
Re: CVEs for malicious software in PYPI



The legitimate software should get a CVE in all those cases, which have
nothing to do with typosquatting.  Typosquatting is more like social
engineering, not a vulnerability in software package A.

Pascal


On Wed, 2017-09-20 at 21:54 -0600, Kurt Seifried wrote:
> Question to clarify:
> 
> Software package A.
> 
> Researcher finds Software package A has a backdoor ("root"/"password") that
> was in dev but slipped through to a production version.
> 
> If the above were a programming error they would get a CVE right?
> 
> If they are deliberately introduced by the programmer, still gets a CVE
> right?
> 
> But if a bad guy hijacks the package and inserts the above code, that
> doesn't get a CVE?
> 
> To me a security vulnerability worthy of a CVE in software is a security
> vulnerability worthy of a CVE in software, I don't care about intent (well
> in so much as I'd like to avoid shipping code from malicious upstreams, or
> projects that get compromised/etc.).
> 
> 
> On Wed, Sep 20, 2017 at 9:05 AM, Landfield, Kent <Kent_Landfield@mcafee.com>
> wrote:
> 
> > +1
> > 
> > --
> > Kent Landfield
> > +1.817.637.8026
> > kent_landfield@mcafee.com
> > 
> > 
> > On 9/20/17, 9:57 AM, "owner-cve-editorial-board-list@lists.mitre.org on
> > behalf of Pascal Meunier" <owner-cve-editorial-board-list@lists.mitre.org
> > on behalf of pmeunier@cerias.purdue.edu> wrote:
> > 
> >     1) Identifying vulnerabilities in malicious code would be in the scope
> >     of the CVE but it has doubtful utility.  Identifying malicious code is
> >     out of scope
> > 
> >     2) Typo squatting whether in domain names or package names is not a
> >     software vulnerability, it's a namespace management issue and an
> >     attack vector, out of scope of the CVE.
> > 
> >     Pascal
> > 
> > 
> >     On Fri, 2017-09-15 at 18:53 -0600, Kurt Seifried wrote:
> >     > http://www.nbu.gov.sk/skcsirt-sa-20170909-pypi/index.html
> >     >
> >     > TL;DR: Someone made PYPI packages that were malicious, and typo/close
> >     > names of legit things (e.g. acquisition / acqusition). I'd like to
> >     > assign CVEs to them so they are identified, so two thoughts:
> >     >
> >     > 1) people uploaded code (meant to be malicious or not) to PYPI that
> >     > has flaws, so CVE right
> >     > 2) the typo squatting aspect, should this get a CVE? There is obvious
> >     > intent of shenanigans, but... how do we count it?
> >     >
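A defensive check for the package-name typosquatting pattern Kurt describes (acquisition / acqusition), added here as an example; it is not part of the thread and not code from PyPI, MITRE or the SK-CSIRT advisory. It normalises names the way PyPI does (the PEP 503 rule of case-folding and collapsing runs of `-`, `_` and `.`, which I am assuming applies to the names in question) and flags any requested name that sits within one edit of a vetted allow-list but is not on it. The allow-list and the requested names are constructed for the example; only "acqusition" comes from the thread.

```python
import re

# Constructed allow-list of packages an organisation has vetted (assumption
# for the example; a real check would read the organisation's own list).
KNOWN_PACKAGES = ["acquisition", "requests", "urllib3", "setuptools", "numpy"]

# Constructed install requests: one name from the thread ("acqusition") plus
# a transposition, a legitimate name, an unrelated name and a dropped letter.
SAMPLE_REQUESTS = ["acqusition", "requests", "reqeusts", "numpy", "flask", "urlib3"]


def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case and collapse runs of -, _ and . to '-'.
    Two names that normalise equal refer to the same PyPI project."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and swapping two adjacent characters each cost 1. The transposition rule
    matters because swapped letters are a common typo that plain Levenshtein
    would count as two edits."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost) # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def typosquat_candidates(requested, known=KNOWN_PACKAGES, max_distance=1):
    """Return (requested_name, closest_known_name, distance) for every
    requested name that is close to, but not the same as, a vetted package.
    Exact matches after normalisation are the real packages and are skipped."""
    known_norm = {normalize(k): k for k in known}
    hits = []
    for name in requested:
        n = normalize(name)
        if n in known_norm:
            continue
        best = min(known_norm, key=lambda k: osa_distance(n, k))
        dist = osa_distance(n, best)
        if dist <= max_distance:
            hits.append((name, known_norm[best], dist))
    return hits


if __name__ == "__main__":
    for name, near, dist in typosquat_candidates(SAMPLE_REQUESTS):
        print(f"suspicious: {name!r} is {dist} edit(s) from vetted {near!r}")
```

The threshold of one edit is deliberately tight: it catches the single dropped letter in the thread's example and adjacent swaps, while leaving genuinely different short names alone. Raising it for long names is reasonable, but every extra edit of slack adds false positives, so the output is best treated as a review queue rather than an automatic block.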

Page Last Updated or Reviewed: September 22, 2017