This stuff is why CVE numbers are meaningless. "Someone can see the temperature of your server if they can get into your home network" is barely a bug, let alone a security bug.
This is just generating CVE numbers for the sake of it.
suprjami 148 days ago [-]
My favourite is CVE-1999-0524, people can tell the time set on your system with ICMP Timestamp messages.
Someone's added it to a commercial security scanner recently, so we have a lot of "severity 1" tickets to disable it.
Yes, severity 1 for something that's been there for 25 years. Very important CVE obviously.
If you don't assign CVE numbers to every security-related flaw, no matter how minor the flaw may be, you must come up with a way to draw the line on what flaws get CVEs and what ones don’t. That would be worse in pretty much every respect.
As it is now, I can look at a CVE and determine for myself and my organization whether it something we need to care about. I’d rather that decision stay in my hands, not someone else’s.
suprjami 148 days ago [-]
> I can look at a CVE and determine for myself and my organization whether it something we need to care about.
Except it doesn't work like this.
A security scanner will include a CVE. People want no red flags on the security scanner. They don't care what the CVE is, they just want red mark go away.
The attitude to accepting useless crap as a CVE is diluting what an important CVE actually is.
Fnoord 148 days ago [-]
A decent security scanner allows you to exclude informational vulnerabilities. When I rolled out Wazuh in an org, it allowed for said function. And I still, personally, wanted to know about it at least once.
Denote6737 147 days ago [-]
If that is your attitude to security scanning, you should not be in charge of anything more important than a speak and spell.
DougN7 147 days ago [-]
Seriously? Treating joke CVEs the same as true sev 1 issues is beyond silly and counter productive. There are very real limits to time, money and attention and pretending otherwise is foolish.
Citizen8396 147 days ago [-]
The person you’re replying to seems to agree with you.
Citizen8396 147 days ago [-]
Are you speaking from your experience in vulnerability management? If anything, I’ve seen the opposite behavior (ignore everything except where the risk is critical).
CVSS has been around since the mid-2000s, so it isn’t as if there’s no way to discern critical vulnerabilities from informational ones.
ziddoap 148 days ago [-]
>Except it doesn't work like this.
You'll have to email my bosses that :)
shawnz 148 days ago [-]
> If you don't assign CVE numbers to every security-related flaw, no matter how minor the flaw may be, you must come up with a way to draw the line on what flaws get CVEs and what ones don’t.
That's already the case now, since there's no perfectly objective way to decide whether a bug is even security related or not.
This is just an example of where that already existing subjective distinction was applied in a way that not everyone agreed with. It's an unavoidable problem that is going to happen once in a while.
It doesn't mean that CVEs are useless and it doesn't necessarily mean we need to be more liberal about what warrants a CVE either.
ziddoap 148 days ago [-]
>That's already the case now, since there's no perfectly objective way to decide whether a bug is even security related or not.
Sure, you are right that a line already exists. However, that line basically boils down to "could this bug conceivably affect security". The decision tree is 4 questions long -- very simple.
What I am opposed to is someone else answering "yes, this could conceivably affect security" and deciding on my behalf that I don't need to worry about it. That is a line for me (or someone who knows the organizations infrastructure, risk tolerance, etc.) to draw.
ploxiln 147 days ago [-]
Except that in this case, the answer to that question is no, this could not conceivably affect security. It's the rough shape of something that could, but actually it could not.
So we're back where we started. It's still subjective, how much you should "conceive the possibility", when it doesn't appear to actually be there.
147 days ago [-]
chgs 148 days ago [-]
So you are happy to have 1 million cves to look for per year per product?
Unless there’s a minimum standard it becomes noise, and the real CVEs are lost.
ziddoap 148 days ago [-]
>So you are happy to have 1 million cves to look for per year per product?
Trying to ignore the extreme hyperbole here...
I want me or my team to see every security-related flaw affecting the products in our network, yes. That's literally our job.
A CVE like this takes maybe 2 minutes for a junior on the team to mark as no risk.
tsumnia 148 days ago [-]
I agree with ziddoap here. Not reviewing these minor bugs are exactly how we end up with sophisticated attacks using simple bugs that leave us arm chair experts commenting "How did they even think of this?!?!"
