[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: assignments for malware

On Mon, Aug 13, 2018 at 10:55 AM, jericho <jericho@attrition.org> wrote:


This year there have been an increasing number of CVE assignments for malware; specifically 'malicious ruby gems' or 'malicious NPM modules'. They potentially come in two varieties, and may be handled differently depending. The first, and recent is CVE-2018-3779:

        active-support ruby gem 5.2.0 could allow a remote attacker to
        execute arbitrary code on the system, caused by containing a
        malicious backdoor. An attacker could exploit this vulnerability
        to execute arbitrary code on the system.

It isn't crystal clear from the H1 report if this was the legitimate code being backdoored, similarly named gem via a forked project, or a gem being distributed with a similar name (which I suspect). "The gem duplicates official activesupport (no hyphen) code, but adds a compiled extension."

The second type is just a malicious module that has nothing to do with the legitimate module, other than a similar name as the means for getting people to download it. An example of that is CVE-2017-16044:

        `d3.js` was a malicious module published with the intent to hijack
        environment variables. It has been unpublished by npm.

This is essentially malware, just served up via an official repository. Since that does not represent a vulnerability in a piece of software, it is my understanding that this would not meet the criteria for inclusion in CVE.

A backdoor is a vulnerability. I think the problem is CVE in past dealt with "oops we make a mistake" and not "oops, a malicious actor did it on purpose". 

Doesn't matter to the end user, well actually it does, backdoors are worse because someone for sure knows about the vulnerability and most likely intended to use it. So do these things need CVEs, tracking and remediation for people affected by it? Yes. 

I'm trying to imagine a scenario where a software or service user goes "oh, this exploitable flaw is a backdoor, thus no CVE, thus we don't need to remediate it" and uhh.. I can't imagine that, not even close. 

Could MITRE clarify the policy on this?

Thank you,


Kurt Seifried

Page Last Updated or Reviewed: August 13, 2018