Re: assignments for malware
- To: jericho <jericho@attrition.org>, CVE Editorial Board <cve-editorial-board-list@mitre.org>
- Subject: Re: assignments for malware
- From: Art Manion <amanion@cert.org>
- Date: Mon, 13 Aug 2018 17:19:34 -0400
- In-reply-to: <alpine.LNX.2.20.1808131148090.14361@forced.attrition.org>
- Openpgp: preference=signencrypt
- References: <alpine.LNX.2.20.1808131148090.14361@forced.attrition.org>
- User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
On 8/13/18 12:55 PM, jericho wrote:
> The second type is just a malicious module that has nothing to do with
> the legitimate module, other than a similar name as the means for
> getting people to download it. An example of that is CVE-2017-16044:
> `d3.js` was a malicious module published with the intent to hijack
> environment variables. It has been unpublished by npm.
This seems out of scope for CVE. I get that npm-style software distribution is a
"new" and real thing, and without having recently looked at it in
detail, my impression is that npm and its ecosystem aren't terribly secure, which
is an intentional choice:
https://blog.npmjs.org/post/141702881055/package-install-scripts-vulnerability
In ancient box product terms, the analog is "I downloaded and linked
lib-png.so because I wanted to include PNG support in my application." Not
a technical vulnerability, I accidentally installed malware.
Yes, these matter, and I'm in favor of telling the public about
malicious npm-managed code, but that might not be CVE's job.
I don't see much of a difference with CVE-2018-3779. Intentionally
malicious code masquerading as legitimate, gains authority and
reputation by being allowed on npm in the first place, depends on
community to find and remove.
In terms of being vulnerabilities (and in scope for CVE), I'd say no,
not in scope. I wouldn't suggest removing any existing assignments,
but either stop or make a decision to include such things in CVE's
scope?
Trying out the other side: There is a (popular but insecure) software
development ecosystem; within that system, flagging malicious
components is treated like a vulnerability/CVE assignment? Still
doesn't really work for me.
- Art
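The thread above turns on two properties of npm-distributed malware: a package name chosen to resemble a legitimate module (the `d3.js` case), and package install scripts that run code at install time (the npm blog post linked above). The following is an added example, not code from this thread or from npm: a small defender-side audit that walks a list of installed package manifests and flags both signals. The watchlist of well-known names, the manifests, and the `native-widget` package are constructed for illustration; the edit-distance threshold of 1 is an assumed tuning value, not an npm setting.

```javascript
// Added example (not part of the mailing-list thread): audit a set of installed
// package.json manifests for (1) names that closely resemble a well-known package
// and (2) npm lifecycle hooks that execute code during installation.
// All sample data below is constructed for this example.

// npm lifecycle scripts that run during `npm install` of a dependency.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Constructed watchlist of popular package names to compare against.
const WATCHLIST = ["d3", "lodash", "express", "react"];

// Optimal-string-alignment edit distance: insert, delete, substitute, and
// adjacent transposition each cost 1, so "lodahs" is distance 1 from "lodash".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Normalise a package name so that cosmetic variants compare equal:
// drop an npm scope, a trailing ".js"/"js" suffix, and separator punctuation.
function normalizeName(name) {
  return name
    .replace(/^@[^/]+\//, "")
    .replace(/\.?js$/i, "")
    .replace(/[-_.]/g, "")
    .toLowerCase();
}

// Watchlist entries whose normalised form is within maxDistance of this
// package's normalised name, excluding the package itself.
function findLookalikes(name, watchlist, maxDistance = 1) {
  const n = normalizeName(name);
  return watchlist.filter((w) => w !== name && editDistance(n, normalizeName(w)) <= maxDistance);
}

// Produce one finding per package that has an install-time hook or a lookalike name.
function auditPackages(manifests, watchlist = WATCHLIST) {
  const findings = [];
  for (const pkg of manifests) {
    const scripts = pkg.scripts || {};
    const installScripts = LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === "string");
    const lookalikeOf = findLookalikes(pkg.name, watchlist);
    if (installScripts.length === 0 && lookalikeOf.length === 0) continue;
    findings.push({ name: pkg.name, version: pkg.version, installScripts, lookalikeOf });
  }
  return findings;
}

// Constructed manifests standing in for node_modules/*/package.json contents.
const SAMPLE_MANIFESTS = [
  { name: "d3", version: "5.7.0", scripts: { test: "tape test/**/*.js" } },
  { name: "d3.js", version: "1.0.0", scripts: { postinstall: "node setup.js" } },
  { name: "lodahs", version: "4.17.0", scripts: {} },
  { name: "express", version: "4.16.3", scripts: { test: "mocha" } },
  { name: "native-widget", version: "0.1.0", scripts: { install: "node-gyp rebuild" } },
];

console.log(JSON.stringify(auditPackages(SAMPLE_MANIFESTS), null, 2));
```

On the constructed manifests the audit reports `d3.js` (a postinstall hook and a name that normalises to `d3`), `lodahs` (one transposition away from `lodash`), and `native-widget` (an install hook, which is normal for native add-ons and is reported only so a reviewer can look at it). A legitimate `d3` and `express` produce no findings; exact matches against the watchlist are excluded on purpose. The point is triage, not verdicts: an install script or a near-miss name is a reason to inspect a package before trusting it, which is exactly the community review the thread says npm depends on.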