Because the people that do conduct sophisticated attacks are studying every knock and cranny for these types of things. If they can find it once, they can automate it and find more. And then they move on to the next piece of their puzzle of "what can I do from here?"
distortedsignal 148 days ago [-]
I don't know that this CVE would be trivial to knock out.
My CVSS score for this is as follows:
CVSSv3.1:AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L (I said "Low" integrity issues, and "Low" availability issues, since I don't know if the DOS issue is real)
That reads out to a "Medium" CVE.
I have, in the past, worked with some banks, and they want all 4+ CVSSv3 CVEs enumerated and either remediated or for a plan to be in place to remediate them.
Maybe you're significantly better than I am at this, but I am hesitant to look at any CVE and say it's not a problem with how I have configured my software. Unless I have really deeply looked into the issue, I get really nervous saying a CVE is not going to affect my software.
suprjami 148 days ago [-]
Except this isn't a CVE anyone will encounter in the workplace because nobody in their right mind would run Pi-Hole on a Raspberry Pi in a professional setting. It's a waste of time.
If you want to dedicate staff to reviewing useless garbage issues you do that, go and review every issue logged against other non-commercial software.
The rest of us have a job to do.
ziddoap 148 days ago [-]
>The rest of us have a job to do.
I'm not sure why you are being hostile about it, but okay.
Obviously you feel very strongly about the subject. You should engage with MITRE and encourage them to reconsider their current CVE inclusion decision tree.
chgs 147 days ago [-]
If Daniel Steinberg struggles to make headway with them…
Fnoord 148 days ago [-]
Yeah except Bob, your uncle, is working from home and therefore needs to care about his home network security.
suprjami 147 days ago [-]
I look forward to your explanation of how the temperature of Bob's Raspberry Pi poses a threat to his employer.
I also wonder how the attacker got access to Bob's home network in the first place?
If only he had the chance to focus on actual important security issues instead of constant notifications about useless noise like the temperature of his Pi-Hole.
witrak 146 days ago [-]
>I look forward to your explanation of how the temperature of Bob's Raspberry Pi poses a threat to his employer.
Hmm, anything like this can be used as part of side channel if an attacker is able to influence the temperature of Bob's RPi.
Fnoord 146 days ago [-]
Informational vulnerabilities are often nothing to worry about, until they are.
8338550bff96 148 days ago [-]
That's a good way to get people to turn off security scanners
bravetraveler 148 days ago [-]
Some reduction might not be so bad. I would love to know how many times I've said the phrase "the version string/CVE is irrelevant because our vendor backports patches"
A lot of this can/should be boiled down to: are our updates and mirrors current?
One selects an OS vendor/distribution explicitly to make this kind of thing their ~problem~ responsibility. They gave me "foo", they can fix it.
There's usually no problem because nobody builds everything from upstream sources. The security vendor yells at me and the OS vendor about discoveries in something they never packaged.
Each distribution gets sufficiently involved that I refuse to mind most CVEs. Eternally grateful my current role allows me to drop this charade
jgalt212 148 days ago [-]
> I can look at a CVE and determine for myself and my organization whether it something we need to care about.
Yes, but one can envision a scenario where everything gets a CVE number and you, or members of your team, spend an inordinate amount of time looking up CVE numbers. Then along comes a service that you have to pay for that scores each CVE number for you. Due to any lack of discretion (in a database maintained by "experts"), you'll pay with your time, or your money.
ziddoap 148 days ago [-]
I'm quite happy with the current scenario and decision tree used to assign CVEs. As it stands right now, it is not "everything" that gets a CVE number.
If they change the decision tree and spelling mistakes start being assigned CVEs, I am sure I will change my mind.
r3db34rd 148 days ago [-]
[dead]
mjlee 148 days ago [-]
Not exactly that, someone can change the unit used to display the temperature for authenticated users.
148 days ago [-]
omoikane 148 days ago [-]
In this particular case they probably should have reported it as a regular bug and not as a vulnerability, but I am not sure this generalizes to CVE numbers being meaningless since I am not sure how often it happens.
jeroenhd 148 days ago [-]
Most CVE numbers are useful, but there are enough meaningless ones that will set off commercial security scanners to extort a sale to make them unreliable enough that you need to dig into most of them (rather than just assume they're security risks and treat them with the correct priority). Annoyingly, there are also plenty of security bugs that don't make it through the CVE system.
