Did I miss that CVEs are allocated for supply chain compromises nowadays?
-
RE: https://mastodon.social/@cisakevtracker/116647846381979235
Did I miss that CVEs are allocated for supply chain compromises nowadays?
@GossiTheDog Yes, since 2017ish, for example
-
RE: https://mastodon.social/@cisakevtracker/116647845255291135
It's not isolated, e.g.
There's a whole bunch of these now, it looks like companies are just yolo'ing out CVEs for other companies products.
@GossiTheDog They found a way to justify AI costs?
-
RE: https://mastodon.social/@cisakevtracker/116647845255291135
It's not isolated, e.g.
There's a whole bunch of these now, it looks like companies are just yolo'ing out CVEs for other companies products.
@GossiTheDog yeah, and a whole bunch of Open Source projects have had to become CNAs to keep others from issuing bullshit CVEs. Hence https://daniel.haxx.se/blog/2024/01/16/curl-is-a-cna/ and http://www.kroah.com/log/blog/2024/02/13/linux-is-a-cna/ . Between that and NVD issuing CVSS scores that don't match what SMEs evaluate the same bugs as, and for that matter CVSS just being kind of bad in several ways, the whole scheme is starting to reek.
-
R relay@relay.infosec.exchange shared this topic
-
RE: https://mastodon.social/@cisakevtracker/116647845255291135
It's not isolated, e.g.
There's a whole bunch of these now, it looks like companies are just yolo'ing out CVEs for other companies products.
@GossiTheDog
A CNA that is of organization type "Researcher" can issue CVEs for anything not explicitly in another CNA's scope.
Kaspersky is one such CNA.
-
RE: https://mastodon.social/@cisakevtracker/116647846381979235
Did I miss that CVEs are allocated for supply chain compromises nowadays?
@GossiTheDog Makes sense to me.
CVE are regularly used to actually block deployment pipelines, which is a useful function for mitigating supply chain vulnerabilities.
More generally, I wouldn't want to be forced to distinguish between active and passive threats and then not be able to label the active threats in a standard way.
-
RE: https://mastodon.social/@cisakevtracker/116647846381979235
Did I miss that CVEs are allocated for supply chain compromises nowadays?
@GossiTheDog makes sense though if the package/software version is compromised? Whether the vulnerability stems from a bug or deliberately placed malware or backdoor, they are all vulnerabilities of some sort.
-
@GossiTheDog makes sense though if the package/software version is compromised? Whether the vulnerability stems from a bug or deliberately placed malware or backdoor, they are all vulnerabilities of some sort.
@GossiTheDog they could of course also contribute to OSSF's malicious package DB instead. If it is a package like tanstack.
-
@GossiTheDog they could of course also contribute to OSSF's malicious package DB instead. If it is a package like tanstack.
@GossiTheDog the XZ backdoor for instance also got a CVE (CVE-2024-3094).
-
RE: https://mastodon.social/@cisakevtracker/116647845255291135
It's not isolated, e.g.
There's a whole bunch of these now, it looks like companies are just yolo'ing out CVEs for other companies products.
@GossiTheDog Yeah its weird but it started last year from what I can tell.
Guess malware is a vulnerability now
-
RE: https://mastodon.social/@cisakevtracker/116647845255291135
It's not isolated, e.g.
There's a whole bunch of these now, it looks like companies are just yolo'ing out CVEs for other companies products.
@GossiTheDog Weelll... If a particular version of a product has been Trojanized due to a supply-chain attack, it could be argued that this version contains a vulnerability now, no? And vulnerabilities are assigned CVEs.
-
RE: https://mastodon.social/@cisakevtracker/116647845255291135
It's not isolated, e.g.
There's a whole bunch of these now, it looks like companies are just yolo'ing out CVEs for other companies products.
@GossiTheDog It's because of this, prolly. They've been added to the KEV so CISA can force agencies to clean out artifacts/compromised systems
-
@GossiTheDog It's because of this, prolly. They've been added to the KEV so CISA can force agencies to clean out artifacts/compromised systems
@campuscodi it's pretty odd. They're not vulnerabilities... if you were affected, it'd be an incident - not an upgrade. CISA need to build a better system and process.
-
@campuscodi it's pretty odd. They're not vulnerabilities... if you were affected, it'd be an incident - not an upgrade. CISA need to build a better system and process.
@GossiTheDog @campuscodi you're not wrong, but it seems CVEs are the go to mechanism for any security issue of software dependencies.
