I cannot. There is this bag with an angry cat in it that wants to come out. Or it may not be a cat. It's Schrödinger's Disclosure! You just won't know until it's opened.

This is what's tough about Full and Responsible Disclosure and why you should listen when dates and intentions are stated.

If you own and use H3C or Huawei equipment then you already know you're at a serious risk thanks to FX's DEFCON talk. If you value your network and its data then you should already have taken steps to protect it. These protections will most likely keep you safe from me as well.

However I know there are guys and girls out there that can find the same stuff I did. Please be respectful of me and HP by not talking about it if you do. Do feel free to talk to me and we'll commisurate together over our shared information.

Contacting HP

If you have any questions in relation to this case, I encourage you to contact HP's PR contact Samantha Singh

Disclaimer

The content herein consists of my own personal opinions and not those of my employer.

2 comments:

Vikas Singhal said...

Congrats Kurt for the findings and booho to HP :P

Viscous Damping said...

Excellent work.

I commend your decision to hold out on this issue, hopefully HP recognise your generosity.

Keep up the good work.

I will make a Good Guy Greg meme in your honour.