A question for anyone with CNA experience: how quickly can you go from verifying that a vuln exists (“shit! this disclosure pans out, sound the alarm”) to getting a CVE assigned and made public? I’m interested in both the ideal case, as well as a more typical real world timeline. What factors might accelerate or delay a public CVE assignment?
cc: @todb @screaminggoat
@dreadpir8robots @todb I haven't gone through a vulnerability disclosure process myself but have seen vulnerabilities reported in real time.
Here was an example from April this year: https://infosec.exchange/@screaminggoat/112300346821676943 cc: @h4sh who got the CrushFTP zero-day assigned CVE-2024-4040
I am under the impression that if the software vendor is a CNA themselves (a CNA partner whose scope includes the product affected by the vulnerability on the List of Partners), a vulnerability reporter would have to perform their due diligence to work with them in getting the vulnerability identified/confirmed/fixed/assigned a CVE. The last-resort CNA would be MITRE (or even HackerOne?) if the CNA doesn't respond to contact requests within a reasonable timeframe.
One more example that I was able to find: https://infosec.exchange/@screaminggoat/112130101612487106. A vulnerability reporter reached out to the vendor, who didn't respond, and after having issues communicating with MITRE, KoreLogic reached out to Austin Hackers Anonymous @AustinHackers to get a CVE assigned (CVE-2024-2054) for an unpatched Artica Proxy Unauthenticated PHP Deserialization Vulnerability.
@buherator @dreadpir8robots @h4sh @todb For clarification, what organization is FD? I can't think of the abbreviation right now for the life of me.
@dreadpir8robots @todb @screaminggoat Like, if you 1) are a CNA and 2) can get in touch with the vendor quick enough for them to acknowledge the vulnerability exists - 24 hours?
If information about a vulnerability is already out there (e.g. on a hacking forum, GitHub or some guy's blog) and the vendor is not a CNA, then publishing the CVE is just filling out a form and it takes less than 10 minutes.
As an individual researcher or a security company that does research, you can become a CNA - MITRE actively wants more CNAs so that information can spread faster in a more decentralized yet structured manner. The only thing is to not step on another CNA's scope, and that's usually when they are the vendor.
I've had people disclose vulns to me that they found and there's already a patch for on GitHub I can use to validate; the vendor wasn't a CNA, and the entire turnaround was 20 minutes.
@screaminggoat @todb @h4sh I suppose things get much spicier if a zero-day vuln gets disclosed or if there’s widespread exploitation.
I realize I wasn’t considering this so much from the point of view of the researcher/reporter, but rather a vendor who is themselves a CNA, and is faced with widespread exploitation.
It’s fairly easy to find points of view of researchers frustrated with coordinated disclosure (often understandably so), but it’s perhaps unsurprising that it’s rarer to see larger entities/CNAs talking about challenges they may face from that perspective.
@screaminggoat @todb @h4sh @AustinHackers AHA! I remember seeing this before: https://www.cve.org/Media/News/item/news/2023/02/07/Austin-Hackers-Anonymous-Added-as
@h4sh @todb @screaminggoat Appreciate the insights. That’s awesome in every way, cheers. 20 minutes!
If the vendor is a CNA and well-resourced and consensus is that there’s widespread exploitation by state-backed APTs… I’m thinking the vendor would want a CVE assigned and public ASAP. Damage is done at this point, so a CVE seems like an important part of damage control.
…and no, I’m not sitting on news of anything here, I just got to thinking about the process and how I only see it from a vulnerability management perspective, so I’m interested in how others see it, and what challenges might exist which aren’t obvious to me.
Google Project Zero's coordinated vulnerability disclosure for critical vulnerabilities under active exploitation updated 11/29/2021: https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-faq.html
Google expects that vendors will address an actively exploited vulnerability within 7 days. This is in contrast to the 90-day time period used for vulnerabilities that are not categorically known to be under active exploitation.
Google security blog from 05/29/2013: https://security.googleblog.com/2013/05/disclosure-timeline-for-vulnerabilities.html
Seven days is an aggressive timeline and may be too short for some vendors to update their products, but it should be enough time to publish advice about possible mitigations, such as temporarily disabling a service, restricting access, or contacting the vendor for more information. As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.
Rapid7 CVD for "Exploited In the Wild" (no date): https://www.rapid7.com/security/disclosure/
Rapid7 will aim to notify CERT/CC and publish public vulnerability information approximately 72 hours after discovery, regardless of the existence of an update.
