
Finding, Getting and Publishing CVEs

BSides Edmonton · 2018 · 55:12 · 211 views · Published 2018-09
Style: Talk
About this talk
Speaker Bio: Kurt Seifried is an information security strategist with real-world experience: #DWF, #CVE, Director of IT at the Cloud Security Alliance, Open Source Security Podcast #osspodcast, 6000+ CVEs assigned, formerly responsible for a pile of cloud products at Red Hat Product Security. Disclaimer: BSides Edmonton makes no claim to copyright on your material and makes this request only to benefit the community. The presentation and videos are opinions of the presenter, and BSides Edmonton is not legally responsible for invasion of any privacy of any entity (including, but not limited to, IP addresses, organization names, images, videos, exploits, vulnerabilities).
Transcript [en]

So I'm just going to start a timer so I don't run out of time. Finding, Getting and Publishing CVEs. Bluntly: what is a CVE, and why do people keep bugging me about them? This is the one slide I have to read from, I apologize. Do you remember those flaws in Intel CPUs? Who here has had to deal with flaws in Intel CPUs recently? Okay, so we've got Spectre, Meltdown, Foreshadow, how many am I forgetting about? Yes, correct. And who remembers the one that broke ASLR via the MMU? Right, exactly. That's the most recent one, Foreshadow... no, sorry, that's last year's one, CVE-2017-5925, and hands up if anybody knows whether or not it got fixed. No, it did not get fixed, not by the CPU vendors. So basically there's CVE-2017-5926, 5927 and 5928 for them, 5928 being for the browsers. The browsers fixed it by, remember, they took away our high-accuracy timing functionality. So who fixed that? Well, for example, if you look at SUSE's page on their CVE, they marked it "won't fix", as did many vendors, because quite frankly ASLR is broken, so we've given up on it.

But the point of this is that without CVEs, looking up this information becomes nigh impossible, whereas with the CVE you have a lovely screen like this with the description, you know, page table walks, blah blah blah, boring, but more importantly those links at the bottom. So if you click on them you end up here. This is the AnC, the original project page, and a little snippet from it where they talk about how "some processor vendors agreed with our findings that ASLR is no longer a viable security defence, at least for the browsers; others did not dispute our findings." I love that: they didn't argue too much, so it must be real. "From the browser vendors, most found our paper relevant" and did something with it. And then to track this we have those four CVE numbers: one for Intel, one for AMD, one for ARM, and one for all the browsers. This is not an uncommon case. If you've dealt with Spectre or Meltdown or Foreshadow or whatever, you know this is becoming more and more the common case: everything's interlinked and interrelated in just a giant mess.

So what's the source of truth for CVE? A lot of people use CVEs; who has the truth? Well, the answer is simple: it's the MITRE Corporation. Technically speaking MITRE is a non-profit entity, not the US government; it's just that they get all their funding from the US government, about four billion a year, and they run a bunch of projects for the US government, including a bunch of cybersecurity projects like the CVE program. So they ultimately hold the true source of truth for CVE, and that would be at cve.mitre.org. Then there's a bunch of people who republish it. Probably the one most of you use, and that I use, is the National Vulnerability Database. Hands up, who knows the NVD from NIST intimately? Right, everybody. The reason for that is simple: NIST adds a whole bunch of useful information to make CVE more palatable. They add the CVSS scoring, so on a scale of zero to ten, how badly does this hurt? They add the CPE data, which is the product information: is it the Linux kernel, is it glibc, which version of Windows is affected? And then there's a whole pile of people who republish stuff, like CVE Details and all these other sites, which, to put it bluntly, are not a source of truth, in the sense that they're probably correct, they may not be, I don't know. We don't track them; we don't make sure that they're correct. So I would say if you're dealing with CVE, please go to either the MITRE CVE database, which is the true truth, or the NVD, which is very good; they pull from it.

But one little dirty secret is that the NVD really only cares about the stuff that the US government cares about; that's literally what they're paid to care about. So when they do an analysis of a vulnerability, like to add the CVSS scoring, they will do that for Windows and Linux and large enterprise projects that the government uses, but for a PHP script thing, yeah, the US government doesn't care in most cases. So the data that you're kind of relying on the NVD to add may not be added soon, if ever, because there's tens of thousands of CVEs a year now; well, just over ten thousand, about eighteen thousand last year. So please go to the original source of truth, start your investigation there, to make sure that you're not chasing... I've seen some sites that republish CVE data and they drop stuff, or they add stuff that isn't correct, and that's even worse, because then you chase down a rabbit hole only to find out that it has nothing to do with what you thought you were trying to deal with.