In a perfect world, you should be able to treat a CVE number in a scan or bug report as something of importance, but in practice you need to filter out the "time protocol allows reading the time" class of CVEs as well. CVEs might as well be links to Github issues if they're treated like this.
VyseofArcadia 148 days ago [-]
Now we just sit back and wait for the side channel attack where someone figures out how to use temperature changes to exfil data.
I disagree, that's pretty easy to turn into a occupancy sensor. I think people need to get away from the "is this piece of information sensitive" in isolation and start thinking about it more like leaking bits. Leaking bits is bad, you don't know how a clever person might leverage them
tomschlick 148 days ago [-]
Yeah this is generating CVE numbers for resume clout.
iforgotpassword 148 days ago [-]
Maybe this is actually a good thing. Check a few of the cves they found and if it's things like this, you're dealing with a clown. I'd feel ashamed requesting to get a cve assigned for something like that.
kiyell 147 days ago [-]
OP here, it's been interesting seeing people's view of this. I wanted to clarify two things.
The bug here is that unauthenticated users can change a setting that only an administrator should be able to. The maintainers acknowledged the bug and accepted a patch to fix it.
Is changing the temperature unit shown on a dashboard a serious problem? No. But it is a problem and one that could be classified as a security issue.
What's the point of the CVE assignment? Well it creates a public record of this flaw and helps Pi-hole administrators make their own decisions (patch / ignore). It also puts the issue in the hands of other security researchers. For example, is there a possibility of using this vulnerability to conduct a DoS attack? I didn't test this and have moved on to other things but others can.
jijji 148 days ago [-]
where is the bug tho... the author is unable to do any exploit because the input variable is correctly sanity checked.... again, where is the "bug" or how is this a bug?
hoseja 147 days ago [-]
Behold, professional bug bounty hunters.
Valectar 148 days ago [-]
There's a lot of discussion here in the comments on whether this can meaningfully be called a vulnerability if you can only "see the temperature of your server".
Setting aside that the vulnerability doesn't actually allow that, isn't this potentially a Spectre / Meltdown vulnerability? This is an unprotected endpoint that conditionally executes code taken from user input. If the branch predictor can be trained to speculatively execute arbitrary code from the input, information could be extracted via endpoint timing using a similar methodology to Spectre or Meltdown, right?
bongodongobob 147 days ago [-]
This is what annoys me about internal security teams. No, this doesn't make us vulnerable because it's in the DMZ, we have ACLs, it's behind a firewall, we have traffic monitoring, process monitoring, MFA, geofences, etc etc. Just because there's a possibility this could be exploited in some convoluted way in a targeted attack doesn't mean all the other walls we have stood up around this are suddenly useless. I'm constantly pestered and forced to waste my time explaining that your little CVE scanner tool is not the end all for our security posture.
Not to snap at you, but I'm forced to deal with these "what if" scenarios weekly and it drives me nuts. I know the security guys have a job to do, but I feel like half of their job is just trying to drum up scary looking things to justify their employment.
This is just generating CVE numbers for the sake of it.
Someone's added it to a commercial security scanner recently, so we have a lot of "severity 1" tickets to disable it.
Yes, severity 1 for something that's been there for 25 years. Very important CVE obviously.
https://nvd.nist.gov/vuln/detail/CVE-1999-0524
As it is now, I can look at a CVE and determine for myself and my organization whether it something we need to care about. I’d rather that decision stay in my hands, not someone else’s.
Except it doesn't work like this.
A security scanner will include a CVE. People want no red flags on the security scanner. They don't care what the CVE is, they just want red mark go away.
The attitude to accepting useless crap as a CVE is diluting what an important CVE actually is.
CVSS has been around since the mid-2000s, so it isn’t as if there’s no way to discern critical vulnerabilities from informational ones.
You'll have to email my bosses that :)
That's already the case now, since there's no perfectly objective way to decide whether a bug is even security related or not.
This is just an example of where that already existing subjective distinction was applied in a way that not everyone agreed with. It's an unavoidable problem that is going to happen once in a while.
It doesn't mean that CVEs are useless and it doesn't necessarily mean we need to be more liberal about what warrants a CVE either.
