Re: INTERIM DECISION: ACCEPT 5 SA category candidates (Final 9/28)

I haven't been voting on candidates, but I want to respond to these
for the active voters to consider.

Exposures to finger, rusers, etc. fall into the exposures category
because they aren't really vulnerabilities. In fact, I would argue
that they aren't even exposures given the description. To be a
problem the following needs to be true:
1) The service needs to be accessible to a malfeasor (externally or internally)
2) The service needs to respond to requests from the malfeasor with
correct, useful information.
3) The system the service is running on must have some other
vulnerability that can be exploited.
4) The system needs to be accessible so that vulnerability can be exploited.

So, that "finger" is running on my machine is not a problem if a
firewall and/or tcpwrappers are in place and prevent anyone from
offsite from accessing it. Likewise, if there are no
vulnerabilities on my machine, I'm not exposing anything.
And I won't even mention the policy problem again. :-)

I run a version of finger on my machine. It returns information that
may or may not be accurate. It may not respond to requests from
some hosts and domains. My machine is otherwise pretty tightly
configured, so people knowing that there is a user 'spaf' on my
machine isn't a problem (as if they couldn't guess that otherwise).
I am basically the only user on my machine. So, is "finger" still
an exposure because it is running?
I think not.