AdamB wrote: As a security professional I'm not a huge fan of the response to a possible security issue being, 'Just don't put it on a routable address.' Obviously practicing defense in depth is a best practice across the industry, but that also means taking investigation of potential security issues in the software extremely seriously. Unpatched holes in IoT devices, including switches, routers, etc., are a huge issue in our industry, and the lackadaisical attitude shown here contributes to the problem.
So in the past we had a security hole from a package we use to run our HTTP interface. Mind you, the exploit did not allow someone to gain control of the switch but rather crash it by writing to the flash, filling the flash to full; a factory default cleared it, allowing it to be upgraded.
When the hole was exploited and the package authors released a patch we incorporated it in our next release.
This "potential" hole that Matt reported has not been confirmed or verified by us, nor reported by another user, "as of yet".
If you are expecting us to provide 100% foolproof code then you live in a dreamland, because much larger companies with far more programmers are constantly being exploited, and the best that can be done is patch them as they are discovered and confirmed. Large companies like Microsoft, Apple, Cisco, and such constantly release updates with security hole patches as they are discovered, exploited, and then verified and patched.
However, my advice is solid and one that I practice, as do most service providers, which is to secure my infrastructure devices from even being probed or being accessible to be exploited.
I keep my devices on IP space that is un-routed outside my network, and in the rare event I have no choice I use access control lists to limit their exposure. If the device has a WWW routable IP then we provide an Access Control List feature, but if the switch is behind a NAT and you port map to it for outside access then you have to secure the Access Control List in the router, as the switch will see all outside probes as coming from the NAT router.
We said we would investigate and we are.
We said we would look for patches to any packages we use but do not write, which we are doing.
We explained best practices to prevent probing and possible exploitation, which is to limit access from the WWW via things like Access Control Lists and/or putting sensitive infrastructure on private un-routable IPs and/or the use of private VLANs.
I fail to see the lackadaisical response you claim I had. The complete transcript of my response to Matt has been declassified and is available to read above. Now if you want to do an Adam Schiff parody of my response to Matt and then call it lackadaisical, then I guess so, but there was definitely no quid pro quo, I can promise you that.
Just what action and advice would you have taken and given that differs from mine?
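An added illustration of the ACL placement point made above (example code written here, not from the thread or the vendor): a switch management ACL that permits only the LAN works when the switch has its own routable address, but behind a NAT port map every outside probe arrives with the router's inside address, so the router's ACL is the one that must filter. All addresses are constructed from documentation ranges, and the source rewrite models the behaviour the post describes.

```python
from ipaddress import ip_address, ip_network

# Constructed example addresses (documentation ranges, not real hosts).
SWITCH_MGMT_ACL = [("permit", ip_network("192.168.1.0/24")),   # LAN only
                   ("deny", ip_network("0.0.0.0/0"))]
ROUTER_ACL = [("permit", ip_network("203.0.113.0/24")),        # assumed trusted admin range
              ("deny", ip_network("0.0.0.0/0"))]
NAT_INSIDE_IP = "192.168.1.1"   # the NAT router's LAN address, as the switch sees it


def acl_decision(acl, src):
    """First-match ACL lookup; traffic matching no entry is implicitly denied."""
    src = ip_address(src)
    for action, net in acl:
        if src in net:
            return action
    return "deny"


def probe_direct(src):
    """Switch on a routable IP: the switch's own ACL sees the real source."""
    return acl_decision(SWITCH_MGMT_ACL, src) == "permit"


def probe_via_nat(src, router_acl=None):
    """Switch behind a NAT port map (the post's scenario).

    Assumption, as the post describes it: the router rewrites the source to
    its own inside address, so the switch ACL sees one 'trusted' LAN host for
    every outside probe. Only an ACL applied on the router can filter by the
    real source, so it is checked first when one is configured.
    """
    if router_acl is not None and acl_decision(router_acl, src) != "permit":
        return False                      # stopped at the router
    translated_src = NAT_INSIDE_IP        # source NAT hides the real origin
    return acl_decision(SWITCH_MGMT_ACL, translated_src) == "permit"


if __name__ == "__main__":
    print(probe_direct("198.51.100.7"))               # False: switch ACL blocks it
    print(probe_via_nat("198.51.100.7"))              # True: NAT hid the real source
    print(probe_via_nat("198.51.100.7", ROUTER_ACL))  # False: router ACL blocks it
    print(probe_via_nat("203.0.113.9", ROUTER_ACL))   # True: trusted admin range
```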