[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVEs for malicious software in PYPI

On Sat, Sep 16, 2017 at 10:23 AM, Art Manion <amanion@cert.org> wrote:
On 2017-09-15 20:53, Kurt Seifried wrote:
> http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html
> TL;DR: Someone may PYPI packages that were malicious, and typo/close
> names of legit things (e.g. acquisition / acqusition). I'd like to
> assign CVEs to them so they are identified, so two thoughts:
> 1) people uploaded code (meant to be malicious or not) to PYPI that
> has flaws, so CVE right

> 2) the typo squatting aspect, should this get a CVE? There is obvious
> intent of shenanigans, but... how do we count it?
While something that needs to be identified/alerted about, I don't think CVE is the right identifier.

There's lots of intentionally created malicious software, the ability to create such software is not a vulnerability, we don't assign CVE IDs to malware...

Anyone can typo-squat, again, the act of or ability to do so is not a vulnerability, how many potential typo-squats are there in the world?

PYPI (and all software) needs signatures to deal with authenticity.  I could be convinced that the lack of such infrastructure in PYPI gets a CVE ID.

 - Art

The problem is the same as SSL/TLS web site certs. Yes this website is definitely bigbank-legit.com, but if bigbank-legit.com actually the bigbank I think it is? A PYPI module called "bzip" or "xz" or whatever keyword someone is likely to search for when looking for a standard library is probably going to get picked up (and how many people actually audit the code they import? or the code that gets pulled in by other things...), I think this straddles the software/services divide, which as we all know is not something CVE addresses cleanly right now, but I think we might need to make this more of a priority (especially as Cisco points out everything is converging). 

Kurt Seifried

Page Last Updated or Reviewed: September 20, 2017