Did I miss that CVEs are allocated for supply chain compromises nowadays?
-
RE: https://mastodon.social/@cisakevtracker/116647845255291135
It's not isolated, e.g.
There's a whole bunch of these now, it looks like companies are just yolo'ing out CVEs for other companies' products.
@GossiTheDog
A CNA that is of organization type "Researcher" can issue CVEs for anything not explicitly in another CNA's scope.
Kaspersky is one such CNA.

-
RE: https://mastodon.social/@cisakevtracker/116647846381979235
Did I miss that CVEs are allocated for supply chain compromises nowadays?
@GossiTheDog Makes sense to me.
CVE are regularly used to actually block deployment pipelines, which is a useful function for mitigating supply chain vulnerabilities.
More generally, I wouldn't want to be forced to distinguish between active and passive threats and then not be able to label the active threats in a standard way.
-
RE: https://mastodon.social/@cisakevtracker/116647846381979235
Did I miss that CVEs are allocated for supply chain compromises nowadays?
@GossiTheDog makes sense though if the package/software version is compromised? Whether the vulnerability stems from a bug or deliberately placed malware or backdoor, they are all vulnerabilities of some sort.
-
@GossiTheDog makes sense though if the package/software version is compromised? Whether the vulnerability stems from a bug or deliberately placed malware or backdoor, they are all vulnerabilities of some sort.
@GossiTheDog they could of course also contribute to OSSF's malicious package DB instead. If it is a package like tanstack.
-
@GossiTheDog they could of course also contribute to OSSF's malicious package DB instead. If it is a package like tanstack.
@GossiTheDog the XZ backdoor for instance also got a CVE (CVE-2024-3094).
-
RE: https://mastodon.social/@cisakevtracker/116647845255291135
It's not isolated, e.g.
There's a whole bunch of these now, it looks like companies are just yolo'ing out CVEs for other companies' products.
@GossiTheDog Yeah, it's weird, but it started last year from what I can tell.
Guess malware is a vulnerability now

-
RE: https://mastodon.social/@cisakevtracker/116647845255291135
It's not isolated, e.g.
There's a whole bunch of these now, it looks like companies are just yolo'ing out CVEs for other companies' products.
@GossiTheDog Weelll... If a particular version of a product has been Trojanized due to a supply-chain attack, it could be argued that this version contains a vulnerability now, no? And vulnerabilities are assigned CVEs.
-
RE: https://mastodon.social/@cisakevtracker/116647845255291135
It's not isolated, e.g.
There's a whole bunch of these now, it looks like companies are just yolo'ing out CVEs for other companies' products.
@GossiTheDog It's because of this, prolly. They've been added to the KEV so CISA can force agencies to clean out artifacts/compromised systems
-
@GossiTheDog It's because of this, prolly. They've been added to the KEV so CISA can force agencies to clean out artifacts/compromised systems
@campuscodi it's pretty odd. They're not vulnerabilities... if you were affected, it'd be an incident - not an upgrade. CISA need to build a better system and process.
-
@campuscodi it's pretty odd. They're not vulnerabilities... if you were affected, it'd be an incident - not an upgrade. CISA need to build a better system and process.
@GossiTheDog @campuscodi you're not wrong, but it seems CVEs are the go-to mechanism for any security issue of software dependencies.