[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: assignments for malware
- To: jericho <jericho@attrition.org>
- Subject: Re: assignments for malware
- From: Kurt Seifried <kurt@seifried.org>
- Date: Mon, 13 Aug 2018 13:25:42 -0600
- Authentication-results: spf=softfail (sender IP is 192.52.194.235) smtp.mailfrom=seifried.org; imc.mitre.org; dkim=pass (signature was verified) header.d=seifried-org.20150623.gappssmtp.com;imc.mitre.org; dmarc=none action=none header.from=seifried.org;
- Cc: CVE Editorial Board <cve-editorial-board-list@mitre.org>
- Delivery-date: Mon Aug 13 15:54:23 2018
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seifried-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=/mQ+6rGOMdvTe+Ag2M7cElxgW7niaZIE6R1YkQisnlI=; b=WXOSfJEjbdC5s+bZmWRZzrhykrjlMjYxSCduE3mqa7ZyxXBNDAEcJarfL2utSPsXYJ cbOX4Ynh/6/UoJil7qcgLmYjq8wBQ861roacVOl5j3vV1cuYECZHOGZHbstPtmQI26+0 2WSZqNUBFKLPhtWoWMiDxOIQdP5P5WNUSSoQWwGkGMoVkxn2Jdz341XflN3pGGhthE5r qmlNtKHP0LnnOyIqkGS323eWjUOQ1hIujheipHuQxH678OEWt8bOk7AdMDXSWl3eVmDW hpTGh0bIrTsmaknL6xJCWTvHiF67qoc1feQVKjadscxgkFFz0eP2Ssm2AsvjkdMZRcNd YNHA==
- In-reply-to: <alpine.LNX.2.20.1808131148090.14361@forced.attrition.org>
- References: <alpine.LNX.2.20.1808131148090.14361@forced.attrition.org>
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
On Mon, Aug 13, 2018 at 10:55 AM, jericho <jericho@attrition.org> wrote:
Board,
This year there have been an increasing number of CVE assignments for malware; specifically 'malicious ruby gems' or 'malicious NPM modules'. They potentially come in two varieties, and may be handled differently depending. The first, and recent is CVE-2018-3779:
active-support ruby gem 5.2.0 could allow a remote attacker to
execute arbitrary code on the system, caused by containing a
malicious backdoor. An attacker could exploit this vulnerability
to execute arbitrary code on the system.
It isn't crystal clear from the H1 report if this was the legitimate code being backdoored, similarly named gem via a forked project, or a gem being distributed with a similar name (which I suspect). "The gem duplicates official activesupport (no hyphen) code, but adds a compiled extension."
The second type is just a malicious module that has nothing to do with the legitimate module, other than a similar name as the means for getting people to download it. An example of that is CVE-2017-16044:
`d3.js` was a malicious module published with the intent to hijack
environment variables. It has been unpublished by npm.
This is essentially malware, just served up via an official repository. Since that does not represent a vulnerability in a piece of software, it is my understanding that this would not meet the criteria for inclusion in CVE.
A backdoor is a vulnerability. I think the problem is CVE in past dealt with "oops we make a mistake" and not "oops, a malicious actor did it on purpose".
Doesn't matter to the end user, well actually it does, backdoors are worse because someone for sure knows about the vulnerability and most likely intended to use it. So do these things need CVEs, tracking and remediation for people affected by it? Yes.
I'm trying to imagine a scenario where a software or service user goes "oh, this exploitable flaw is a backdoor, thus no CVE, thus we don't need to remediate it" and uhh.. I can't imagine that, not even close.
Could MITRE clarify the policy on this?
Thank you,
Brian
Kurt Seifried
kurt@seifried.org
kurt@seifried.org
- Follow-Ups:
- Re: assignments for malware
- From: jericho <jericho@attrition.org>
- Re: assignments for malware
- References:
- assignments for malware
- From: jericho <jericho@attrition.org>
- assignments for malware
- Prev by Date: assignments for malware
- Next by Date: Re: assignments for malware
- Previous by thread: assignments for malware
- Next by thread: Re: assignments for malware
- Index(es):