I've seen a vulnerability reporter immediately drop details and proof of concept when a CNA denied that there was a security issue: https://twitter.com/filip_dragovic/status/1767328563148231013 (timeline from publicly disclosed 11 March 2024 to patch/CVE announcement 22 March 2024 was 12 days)
@screaminggoat @todb @h4sh What if there's obvious exploitation but no white/grey hat researchers with a PoC in the mix who might tell the vendor, and the vendor hasn't reproduced it either yet but can clearly see from telemetry that the Bad Thing is happening? Do they still issue a CVE immediately? Might be murkier: what if it's two or more vulns? What do you say if you can't clearly describe it? etc.
@dreadpir8robots @todb @screaminggoat seconds / minutes I would say. It is all automated.
@dreadpir8robots @h4sh @todb From start of the year until now, a lot of software vendors have tried their darnedest to keep the zero-day exploitation under wraps until they released patches:
...I FORGOT HOW CRAZY JANUARY WAS
I'd type more but the ones that stand out were Ivanti, Palo Alto Networks (CVE-2024-3400) and Cisco (CVE-2024-20353 and CVE-2024-20359) for confirming unpatched exploited zero-days.
@dreadpir8robots @screaminggoat @todb That's pretty much what happened with the recent Palo Alto unauthenticated RCE activity. They first published their own security advisory (PAN-SA-2024-0015) that's not a CVE, told customers to remove internet access to the management interface, and then figured out details for CVEs and published them in the next few days. It turned out to be two different vulns (CVE-2024-0012 and CVE-2024-9474).
The turnaround between active exploitation (exploit sold on forums, around Oct 31) and the CVEs being assigned (19 Nov) was roughly 20 days. I believe that was an honest effort on behalf of Palo (they didn't try to cover it), but it was still a bit too long.
@h4sh @dreadpir8robots @todb I was unaware that the exploit was being sold on forums; do you have any open source articles that screenshotted that?
@screaminggoat @dreadpir8robots @todb SOCRadar's weekly on Nov 4 had a screenshot of the feed they published on 31 Oct (not sure if that's the same day the forum post went up; it could be a bit delayed since scraping takes time).
https://socradar.io/android-rat-tool-asus-taiwan-access-and-palo-alto-exploit-detected-on-dark-web/
@dreadpir8robots @h4sh @todb @buherator this gives me the idea of keeping a running timeline of zero-days for 2025. I know a lot of cybersecurity companies just announce the number, but seeing the monthly activity and vendors/products and country attribution could be more informative.
@h4sh @dreadpir8robots @todb Threat actors must have a lot of faith and trust in their fellow cybercriminals. Who is willing to drop several Gs for an unconfirmed and unproven exploit? I'm risk-averse so I'd think 50% of these sales were scams.
@screaminggoat @dreadpir8robots @todb Yea, unless the forum is trustworthy and there's an escrow, and the person selling has good rep. I wish SOCRadar would publish which forum the posts are from (I am not sure, but from the white background it could be xss.is, which has a stricter bar of entry).
There are a lot of obviously fake PoC sales going on on GitHub, but in more exclusive forums it may be legit. The best way to disrupt those places is to dilute the marketplace with more scammers, which I'm not sure anyone is doing.
@h4sh @dreadpir8robots @todb No mention of what he did with the information but this guy recently claimed to have "hacked 100 hackers" on BreachForums using a backdoored ransomware builder https://corneacristian.medium.com/how-i-hacked-100-hackers-5c3c313e8a1a
@screaminggoat @dreadpir8robots @todb Beautiful. I mean, he might as well sell a "backdoor" and the people who run it are indeed getting what they are paying for XD
@h4sh @screaminggoat @todb GH PoC is like eating candy you find on the sidewalk. It might be yummy! It might be safe! It might do nothing! It might be fatal! Of course, safest choice is not to eat it, but if you must, test it in a lab first.
@screaminggoat @h4sh @todb I missed any sneakiness around that Chrome one.
@screaminggoat @h4sh @todb @buherator good call. It always feels like we’ll remember each thing forever when everything’s popping off, but then approximately a million other things happen. Year in review stuff is always interesting, and that sort of writeup is always enriched with a timeline.
@dreadpir8robots @h4sh @todb Mostly included while digging through the memory palace for zero-days.
The more egregious Chrome ones occur at 4-5pm U.S. Eastern. My RSS feed is relatively unreliable for Google Chrome, and I've resorted to checking out @browserversiontracker (run by @ruario) for any signs of sudden Chromium updates.
@bagder @todb @screaminggoat Thanks. I suppose it would be strange if it wasn’t quick. I should dig into CNA documentation at some point to learn more.
Belated congratulations on the curl project becoming a CNA! Hopefully prevents repeats of CVE-2020-19909 etc.
@dreadpir8robots @todb @screaminggoat thanks, and yes that is certainly one of the primary points with curl becoming a CNA.