Re: INTERIM DECISION: ACCEPT 5 SA category candidates (Final 9/28)
I haven't been voting on candidates, but I want to respond to these for the active voters to consider.

Exposures to finger, rusers, etc. fall into the exposures category because they aren't really vulnerabilities. In fact, I would argue that they aren't even exposures given the description. To be a problem, the following needs to be true:

1) The service needs to be accessible to a malfeasor (externally or internally).
2) The service needs to respond to requests from the malfeasor with correct, useful information.
3) The system the service is running on must have some other vulnerability that can be exploited.
4) The system needs to be accessible so that vulnerability can be exploited.

So, that "finger" is running on my machine is not a problem if a firewall and/or tcpwrappers are in place and prevent anyone from offsite from accessing it. Likewise, if there are no vulnerabilities on my machine, I'm not exposing anything. And I won't even mention the policy problem again. :-)

I run a version of finger on my machine. It returns information that may or may not be accurate. It may not respond to requests from some hosts and domains. My machine is otherwise pretty tightly configured, so people knowing that there is a user 'spaf' on my machine isn't a problem (as if they couldn't guess that otherwise). I am basically the only user on my machine.

So, is "finger" still an exposure because it is running? I think not.

--spaf
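The tcpwrappers restriction the message refers to, as an added example that is not part of the original post or of the author's own configuration: a tcp_wrappers hosts.allow/hosts.deny pair that lets in.fingerd answer only local and on-site clients, so that condition 1 above fails for everyone offsite. The site domain `.example.edu` and the network prefix `192.0.2.` are placeholders (assumptions), and the example assumes finger is started from inetd through `tcpd` so that the access-control files are consulted at all.

```conf
# /etc/hosts.deny  (consulted only if nothing in hosts.allow matched)
# Refuse finger to everyone not explicitly allowed below.
in.fingerd : ALL

# /etc/hosts.allow  (checked first; first match wins)
# LOCAL matches hostnames without a dot (same domain as this host);
# .example.edu and 192.0.2. are placeholder site names/networks.
in.fingerd : LOCAL, .example.edu, 192.0.2.

# /etc/inetd.conf  (finger must be wrapped by tcpd for the rules to apply)
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
```

After editing, `tcpdchk` reports syntax or inetd.conf mismatches in the rule files, and `tcpdmatch in.fingerd some.host.example.org` shows which rule an offsite client would hit; both tools ship with tcp_wrappers. Note that a host-based wrapper only addresses who can reach the service (condition 1); what fingerd answers, and whether the box has any other weakness, are separate matters.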