Tuesday, October 10, 2006

FreeBSD Local DoS Bug (iDefense)

I planned a good post for tonight, still working on it. While doing some lurking on the Full-Disclosure archives, I came across this: http://lists.grok.org.uk/pipermail/full-disclosure/2006-October/049960.html

Just posted by iDefense Labs. It's a local integer overflow in the FreeBSD kernel that can cause a machine to lock up and, in some cases, reboot. I think iDefense was right to classify this as a low severity vulnerability because the attacker needs local access to the box. The FreeBSD response was also quoted in the advisory:

"The policy of the FreeBSD Security Team is that local denial of service bugs not be treated as security issues; it is possible that this problem will be corrected in a future Erratum."

Possible?! Since when is access to information no longer important? Information availability is part of the information assurance process. Sorry, I sounded all corporate there, I promised myself I'd stop doing that. Ah, well, just my opinion.

On a side note, someone from Australia and South America visited this ridiculous blog! Cool.