So let's get to the meat of the talk: finding a CVE. How do we find a CVE? Actually, quick question: has anybody here ever found a vulnerability or an exposure and gotten it a CVE? Awesome. So that's the first thing: vulnerabilities and exposures. We're all pretty familiar with vulnerabilities: we're talking remote code execution, or the attacker can escalate privilege, or the attacker can send a wonky ping packet to your server and your server tips over and dies. Vulnerabilities tend to be pretty clear-cut. Simply put, does the attacker do something bad, yes or no? Do they do something they really shouldn't be allowed to do? I'm not going to bore you with how you actually find vulnerabilities, because I'm sure most of you know how. As an aside, if you want to rack up a quick CVE count, just go through GitHub and search for terms like XSS or buffer overflow. People fix these things and label them as such, but they don't bother to get CVEs for them. So if you want to get a whole pile of CVEs to your name, literally, that's the quickest way to do it.

Now, exposures. What's wrong with this picture? Are those keys secret anymore? No, exactly. So exposures don't typically allow an attacker to get directly into a system or to directly escalate privileges. But going back to my first example, ASLR, address space layout randomization, we used to think was amazing because it made the exploit code fail: you'd exploit a problem, overwrite a buffer, you'd push in your shellcode and you'd call it, and it wasn't there, and you couldn't find out where it went. It was literally in some random place, and you could theoretically try and brute-force it, maybe, but that's not going to work well. Yeah, as it turns out, with ASLR you can determine the layout of memory through a whole pile of attacks; just search the CVE database for the term "ASLR bypass". So we've learned, for example, that ASLR no longer works as well as we thought it did, because there's all these exposure bugs where you can determine how memory is laid out. I've seen things like database exposure of hashed passwords; not always terrible, except when they're just MD5 hashing them, and then everybody in here with a laptop can now brute-force those, because you have a laptop.

CVE counting and inclusion rules. This is intentional: there's a lot of text, it's very detailed, but honestly what it really boils down to is a couple of main things. Number one, for inclusion: currently we cover traditional software and hardware, so on-premises. We don't yet officially cover CVEs for services; that's coming, we're working on it. But basically the first thing is, is this something that a customer actually acquires and runs and can do something about? The second thing is, is this something we cover? Traditionally it meant enterprise software, stuff the US government cares about: Microsoft, Linux, blah blah blah. Obviously that scope is expanding. There's a ton of IoT stuff coming out of China, some of it's in my house, and there's no CVE coverage for that. I try not to think about it, because honestly I can't do anything about it. So that's basically: do we cover this with CVE or not? Then the second aspect of that is what's called a CVE Numbering Authority. So Microsoft is a CNA; they cover Microsoft products. Red Hat covers Red Hat, Oracle covers Oracle.

And then, as far as counting goes, splitting and merging. There's never just one vulnerability. Anybody who's looked at or dealt with computer bugs knows there's never just one bug; if there's one bug, there's more bugs. It's like cockroaches or ants in your house; it's not like one little guy just happened to wander in from South America and took up residence, no, you've got to tear down your walls and get all the bugs out. So this is a very common case. The Intel stuff is a great example, because now that people know to look for these types of side-channel attacks and all this monkey stuff, we're up to about, what is it, 15 or 20 of them, and there's just going to be another dozen every year; that's just a fact of life now. So how do we split and merge these? The answer is really simple: does it add value? If you audit a PHP application you're going to find a pile of cross-site scripting vulnerabilities, because that's how PHP works. So is there really any value in: oh, you found 10 cross-site scripting vulnerabilities in these different parts of the PHP script, we're going to assign 10 CVEs? Well, no, because ideally what'll happen is you find 10 vulnerabilities and then the next release fixes 10 vulnerabilities. Hopefully; it doesn't always happen. So ideally we merge all those vulnerabilities into one CVE, we treat it as a package deal, and move on.

