{"id":22949,"date":"2023-09-19T16:10:56","date_gmt":"2023-09-20T00:10:56","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2023\/09\/19\/news-16679\/"},"modified":"2023-09-19T16:10:56","modified_gmt":"2023-09-20T00:10:56","slug":"news-16679","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/09\/19\/news-16679\/","title":{"rendered":"The mystery of the CVEs that are not vulnerabilities"},"content":{"rendered":"<p>A researcher specializing in Software Supply Chain security named <a href=\"https:\/\/www.linkedin.com\/posts\/danlorenc_cve-vulnerabilitymanagement-nvd-activity-7102609622657548288-YBxY\/\" target=\"_blank\" rel=\"nofollow\">Dan Lorenc recently raised an interesting topic on LinkedIn<\/a>.&nbsp;<a href=\"https:\/\/github.com\/CVEProject\/cvelistV5\/commit\/fd076718832c3ea0b79765b1451c2f88e2c20007\" target=\"_blank\" rel=\"nofollow\">138 new vulnerabilities<\/a> in open-source projects were all entered into the CVE database on the same day.<\/p>\n<p>To understand what the problem is, there are a few things you&rsquo;ll need to know.<\/p>\n<ul>\n<li>CVSS &ndash; The Common Vulnerability Scoring System (CVSS) is a system widely used in vulnerability management programs. 
<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2020\/05\/how-cvss-works-characterizing-and-scoring-vulnerabilities\">CVSS<\/a> indicates the severity of an information security vulnerability, and is an integral component of many vulnerability scanning tools.<\/li>\n<li>CVE &ndash; Common Vulnerabilities and Exposures (CVE) is a list of publicly disclosed vulnerabilities and exposures that is maintained by <a href=\"https:\/\/attack.mitre.org\/\" target=\"_blank\" rel=\"nofollow\">MITRE<\/a>.<\/li>\n<li>NVD &ndash; The National Vulnerability Database (NVD) is a database, maintained by the <a href=\"https:\/\/www.nist.gov\/\" target=\"_blank\" rel=\"nofollow\">National Institute of Standards and Technology (NIST)<\/a>, that is fully synchronized with the MITRE CVE list.<\/li>\n<\/ul>\n<p>The Common Vulnerabilities and Exposures (CVE) database is used to list publicly disclosed computer security flaws. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services).<\/p>\n<p>The NVD provides enhanced information above and beyond what&rsquo;s in the CVE list, including patch availability and severity scores. NVD also provides an easier mechanism to search on a wide range of variables.<\/p>\n<p>The <a href=\"https:\/\/www.cve.org\/About\/Process\" target=\"_blank\" rel=\"nofollow\">way it should work<\/a> is that vulnerabilities are first discovered, then reported to the CVE Program. The reporter requests a CVE ID, which is then reserved for the reported vulnerability. 
Once the minimum required data elements for a CVE record have been identified, the record is published to the CVE List.<\/p>\n<p>Details include but are not limited to affected product(s); affected or fixed product versions; vulnerability type, root cause, or impact; and at least one public reference.<\/p>\n<p>The year in a CVE ID normally reflects when the ID was reserved or the flaw was made public, so IDs assigned now would start with CVE-2023. However, Lorenc says that an unknown party has submitted a batch of CVEs that are backdated to earlier years and carry high CVSS scores.<\/p>\n<p>For example, <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2020-19909\" target=\"_blank\" rel=\"nofollow\">CVE-2020-19909<\/a> was <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-19909\" target=\"_blank\" rel=\"nofollow\">listed<\/a> as an integer overflow vulnerability in <em>tool_operate.c in curl 7.65.2<\/em> via a large value as the retry delay.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/09\/easset_upload_file76686_282255_e.png\" alt=\"listing of a disputed CVE\" width=\"700\" style=\"display: block; margin-left: auto; margin-right: auto;\" \/><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/09\/easset_upload_file53269_282255_e.png\" alt=\"listing of one of the disputed CVEs\" width=\"0\" height=\" \" caption=\"false\" \/><\/p>\n<p>In the screenshot you can see that the entry is marked &ldquo;DISPUTED&rdquo;.<\/p>\n<p>In his <a href=\"https:\/\/daniel.haxx.se\/blog\/2023\/08\/26\/cve-2020-19909-is-everything-that-is-wrong-with-cves\/\" target=\"_blank\" rel=\"nofollow\">blog<\/a>, Daniel Stenberg, a Swedish open source developer and the curl maintainer, explains that this is not a security vulnerability. It was, in fact, a <a href=\"https:\/\/github.com\/curl\/curl\/pull\/4166\" target=\"_blank\" rel=\"nofollow\">bug reported and fixed<\/a> in 2019. 
Stenberg criticizes the NVD for not trying very hard to actually understand the problems it grades.<\/p>\n<p>As Lorenc pointed out, it looks as if a bot or AI has been scraping old issues and commits and filing them as CVEs in an automated fashion, without ever getting the maintainers involved.<\/p>\n<p>The problem is that many organizations rely on automated vulnerability scanning or on specialized <a href=\"https:\/\/www.malwarebytes.com\/business\/vulnerability-patch-management\" target=\"_blank\" rel=\"nofollow\">vulnerability triage or management platforms<\/a>, and those tools key on the CVE ID and its CVSS score. When no maintainers are involved or even notified about these non-issues, the bogus entries live on. Many scanners will not see, or will disregard, the &ldquo;DISPUTED&rdquo; status, so teams end up wasting precious time that could have been spent on actual vulnerabilities.<\/p>\n<p>The question that remains: is there a fundamental problem with the CVE reporting process that allows the automated submission of bogus vulnerabilities?<\/p>\n<p>It is fair to say that experts agree that any form of automated filing of CVEs, without prior contact with the developers or maintainers of the affected software, completely misses the point of getting vulnerabilities fixed before they are made public. And filing vulnerabilities that are in fact bugs resolved long ago is a weird form of fear mongering.<\/p>\n<p>Knowing this can happen, by accident or on purpose, warrants more robust checking than merely confirming that the minimum required data elements for a CVE record are present.<\/p>\n<hr \/>\n<p><strong>We don&rsquo;t just report on vulnerabilities&mdash;we identify them, and prioritize action.<\/strong><\/p>\n<p>Cybersecurity risks should never spread beyond a headline. 
Keep vulnerabilities in tow by using <a href=\"https:\/\/www.malwarebytes.com\/business\/vulnerability-patch-management\">Malwarebytes Vulnerability and Patch Management<\/a>.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/09\/the-mystery-of-the-cves-that-are-not-vulnerabilities\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<table cellpadding=\"10\">\n<tr>\n<td valign=\"top\" align=\"left\">\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/business\" rel=\"category tag\">Business<\/a><\/p>\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/exploits-and-vulnerabilities\" rel=\"category tag\">Exploits and vulnerabilities<\/a><\/p>\n<p>Categories: <a href=\"https:\/\/www.malwarebytes.com\/blog\/category\/news\" rel=\"category tag\">News<\/a><\/p>\n<p>Tags: CVE<\/p>\n<p>Tags:  NVD<\/p>\n<p>Tags:  vulnerabilities<\/p>\n<p>Tags:  CVE-2020-19909<\/p>\n<p>Researchers have raised the alarm about a large set of CVE for older bugs that never were vulnerabilities.<\/p>\n<table width=\"100%\">\n<tr>\n<td align=\"right\">\n<p><b>(<a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/09\/the-mystery-of-the-cves-that-are-not-vulnerabilities\" title=\"The mystery of the CVEs that are not vulnerabilities\">Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/09\/the-mystery-of-the-cves-that-are-not-vulnerabilities\">The mystery of the CVEs that are not vulnerabilities<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[1001,11810,30159,22783,32,30158,10752],"class_list":["post-22949","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-business","tag-cve","tag-cve-2020-19909","tag-exploits-and-vulnerabilities","tag-news","tag-nvd","tag-vulnerabilities"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22949","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=22949"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/22949\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=22949"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=22949"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=22949"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
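One way to keep entries like CVE-2020-19909 from swallowing triage time, as an added example that is not code from Malwarebytes, NVD, MITRE or the curl project: a filter over NVD-style records that flags the two signals the article describes, a DISPUTED marker and a CVE ID whose year is far older than its publication date, and downgrades the action on disputed entries instead of paging on their CVSS score. The record layout follows the NVD API 2.0 JSON (`cve.id`, `cve.published`, `cve.descriptions`, `cve.metrics.cvssMetricV31`); the `cveTags` handling, the two-year threshold, the action labels and the sample feed (including the placeholder CVE-2023-99999, which is not a real record) are assumptions of this example.

```python
"""Triage filter for a CVE feed: surface entries that are DISPUTED or whose
CVE ID year is far older than their publication date (the backdated,
bot-filed pattern discussed above).

Added example, not Malwarebytes', NVD's, MITRE's or curl's code. Record shape
follows the NVD API 2.0 JSON. The 'cveTags' field name, the BACKDATED_YEARS
threshold and the action labels are assumptions; adapt them to your feed.
"""
from __future__ import annotations

import re
from datetime import datetime
from typing import Any

CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
BACKDATED_YEARS = 2  # assumption: an ID this much older than its publish date is suspicious


def cve_year(cve_id: str) -> int:
    """Year component of a CVE ID, e.g. 'CVE-2020-19909' -> 2020."""
    m = CVE_ID_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(m.group(1))


def english_description(cve: dict[str, Any]) -> str:
    for d in cve.get("descriptions", []):
        if d.get("lang") == "en":
            return d.get("value", "")
    return ""


def is_disputed(cve: dict[str, Any]) -> bool:
    """DISPUTED as NVD has exposed it: the legacy '** DISPUTED **' description
    prefix, or a 'disputed' entry in cveTags (field name assumed here)."""
    if english_description(cve).lstrip().upper().startswith("** DISPUTED **"):
        return True
    for tag_entry in cve.get("cveTags", []):
        if "disputed" in (t.lower() for t in tag_entry.get("tags", [])):
            return True
    return False


def base_score(cve: dict[str, Any]) -> float | None:
    """Highest CVSS v3.1 base score among the record's metric entries, if any."""
    scores = [
        m["cvssData"]["baseScore"]
        for m in cve.get("metrics", {}).get("cvssMetricV31", [])
        if "baseScore" in m.get("cvssData", {})
    ]
    return max(scores) if scores else None


def triage(cve: dict[str, Any]) -> dict[str, Any]:
    """Decide what to do with one record instead of trusting the score alone."""
    cve_id = cve["id"]
    published = datetime.fromisoformat(cve["published"])
    lag = published.year - cve_year(cve_id)  # years between ID year and publication
    disputed = is_disputed(cve)
    score = base_score(cve)
    if disputed:
        action = "review"       # a human looks first; nobody gets paged on a disputed entry
    elif score is not None and score >= 9.0:
        action = "patch-now"
    else:
        action = "schedule"
    return {"id": cve_id, "score": score, "disputed": disputed,
            "backdated": lag >= BACKDATED_YEARS, "id_year_lag": lag, "action": action}


def triage_feed(feed: dict[str, Any]) -> list[dict[str, Any]]:
    return [triage(v["cve"]) for v in feed.get("vulnerabilities", [])]


# Constructed sample shaped like an NVD API 2.0 response; values are illustrative.
SAMPLE_FEED = {
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-2020-19909",
            "published": "2023-08-22T19:16:34.540",
            "descriptions": [{"lang": "en", "value":
                "** DISPUTED ** Integer overflow vulnerability in tool_operate.c "
                "in curl 7.65.2 via a large value as the retry delay."}],
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
        }},
        {"cve": {  # hypothetical placeholder record, not a real CVE
            "id": "CVE-2023-99999",
            "published": "2023-09-01T00:00:00.000",
            "descriptions": [{"lang": "en", "value": "Placeholder: auth bypass in an example service."}],
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.1}}]},
            "cveTags": [],
        }},
    ]
}

if __name__ == "__main__":
    for row in triage_feed(SAMPLE_FEED):
        print(row)
```

On the sample feed the curl entry comes out as disputed, backdated by three years and routed to "review" despite its 9.8 score, while the undisputed placeholder keeps its "patch-now" action. The point of checking both the description prefix and a tag field is that NVD has changed how it exposes the dispute over time, and a scanner that keys only on CVSS never sees either.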