Sure, you are right that a line already exists. However, that line basically boils down to "could this bug conceivably affect security". The decision tree is 4 questions long -- very simple.
What I am opposed to is someone else answering "yes, this could conceivably affect security" and deciding on my behalf that I don't need to worry about it. That is a line for me (or someone who knows the organizations infrastructure, risk tolerance, etc.) to draw.
So we're back where we started. It's still subjective, how much you should "conceive the possibility", when it doesn't appear to actually be there.
Unless there’s a minimum standard it becomes noise, and the real CVEs are lost.
Trying to ignore the extreme hyperbole here...
I want me or my team to see every security-related flaw affecting the products in our network, yes. That's literally our job.
A CVE like this takes maybe 2 minutes for a junior on the team to mark as no risk.
Because the people that do conduct sophisticated attacks are studying every knock and cranny for these types of things. If they can find it once, they can automate it and find more. And then they move on to the next piece of their puzzle of "what can I do from here?"
My CVSS score for this is as follows:
CVSSv3.1:AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L (I said "Low" integrity issues, and "Low" availability issues, since I don't know if the DOS issue is real)
That reads out to a "Medium" CVE.
I have, in the past, worked with some banks, and they want all 4+ CVSSv3 CVEs enumerated and either remediated or for a plan to be in place to remediate them.
Maybe you're significantly better than I am at this, but I am hesitant to look at any CVE and say it's not a problem with how I have configured my software. Unless I have really deeply looked into the issue, I get really nervous saying a CVE is not going to affect my software.
If you want to dedicate staff to reviewing useless garbage issues you do that, go and review every issue logged against other non-commercial software.
The rest of us have a job to do.
I'm not sure why you are being hostile about it, but okay.
Obviously you feel very strongly about the subject. You should engage with MITRE and encourage them to reconsider their current CVE inclusion decision tree.
I also wonder how the attacker got access to Bob's home network in the first place?
If only he had the chance to focus on actual important security issues instead of constant notifications about useless noise like the temperature of his Pi-Hole.
Hmm, anything like this can be used as part of side channel if an attacker is able to influence the temperature of Bob's RPi.
A lot of this can/should be boiled down to: are our updates and mirrors current?
One selects an OS vendor/distribution explicitly to make this kind of thing their ~problem~ responsibility. They gave me "foo", they can fix it.
There's usually no problem because nobody builds everything from upstream sources. The security vendor yells at me and the OS vendor about discoveries in something they never packaged.
Each distribution gets sufficiently involved that I refuse to mind most CVEs. Eternally grateful my current role allows me to drop this charade
Yes, but one can envision a scenario where everything gets a CVE number and you, or members of your team, spend an inordinate amount of time looking up CVE numbers. Then along comes a service that you have to pay for that scores each CVE number for you. Due to any lack of discretion (in a database maintained by "experts"), you'll pay with your time, or your money.
If they change the decision tree and spelling mistakes start being assigned CVEs, I am sure I will change my mind.
In a perfect world, you should be able to treat a CVE number in a scan or bug report as something of importance, but in practice you need to filter out the "time protocol allows reading the time" class of CVEs as well. CVEs might as well be links to Github issues if they're treated like this.
The bug here is that unauthenticated users can change a setting that only an administrator should be able to. The maintainers acknowledged the bug and accepted a patch to fix it.
Is changing the temperature unit shown on a dashboard a serious problem? No. But it is a problem and one that could be classified as a security issue.
What's the point of the CVE assignment? Well it creates a public record of this flaw and helps Pi-hole administrators make their own decisions (patch / ignore). It also puts the issue in the hands of other security researchers. For example, is there a possibility of using this vulnerability to conduct a DoS attack? I didn't test this and have moved on to other things but others can.
Setting aside that the vulnerability doesn't actually allow that, isn't this potentially a Spectre / Meltdown vulnerability? This is an unprotected endpoint that conditionally executes code taken from user input. If the branch predictor can be trained to speculatively execute arbitrary code from the input, information could be extracted via endpoint timing using a similar methodology to Spectre or Meltdown, right?
Not to snap at you, but I'm forced to deal with these "what if" scenarios weekly and it drives me nuts. I know the security guys have a job to do, but I feel like half of their job is just trying to drum up scary looking things to justify their employment.