Topic: IMP Vulnerability

[Daniel]

Greetings,

I am wondering if the IMP vulnerability found recently affects those of us using 4.1.2.

Thanks,

Daniel

[Doug Nordwall]

the vulnerability can be found at
http://www.securityfocus.com/bid/3079

I think it probably does. I'm going to try and test it today

[Dan Brown]

This has been reported to e-smith security.  It's generally best not to discuss security issues, particularly regarding apparent vulnerabilities of the system, on a public list/board.

[Doug Nordwall]

It's already available on securityfocus..i think the damage has been done...

[Ross Laver]

Daniel,

Sorry for the delay in responding to this. As you may know, e-smith systems are typically not subject to the vulnerabilities that can affect generic Linux server installations. This is because our development team configures e-smith to provide the highest level of security by default. You can read more about this in our security whitepaper:

http://www.e-smith.com/whitepapers/

This situation is similar with respect to the reported IMP vulnerability. Default e-smith installations are not affected by this vulnerability, since it can only be exploited by local users with shell access. Local users on an e-smith server by default do not have shell access. There are no known exploits for this vulnerability.

Hope this helps,

Ross

[John Helms]

Thank you for responding to this question. Security issues like this are FAR too important to not be talked about. I am quite surprised that E-Smith has not made a more official and public statement regarding this vulnerability since IMP is a part of E-Smith's distro. I don't get the "best not to discuss security issues" thing that gets posted in response to a valid question regarding security on these boards. If there is a possible security issue that may affect my customers I want to know...YESTERDAY whether its something I need to do something about today.
Shhhh don't discuss it won't make it go away.
BTW, where are the listings for security issues and patches for these issues? Seems like I used to be able to find them quite easily but lately they are MIA. Maybe i'm just not looking in the right places.

[Daniel]

Greetings,

Thanks so much for the input and answers.

I would agree with a previous poster who esentially said that once a hole is on security focus then we don't lose anything by discussing it here.  Doing so will allow us to catch up to the hacker, not help him.

I am glad to know that we are not vulnerable to this flaw though.  Once again e-smith pulls through for us.

I am a bit curious about how to do updates on our systems though...I mean I see the updates folder on the ftp server but do you just look and see if there is anything new there and install it?

It seems like there could be a better way, like some sort of page that tells you what patches have been put out and gives a link to the download...something like that would be so simple, but so helpful.  Not that I am complaining; the product is already superb.

Thanks a billion,

Daniel

[Blake Heinemann]

I agree with the previous posters. I saw this security notice last week and emailed it to security@e-smith.com on 7/21.  I have heard nothing since, even though it's been posted several placed on the internet.  What's more, since IMP advertises it's version number on the sign-in page, it was a little disconcerting that E-smith didn't say anything publicly about it.

[Ross Laver]

John Helms wrote:

>I am quite surprised that E-Smith has not made a more official and public statement regarding this vulnerability

As stated, it is not a vulnerability. Should we issue an official statement each time we come across something that is not a vulnerability?

>I don't get the "best not to discuss security issues" thing that gets posted in response to a valid question regarding security on these boards.

This is standard Internet practice and has been explained on these boards several times. See, for example http://www.apache.org/security_report.html or the recovery procedures recommended by CERT (http://www.cert.org/nav/recovering.html).

> If there is a possible security issue that may affect my customers I want to know...YESTERDAY whether its something I need to do something about today.

As soon as we become aware of a security problem (as opposed to a non-problem) we move swiftly to develop a fix. As soon as we have a fix, we make it available to all e-smith users by posting an article on this site. We do not throw out an open invitation to crackers by publicizing security problems prior to making available the fix. Again, see the procedures recommended by CERT and followed by all responsible software developers.

Security is of the utmost importance to us and we strive to ensure that our open source distribution is the most secure all-in-one Linux distro available.

John, something else that is of the utmost importance to us is customer service. That includes service to our Authorized Partners and to *their* customers. Systems integrators who choose to become partners will find that we are extremely responsive in ensuring that their customers are well cared for.

[John Helms]

"As stated, it is not a vulnerability. Should we issue an official statement each time we come across something that is not a vulnerability? "

Of course you should! How about the following:
E-Smith has examined the security issues surrounding the (insert name here) vulnerability and has determined there is or is not a problem with versions (insert name here) of E-Smith.

"We do not throw out an open invitation to crackers by publicizing security problems prior to making available the fix. Again, see the procedures recommended by CERT and followed by all responsible software developers."

I'm sure the "crackers" are completely aware of E-Smith, what it contains for packages, and what IPs it runs on. Invitations won't be needed i'm afraid.

"Security is of the utmost importance to us and we strive to ensure that our open source distribution is the most secure all-in-one Linux distro available."

I know, that is why I feel confident in using E-Smith for my customers. I just think your policy toward security questions needs adjusted.

"John, something else that is of the utmost importance to us is customer service. That includes service to our Authorized Partners and to *their* customers. Systems integrators who choose to become partners will find that we are extremely responsive in ensuring that their customers are well cared for."

As you may or may not know, I have been selling E-Smith since its beginning. I have not yet signed on as a "Authorized Partner" but have been purchasing copies of E-Smith directly from E-Smith for sale to my customers. The price increase has made the choice of whether to signup a extremely hard one to make. There are numerous alternatives out there now all proclaiming to be secure but with a lower price tag. As well there are numerous devices available that fit into the same niche as the E-Smith product. Even though I feel your current price is scratching the high side, I think E-Smith is an excellent product. It has to be hard to straddle the open source/make a profit divide and I sincerely hope E-Smith continues to succeed. I believe in Linux and its value to the world. All of the other distros that I can think of have a record of quickly releasing to the public security advisories whether they are real problems or false alerts. E-Smith should too. Keep up the good work, it is appreciated.

[Ross Laver]

> How about the following:
E-Smith has examined the security issues surrounding the (insert name here) vulnerability and has determined there is or is not a problem with versions (insert name here) of E-Smith.

Like I said, when there's a problem, we respond. If our procedures differ from those of other distros, it's because our default configuration eliminates the vast majority of security problems.

> I'm sure the "crackers" are completely aware of E-Smith, what it contains for packages, and what IPs it runs on.

That's not the point. We make no attempt to conceal the packages used in e-smith -- quite the contrary, as you should know. But two distributions can use exactly the same packages and yet one is secure, the other isn't. The issue is how the whole thing is configured -- again, please see our security whitepaper.