If you've ever looked at CVEs you'll see the phrase "CVE-so-and-so is assigned as an incomplete fix for this other CVE". So what'll happen is somebody will find, myself speaking, I found 13 temporary file creation flaws in a piece of software, pulled them, they had to fix them, they said yes, we'll fix them. They fixed six. Good start. They released an update saying "we fixed all the ten flaws", and, like, really, did you? And I checked, and of course they fixed six. So I assigned a second CVE saying there's still seven remaining, can you guys please fix them for real this time? They're like, oh, we promise, yes we will. They released an update saying yes, we fixed all of them, we promise. And I'm like, I checked the code, there's still three. I'm like, okay, we're almost there, this is progress. Third time's a charm, and they got all the remaining three. But as a customer using that software, well, which version actually has all of these things fixed? So it simply boils down to: we bucket up the CVEs so that each class of vulnerability... so if you have cross-site scripting and a buffer overflow, those are very different, very different impacts, very different exploit models, so it makes sense to split them. Because as a company, chances are you'd be like: XSS, whatever, the web thing deals with that, we've got some magic Cisco appliance that claims to magically deal with this, and it probably does. But the buffer overflow, oh, that's bad, that's a bad guy getting in and taking over our server. And the second main bucket we do is which version is affected. My favorite is the Linux kernel: oh, we found a flaw in it. Well, what versions does it affect? Oh, it affects these versions. Oh, and while we were looking we found this other related flaw, but it affects a different set of versions, because that code was added six months later. So it becomes very important when you're tracking this stuff, especially in the enterprise world, to know which versions actually fix this stuff. So that's splitting and merging in a nutshell.

So let's make a CVE. First question: when should you ask for a CVE for your vulnerability? And the simple answer is as soon as possible, please, because it makes talking about it and tracking it so much easier. This is public now, so I don't know if anybody remembers the glibc stack guard stuff from, what was it, two years ago, I want to say, or a year ago. Anyway, Qualys did some really good research and found a flaw in glibc's stack guard page. The idea is you have this one-megabyte stack guard page which, if the attacker touches it, we know something bad happened and we stop them. Awesome. They found you could literally jump over it. Okay, cool. And they came with a proposed solution, and everything was awesome until one of our really smart guys, Florian Weimer, looked at it and went: no, their problem is wrong, because there's three problems, and their solution is wrong, because we'll have to make the stack guard page three and a half gigabytes per process for it to work. And oh yeah, did I mention we now have... actually, I found two more problems, so now we have three problems. So talking about these problems: when I say "the Qualys stack guard thing", the one that they found originally? No, maybe... or was it? No, it's the second one that Florian found and mentioned. It becomes impossible to have a meaningful conversation, whereas CVE-2016-1234 and 1235 and 1236, they're scoped, they're defined; we can talk about what we're talking about. So basically, please, please put a CVE number on it as soon as possible, especially if the vulnerability is not yet public. If it's an embargoed or private vulnerability still and you have to talk to other people, it's so much easier when you have a CVE, because literally we all know what we're talking about. And most people have to handle more than one security flaw at a time. A vendor like Red Hat, and I left in June, but essentially the trend was Red Hat Product Security was handling roughly 3,000 vulnerabilities a year. Yeah, so we're handling a lot of vulnerabilities. A company like Microsoft is around a thousand. If you look at even some of these open source projects, they have hundreds of vulnerabilities per year, because of just the size and scope of what they build; it's complicated and there's flaws. So please, I can't stress enough, ask sooner rather than later.

The second step is: does the CVE already exist? I've had a lot of people ask for a CVE for something where we already have a CVE for that. The challenge there, obviously, is if we have duplicate CVE entries, it makes a mess. The good news is I convinced MITRE to move all of the data into GitHub. Now it's in git and we can update it. That's the one dirty little secret: the old MITRE CVE database had no update mechanism. Every entry had some data, but there was no field to specify that this has been updated on this date. So I actually at one point had manual tools that would download the database every hour, compare it to the previous version and show me the differences: what was added, what was deleted, what is new, whatever. So now that we're in GitHub, obviously, if you're familiar with git, it's really, really easy to look at a file or a set of data in git and be like, what has changed since Thursday, or has it changed at all?

