Re: CVEs for malicious software in PYPI

To: "Landfield, Kent" <Kent_Landfield@mcafee.com>
Subject: Re: CVEs for malicious software in PYPI
From: Kurt Seifried <kurt@seifried.org>
Date: Wed, 20 Sep 2017 21:54:11 -0600
Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=seifried.org;
Cc: "pmeunier@cerias.purdue.edu" <pmeunier@cerias.purdue.edu>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Delivery-date: Thu Sep 21 07:44:21 2017
In-reply-to: <5E73CFE9-5992-4D59-B498-DE6EF00BE1FE@mcafee.com>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <CABqVa3-Kb9V0iF1Cr2PQnxwMLy2GfYUyzaD1oa-EJ0mga9Wgcg@mail.gmail.com> <1505919309.24625.15.camel@cerias.purdue.edu> <5E73CFE9-5992-4D59-B498-DE6EF00BE1FE@mcafee.com>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 5952c28dcc454f0789fb433d26f936ef
Spamdiagnosticoutput: 1:2

Question to clarify:

Software package A.

Researcher finds Software package A has a backdoor ("root"/"password") that was in dev but slipped through to a production version.

If the above were a programming error they would get a CVE right?

If they are deliberately introduced by the programmer, still gets a CVE right?

But if a bad guy hijacks the package and inserts the above code, that doesn't get a CVE?

To me a security vulnerability worthy of a CVE in software is a security vulnerability worthy of a CVE in software, I don't care about intent (well in so much as I'd like to avoid shipping code from malicious upstreams, or projects that get compromised/etc.).

On Wed, Sep 20, 2017 at 9:05 AM, Landfield, Kent <Kent_Landfield@mcafee.com> wrote:

+1

--
Kent Landfield
+1.817.637.8026
kent_landfield@mcafee.com

On 9/20/17, 9:57 AM, "owner-cve-editorial-board-list@lists.mitre.org on behalf of Pascal Meunier" <owner-cve-editorial-board-list@lists.mitre.org on behalf of pmeunier@cerias.purdue.edu> wrote:

1) Identifying vulnerabilities in malicious code would be in the scope
of the CVE but it has doubtful utility. Identifying malicious code is
out of scope

2) Typo squatting whether in domain names or package names is not a
software vulnerability, it's a namespace management issue and an attackvector, out of scope of the CVE.

Pascal

On Fri, 2017-09-15 at 18:53 -0600, Kurt Seifried wrote:
> http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html
>
> TL;DR: Someone may PYPI packages that were malicious, and typo/close
> names
> of legit things (e.g. acquisition / acqusition). I'd like to assign
> CVEs to
> them so they are identified, so two thoughts:
>
> 1) people uploaded code (meant to be malicious or not) to PYPI that
> has
> flaws, so CVE right
> 2) the typo squatting aspect, should this get a CVE? There is obvious
> intent of shenanigans, but... how do we count it?
>

Kurt Seifried
kurt@seifried.org

Follow-Ups:
- Re: CVEs for malicious software in PYPI
  - From: Pascal Meunier <pmeunier@cerias.purdue.edu>

References:
- CVEs for malicious software in PYPI
  - From: Kurt Seifried <kurt@seifried.org>
- Re: CVEs for malicious software in PYPI
  - From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Re: CVEs for malicious software in PYPI
  - From: "Landfield, Kent" <Kent_Landfield@McAfee.com>

Prev by Date: Re: Required information for CVE entry submissions
Next by Date: Re: CVEs for malicious software in PYPI
Previous by thread: Re: CVEs for malicious software in PYPI
Next by thread: Re: CVEs for malicious software in PYPI
Index(es):
- Date
- Thread