By Jon Tullett
The bad news: crackers have successfully exploited a weakness in Solaris for x86 to defeat the highly-regarded Pitbull intrusion protection system. The good news: it was just a tradeshow competition.
Security company Argus Systems had egg on its face at the recent Infosecurity exhibition in London. Challenging all comers to crack a secured web server running the vendor’s flagship Pitbull protection system on Solaris 7 for x86, the company promptly had to pay up the $50,000 prize to a team of Polish crackers.
Dubbed “Last Stages of Delirium” (LSD), the group comprises four members: Michal Chmielewski; Sergiusz Fonrobert; Adam Gowdiak; and Tomasz Ostwald, who exploited a weakness in the operating system’s kernel, and completely bypassed the Pitbull system. Argus spokespeople rushed out explanations that their software was not at fault, but the damage had been done; the system they said could not be broken had been soundly cracked.
In fairness, it really was not the Pitbull system at fault, and the server Argus had set up for the challenge was not running a typical production environment, allowing more access to services than might be normal. Argus CEO Randy Sandone pointed out that any system running Sun’s Solaris 7 for x86 could be vulnerable to the attack. Details of the flaw have not been released to the public yet, but Argus said it has been working with the LSD crew to gain information which Sun will use to provide patches.
Regardless of where the flaw lay, Argus’ take on the affair is somewhat evasive. Claiming that their software was not at fault is weak at best – the software is there to protect a system assumed to be vulnerable (otherwise why install it at all?). This is software installed and trusted to give IS managers peace of mind, and the bottom line is, it didn’t work. Had this been a production server, there would have been a deeply unhappy IS manager on the phone, not to Sun, but to Argus.
Argus also pointed out that in reality none of its customers are at risk, since it has no customers using that product on the vulnerable system. All its Solaris shipments have been for OS environments running on the Sparc platform which – because the crack exploited vulnerabilities specific to the x86 platform – is not vulnerable. That rather raises the question: why didn’t they run the demo on a version that is in use, rather than one that has never been deployed?
All in all, a very embarrassing public incident for a high-profile security company, which only highlights what security experts already know: you absolutely cannot rely on a single product to completely protect a system. Not a firewall, not an IDS, not encryption. You must have all the pieces to complete the picture, no matter what the brochures say.