Closed joachimmetz closed 5 months ago
Why does this matter:
More data points that CVE and CVSS scoring is not helping to improve security and that Mitre CVE and NIST NVD are clearly not up to the task of providing reliable security advisories.
A recent academic study[1] found that only 57% of security questions with regards
to CVE vulnerability scoring presented to participants in the study were accurately
answered. The study further elaborates on which information cues are crucial for
better accuracy, as well as which would actually drive confusion and lower
accuracy in scoring.
It is not unusual to find false positive in a CVE or inaccuracies in scores assigned
to any of the metrics groups, which introduces a risk of losing trust in a CVE or
creating panic for organizations which is uncalled for.
Another study[2] from Carnegie Mellon University reported similar findings with
regards to the accuracy of scoring. The report states: “More than half of survey
respondents are not consistently within an accuracy range of four CVSS points”
where 4 points alone moves the needle from a high or critical severity to lower
levels.
[1] Allodi, Luca & Banescu, Sebastian & Femmer, Henning & Beckers, Kristian.
(2018). Identifying Relevant Information Cues for Vulnerability Assessment
Using CVSS. 119-126. 10.1145/3176258.3176340.
[2] Spring, J.M, Hatleback, E. Householder, A. Manion, A. Shick, D. “TOWARDS
IMPROVING CVSS” Carnegie Mellon University, December 2018
VideoLAN blamed a reporter for running VLC on an old version of Ubuntu with out-of-date
libraries, and security firm MITRE for issuing a CVE before it could examine the
reporter's claims
NIST NVD has rated this issue incorrectly at CVSS v3 base score of 9.8 and "Network"
exploitable. This evaluation is not correct, the issue is only local exploitable, which
gets it a CVSS v3 base score of 7.8.
CVE stands for Common Vulnerability and Exposures and is scored using the CVSS
(Common Vulnerability Scoring System) standard. This standard is a bit complicated
to grasp at first, and (on the surface) seems a bit arbitrary.
The CVE scoring method is complicated, so much so that the average user shouldn't
even bother trying to calculate scores for vulnerabilities.
Things that would make the CVE better suited for security advisories (at least from an Open Source perspective):
Things Mitre CVE could be doing to reduce their error rate:
Things NIST NVD could be doing to reduce their CVSS scoring error rate:
Incorrect and misleading security advisories
Recently I was made aware of CVE-2018-8754 and DSA-4160.
First of all I was surprised to see these "Security Advisories" (quotation intended) seeing neither Mitre (who are responsible for issuing CVEs) nor Debian Security had reached out me. Seeing I’m the maintainer of libevt.
First some context
Libevt clearly indicates it has alpha status and HEAD, which is work in progress. So it will likely contain bugs.
See Wikipedia for an explanation of alpha: https://en.wikipedia.org/wiki/Software_release_life_cycle#Alpha
You cannot expect normal (open source) development if every pre-release or development version is scrutinized as stable software. It will take time and effort to get to stable and secure.
Lack of due diligence
Neither Mitre nor Debian Security did reach out to me, as the project maintainer, before they made their "advisories" (quotation intended).
Until to date neither Mitre nor Debian Security has not answered me these questions:
Where the answer to the last questions seems no.
Mitre and NVD and their arbitrary CVE process
The status of CVE-2018-8754 initially read:
How can you post an advisory if have not done your analysis?
Now it says:
Until date I have not seen any proof for the first 2 claims.
For the 3rd one you would have to run libevt as part of a service without having taken additional measures like sand-boxing.
To improve security it is important to get facts straight and not have this arbitrary process.
Per Mitre the vulnerability definition we currently use is:
As you can read from their response Mitre applies arbitrariness within their over complicated definitions (that are also not aligned with the CWE). Also until date Mitre has not provided any evidence of their claims after numerous requests to do so.
Additional information from NVD.
NVD basically says we have no information so we assume the worst based on no facts without any transparency.
Let's review https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8754 and https://nvd.nist.gov/vuln/detail/CVE-2018-8754. There are details in the NVD that are not in the CVE such as "Allows unauthorized disclosure of information", "Allows unauthorized modification", "Attack Vector (AV): Network",
Also the NVD references https://www.debian.org/security/2018/dsa-4160, which only mentions "denial of service".
Where does the NVD get this information? After having repeatedly asked for the proof NVD has not provided me with any.
I read this as instead of providing an accurate and transparent advisory the NVD will knowingly make false claims (make up stuff) when there is no information. This sounds a lot like slander ("to make false and damaging statements") or defamation to me.
Thank you Mitre CVE and Nist NVD for having such a "responsible disclosure" process. (quotation intended)
Bureaucracy at its best
Nist NVD pointing to Mitre CVE
Mitre CVE pointing to Nist NVD
Rectification (at last)
On July 11, 2018 NIST NVD removed the speculative claims from https://nvd.nist.gov/vuln/detail/CVE-2018-8754. Nothing in the NVD entry indicates that the advisory has been updated.
Also until date neither Mitre CVE or NIST NVD has apologized for putting their speculative claims out in the world in the first place, nor have they presented an assessment on what they plan to change going forward.
Untruthful claims in DSA-4160
I was also surprised and saddened that Debian Security had did not done their due diligence. From their initial DSA-4160 report:
I've reached out to Debian Security seeing their website offers no direct feedback link. They replied after roughly 1 week after issuing DSA-4160.
It took about a month to get the DSA-4160 posting updated. There is no public evidence of the posting being changed, nor any statistics on how often this happens.
More hearsay
Some more hearsay I found by vulnerability exchange platforms that not even try to bother to keep up to date with their upstream
From: https://exchange.xforce.ibmcloud.com/vulnerabilities/140473
From: https://packetstormsecurity.com/files/cve/CVE-2018-8754
Even more disappointing the ability of the site to comment does not appear to be working. Until date packetstormsecurity has not responded or acted on any feedback provided directly to them.
Post-mortem
Who can I send the bill for all the time, effort and energy spent on this?
Mitre CVE and Nist NVD it is very nice of you want the software developers to meet your standards, but when are you going to self-impose quality standards to your own work?
More "security advisory" incompetence
Another update September 12, 2018
An update from Mitre CVE on August 24, 108, 5 months after the "advisory" went public:
First of all finally some more transparency. However Mitre CVE, please add the CVE number(s) you are referencing to your responses. From the email I have no idea which CVE number(s) you are referring to. So looking through all the CVE numbers I know about I checked CVE-2018-8754 and it now states:
So this is a misrepresentation of the dispute I have with the CVE. I do not dispute there is a bug, I dispute that this is worth a CVE number. For reasons mentioned before. Honestly this only confirms the complete arbitrariness of the CVE program.
Where are the links to the assessment done by Mitre CVE? Or does Mitre CVE do no assessment at all? Then where is the link to the assessment by the reporter? Oh wait, did the reporter just provided the output created by the fuzzing tool?
I did (multiple times), and what do you expect no answer so far.
Another update August, 2021
Mitre still has not made any visible improvements they now even confirm that they do not do any due diligence. They leave it up to the reporter to reach out to the "vendor" and there is no validation that this happened. Also see: https://github.com/libyal/libexe/issues/1#issuecomment-904888577
If you cannot guarantee software issues will be fixed then why bother? Stop wasting everyone else their time so people can focus their time and energy on efforts that really make software more secure