libyal / libpff

Library and tools to access the Personal Folder File (PFF) and the Offline Folder File (OFF) format
GNU Lesser General Public License v3.0

Incorrect and misleading security advisories CVE-2018-11723 and CVE-2018-20348 #66

Closed joachimmetz closed 4 years ago

joachimmetz commented 6 years ago

Incorrect and misleading security advisory

Recently I was made aware of CVE-2018-11723.

First of all I was surprised to see this “Security Advisory” (quotation intended), seeing neither Mitre (who are responsible for issuing CVEs) nor the reporter had reached out to me, seeing I’m the maintainer of libpff.

The reporter 熊文彬 <bear.xiong () dbappsecurity com cn> did not reach out to this project. So apparently this reporter does not care much for getting bugs fixed.

First some context

Libpff clearly indicates it has alpha status and HEAD, which is work in progress. So it will likely contain bugs.

See Wikipedia for an explanation of alpha: https://en.wikipedia.org/wiki/Software_release_life_cycle#Alpha

You cannot expect normal (open source) development if every pre-release or development version is scrutinized as stable software. It will take time and effort to get to stable and secure.

Lack of due diligence

Neither Mitre nor the reporter reached out to me, as the project maintainer, before they made their "advisory" (quotation intended).

Mitre and NVD and their arbitrary CVE process

The status of CVE-2018-11723 reads:

This vulnerability is currently awaiting analysis.

How can you post an advisory if you have not done your analysis?

The libpff_name_to_id_map_entry_read function in libpff_name_to_id_map.c in libyal
libpff through 2018-04-28 allows remote attackers to cause an information disclosure
(heap-based buffer over-read) via a crafted pff file.

To date I have not seen any proof of how a specially crafted pff file would cause information disclosure.

Also, to date Mitre has not provided any evidence of their claims after numerous requests to do so.

It is now August 8, 2018 and Mitre CVE has not responded to multiple inquiries (except for their auto-response). Again Mitre CVE is not giving me confidence in their ability to provide a "responsible disclosure" process (for additional context see: https://github.com/libyal/libevt/issues/5).

August 18, 2018 some rectification by NIST NVD

After reaching out to NVD they did a more realistic assessment this time:

CVSS v2.0 Severity and Metrics:
Base Score: 1.9 LOW 
Vector: (AV:L/AC:M/Au:N/C:P/I:N/A:N) (V2 legend) 
Impact Subscore: 2.9 
Exploitability Subscore: 3.4

Access Vector (AV): Local 
Access Complexity (AC): Medium 
Authentication (AU): None 
Confidentiality (C): Partial 
Integrity (I): None 
Availability (A): None 
Additional Information: 
Victim must voluntarily interact with attack mechanism
Allows unauthorized disclosure of information

However no proof has been provided for the claim "Allows unauthorized disclosure of information", seeing this is similar to https://github.com/libyal/libfsntfs/issues/8. I likely have to "thank" the reporter and Mitre CVE for being unable to provide impact assessments that are backed by proof.

Also see

joachimmetz commented 5 years ago

On January 3, 2019 I was made aware via an update on a closed issue https://github.com/libyal/libpff/issues/48 (not by Mitre CVE) about another CVE assigned to libpff CVE-2018-20348.

The current claim reads: "libpff_item_tree_create_node in libpff_item_tree.c in libpff before experimental-20180714 allows attackers to cause a denial of service (infinite recursion) via a crafted file, related to libfdata_tree_get_node_value in libfdata_tree.c."

This is very hypothetical, libpff is a library that runs locally, not a network service.

So these claims are dependent on many factors:

Mitre CVE, where is the analysis of these?

Again the work done by Mitre CVE is incomplete and useless.

joachimmetz commented 5 years ago

And again a completely inaccurate assessment by NIST-NVD

https://nvd.nist.gov/vuln/detail/CVE-2018-20348

CVSS v2.0 Severity and Metrics:
Base Score: 4.3 MEDIUM 
Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P) (V2 legend) 
Impact Subscore: 2.9 
Exploitability Subscore: 8.6

Access Vector (AV): Network 
Access Complexity (AC): Medium 
Authentication (AU): None 
Confidentiality (C): None 
Integrity (I): None 
Availability (A): Partial 
Additional Information: 
Victim must voluntarily interact with attack mechanism
Allows disruption of service

This library has no network capabilities. Seeing that NIST NVD has been informed about the lack of network capabilities in this library before, I can only conclude that they are incapable of making accurate "vulnerability" impact assessments.

Update January 15, 2019: after I reached out to NIST NVD they have updated their advisory. To date no improvements have been proposed by either Mitre CVE or NIST NVD to fix their useless and broken process.

I repeat what I said before, Mitre CVE and NIST NVD: it is very nice of you to want software developers to meet your standards, but when are you going to self-impose quality standards on your own work?
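As an added example, not part of libpff or of this issue, the CVSS v2.0 base-score arithmetic behind the two NVD vectors quoted in the thread, with the second vector's Access Vector changed from Network to Local to show how much of the 4.3 rating rests on that one assumption. The metric weights are the published CVSS v2.0 values; the helper names are my own.

```python
# CVSS v2.0 base-score calculator (added example; not libpff code).
# Weights are the CVSS v2.0 specification values published by FIRST.
import re

AV = {"L": 0.395, "A": 0.646, "N": 1.0}     # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}      # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}     # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}    # Confidentiality / Integrity / Availability impact

VECTOR_RE = re.compile(
    r"AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])")


def cvss2_base(vector):
    """Return (base, impact, exploitability) for a v2 base vector,
    each rounded to one decimal as NVD displays them."""
    match = VECTOR_RE.fullmatch(vector.strip("()"))
    if match is None:
        raise ValueError("not a CVSS v2 base vector: %r" % vector)
    av, ac, au, c, i, a = match.groups()
    impact = 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0.0 if impact == 0 else 1.176   # f(Impact) per the spec
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return round(base, 1), round(impact, 1), round(exploitability, 1)


def relocalise(vector):
    """Hypothetical helper: rescore a vector as Access Vector: Local,
    which is what applies to a library that only parses files on disk."""
    return vector.replace("AV:N", "AV:L")


if __name__ == "__main__":
    nvd_11723 = "AV:L/AC:M/Au:N/C:P/I:N/A:N"   # vector NVD gave CVE-2018-11723
    nvd_20348 = "AV:N/AC:M/Au:N/C:N/I:N/A:P"   # vector NVD gave CVE-2018-20348
    print(nvd_11723, cvss2_base(nvd_11723))
    print(nvd_20348, cvss2_base(nvd_20348))
    print(relocalise(nvd_20348), cvss2_base(relocalise(nvd_20348)))
```

With AV:N the second vector scores 4.3 MEDIUM; with the Access Vector corrected to Local the same impact drops to 1.9 LOW, the exploitability subscore falling from 8.6 to 3.4.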