
assignments for malware

Board,

This year there have been an increasing number of CVE assignments for malware; specifically 'malicious ruby gems' or 'malicious NPM modules'. They potentially come in two varieties, and may be handled differently depending. The first, and recent, is CVE-2018-3779:

        active-support ruby gem 5.2.0 could allow a remote attacker to
        execute arbitrary code on the system, caused by containing a
        malicious backdoor. An attacker could exploit this vulnerability
        to execute arbitrary code on the system.

It isn't crystal clear from the H1 report if this was the legitimate code being backdoored, similarly named gem via a forked project, or a gem being distributed with a similar name (which I suspect). "The gem duplicates official activesupport (no hyphen) code, but adds a compiled extension."

The second type is just a malicious module that has nothing to do with the legitimate module, other than a similar name as the means for getting people to download it. An example of that is CVE-2017-16044:

        `d3.js` was a malicious module published with the intent to hijack
        environment variables. It has been unpublished by npm.

This is essentially malware, just served up via an official repository. Since that does not represent a vulnerability in a piece of software, it is my understanding that this would not meet the criteria for inclusion in CVE.

Could MITRE clarify the policy on this?

Thank you,

Brian
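Both varieties described in the message above rely on a package name that looks like a legitimate one (a hyphen inserted, a `.js` suffix added). The following is an added example, not part of the mailing list post or of any MITRE or npm tooling: a small dependency-manifest audit that flags names which collapse to a known-good name once separators and common suffixes are removed, or which sit within a short edit distance of one. The allow-list of "known good" names is constructed for the example; in practice it would come from a curated internal registry.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list of legitimate package names per ecosystem (assumption:
# in real use this would be a curated internal registry or the canonical index).
KNOWN_GOOD = {
    "ruby": {"activesupport", "rails", "nokogiri"},
    "npm": {"d3", "lodash", "express"},
}

# Suffixes that lookalike names commonly bolt onto a legitimate name.
DECORATIONS = ("js",)


def normalize(name):
    """Lower-case and drop the separators that lookalike names play with."""
    return re.sub(r"[-_.]", "", name.lower())


def lookalike_of(name, ecosystem, threshold=0.8):
    """Return the legitimate package a name resembles, or None.

    An exact match is legitimate. A name that equals a known-good name after
    normalization (active-support vs activesupport) or after normalization plus
    a common decoration (d3.js vs d3) is flagged outright; otherwise the
    closest known-good name is reported if its similarity ratio is high.
    """
    good = KNOWN_GOOD[ecosystem]
    if name in good:
        return None
    norm = normalize(name)

    # Pass 1: structural lookalikes (separators / decorations only).
    for g in good:
        base = normalize(g)
        candidates = {base} | {base + d for d in DECORATIONS}
        if norm in candidates:
            return g

    # Pass 2: near-miss spellings (one or two characters off).
    best, best_ratio = None, 0.0
    for g in good:
        ratio = SequenceMatcher(None, norm, normalize(g)).ratio()
        if ratio > best_ratio:
            best, best_ratio = g, ratio
    return best if best_ratio >= threshold else None


def audit(manifest, ecosystem):
    """Return (suspicious_name, resembled_name) pairs for a list of dependencies."""
    findings = []
    for name in manifest:
        match = lookalike_of(name, ecosystem)
        if match is not None:
            findings.append((name, match))
    return findings


if __name__ == "__main__":
    # Constructed manifests mirroring the two cases in the message.
    print(audit(["rails", "active-support"], "ruby"))   # [('active-support', 'activesupport')]
    print(audit(["lodash", "d3.js", "lodahs"], "npm"))  # [('d3.js', 'd3'), ('lodahs', 'lodash')]
```

The two-pass structure matters: the structural pass catches the cases the message describes without any fuzzy threshold, while the similarity pass is deliberately conservative so that unrelated short names (for example `left-pad` against `lodash`) are not reported.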


Page Last Updated or Reviewed: August 14, 2018