Title: RE: ARSWiki: New Article

Michelle:

I will add to Axton's comments based upon my own knowledge of Systems Security.

James McKenzie
L-3 GSI


-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Lucero, Michelle - IST contractor

Sent: Wednesday, August 02, 2006 7:53 AM
To: [email protected]
Subject: Re: ARSWiki: New Article

This is very interesting stuff, Axton.

Can you help clarify this statement for me?

"At the time the last affected version (v6.3) is no longer 'officially'
supported by the vendor, the full vulnerability will be published."

My interpretation is that the full vulnerability will be published when
6.3 is no longer supported.  Although we can easily guess what the full vulnerability is from the description in the article(s), can't we obtain the full vulnerability statement from BMC Remedy Tech Support?

>>Actually, no.  BMC will not release details of this problem.  However, when you switch
>>to ARS 7.0 the problem is fixed.  Also, it is good security practice by a company to
>>not release full details of the problem and to implement fixes, if practical, in the
>>current release.  It was not practical to implement a fix in ARS 6.3 without causing
>>major disruption in processing as the fix was very difficult to implement mid-stream.

Also, if one's servers are not exposed to the internet, wouldn't the only attack be internal, especially if the Remedy Email engine is not accepting incoming email?

>>Well, since you asked this question, I will answer.  Over 80% of current exploitation
>>attempts are by 'inside' employees.  If you consider this, one disgruntled employee
>>with knowledge of the exploit can wreak havoc on your operations.  And one of the
>>vulnerabilities remains even if you NEVER installed the E-mail engine.

On another note, for the Secure ARS article, most of the instructions appear to be listed for ARS 6.01.  Do the same instructions apply if individuals are using 6.3 products, including Flashboards?

>>Yes.  Since the problems were not fixed with 6.3 you should attempt to use the
>>fixes.  Some of the fixes are not necessary with ARS 7.0.
