Russians root out Spanning Tree flaw

by Paul Allen

19 Mar 2002

A Russian CTO has reignited the debate over how security vulnerabilities in networking protocols should be disclosed.

Oleg Artemjev, CTO at Russian ISP MetalTelecom, and Vladislav Myasnyankin, head of IT at a Russian bank, claim to have discovered a serious flaw in the Spanning Tree protocol.

The flaw is vendor independent, so would affect every enterprise running the technology. The vulnerability could leave enterprise networks wide open to DoS and man-in-the-middle attacks.

Artemjev and Myasnyankin have pledged to publish details of the vulnerability, after what Artemjev said was a cold response to his fears from the industry. The pair claim vendors they approached were not interested and Artemjev claimed he was rebutted by two leading vendors.

Artemjev believed the flaw was so serious that Layer-2 hardware worldwide would need to be reprogrammed, and stressed he had published details in a Russian magazine in the hope vendors would respond. "We're not hackers, we are security-aware IT-specialists," he said. The two are working on an English version.

A source at Avaya Technologies, who has seen some details of the alleged weakness, claimed it was not serious and said Avaya had patched up the problem. "It is a potential issue for enterprise networks. Avaya is investigating ways of overcoming these issues in a confidential way," the source said.

Many vendors believe those who publish details of vulnerabilities before patches have been coded play into the hands of hackers. But there is an increasing belief among users that vendors are reluctant to respond quickly unless goaded by full disclosure.

Phil Schiffman, director of security architecture at consultant @Stake, said difficulties in reporting security problems had pushed some into publishing details of flaws in a manner that could itself threaten enterprise networks. But he added that the accompanying publicity certainly had an effect on vendors.

"Disclosure of security events is a huge religious debate in the IT community. Releasing the information in a responsible way brings attention to the problem, which can hasten the fix." He urged the networking community to thrash out a faster, reliable reporting mechanism that could be applied across the industry. "Finding the right kind of people in the company is often very hard to do. The vendors we're talking about have huge organisations."

"Every large corporate network that is using kit made by any of the major vendors would be affected by a vulnerability in ST. The trouble with IEEE is it's often slow to respond to these things, as anything that's committee-based is going to be. If you see a problem in open source code it can be sorted in a matter of hours," said Schiffman.

© Vlad