If you're getting a CVE, who is in charge of that software? As I was saying: scope. The idea of scope is that a company like Microsoft in theory knows their software the best and can best handle and assign the CVE for that security issue. Same thing, ideally, with Red Hat or with Oracle or with whomever. So the basic premise is, when you find a CVE in a piece of software that has a CVE Numbering Authority in charge of it, you have to go to them first. And also, obviously, we want people to report vulnerabilities to the vendors, to the projects, to the upstream, so that they can get fixed. Who here has seen a security flaw talked about online and nobody told the project? That's sadly quite common with some things. I love people to find vulnerabilities; that is something that we need more people to do, but we also sort of need them to tell the people in charge of that software about it, so that maybe they have a chance to fix it, because otherwise we're just kind of being jerks. So right now there's a CNA scope document that's terrible, because it says things like, for example, Airbus is a CVE Numbering Authority and Airbus covers all of their own products and all of their suppliers. Now, who here knows who Airbus's suppliers are? Nobody. Of course nobody knows who their suppliers are; probably Airbus doesn't even know fully. So again, this is a project: we have a specific project called the CVE user registry, where the premise is everybody involved in the CVE project will have to declare who they are and what they cover. Red Hat, for example: when I left there were 110 or 120 commercial and 126 GitHub organizations that I managed to track down, so Red Hat has this huge footprint of stuff. Same thing with Microsoft: who here has heard of Great Plains software? Well, Microsoft bought them, apparently 10 or 20 years ago; I really had no idea. Or I remember once I was looking at Snort, and I'm like, why does the Snort page say Cisco now? What? Oh wait, what happened? So ideally we're going to have a registry with URLs of the products, with the names of products, so that you can easily take a piece of software and go: who's in charge of this? And if there is somebody in charge of it you'll be able to figure it out in a few seconds, and if not, we have what are called the CNAs of last resort. It's a scoping thing that I'll get into in a sec.

But simply: what is the minimum CVE entry? Does anybody offhand know? Well, it's what you literally saw in that previous screen. You have to have a CVE ID. You have to have a product name and version, obviously; we've got to know what we're talking about. You have to specify a problem type, which is not entirely true; there's a lot of CVEs in the CVE database, I don't know if you've looked at Oracle stuff for example, where an unknown flaw, unknown impact, exploitable through unknown means, has this terrible effect. Like, thank you, Oracle. And in fairness, what are you going to do? Either you apply the patch or you don't; there's really not a lot you can do with some vendors. So ideally there's a problem type: buffer overflow, cross-site scripting, temporary file, whatever. There's that text-based description, which doesn't have to, but ideally also includes an impact: does this result in code execution, does it result in the server catching fire, does it result in whatever. And then the references, which is the URLs, which, if you've ever had to investigate a CVE, those are the gold; that's what you want, those references, so you can go spider out and start looking at stuff. And then finally, of course, it needs an assigning CNA: who actually assigned the CVE? They can't just appear out of nowhere.

So currently we're working on federating the CVE hierarchy. If you look at it currently, it looks like this: it's MITRE, everybody; it's a completely flat structure. What we want to move to is where we have the primary CNA, which would be MITRE probably, and then, for example, we're hoping that JPCERT will take over the Japanese market, because they speak Japanese and they live in the same time zone. For anybody who has had to deal with people in Asia-Pac, you know that the time zone thing is a huge problem, and the language and culture thing is very different. I come from the open source world, and the way open source handles security, I can guarantee you, would not fly at all in Japan; culturally that would be a no-go. Same thing for aerospace: aerospace isn't going to be like, oh sure, yeah, whatever, publish the details, it's fine, we'll fix it later. They're going to get sued. Same thing with pharmaceuticals and medical. Who here remembers the whole St. Jude pacemaker debacle? Somebody claims they found a flaw, the pacemaker company came out really hard saying no you didn't, and well, it turns out they did find flaws that were really, really bad. So the idea is we'll have these hierarchies. We have one for open source right now, and longer-term we're hoping that IoT, medical devices, aerospace, and also geographic ones, because, like I said, I don't speak Mandarin or Cantonese, and we've dealt with people there who don't speak English, and Google Translate is great and all, but not that great. So this is something we're working on.

Sadly, this guy has more automation than we do. Currently, you're going to see, I'm going to live-assign a CVE and you're going to see the horrifyingly manual process that we have, or that I have, and most companies don't have anything that much better. But yeah, right now publishing to the CVE database looks basically like: you hand it off to a CVE Numbering Authority and hope they do the right thing, and in some cases that's me, and I apologize, I'm terrible. Again, we're working on automation. I got them to put this thing in GitHub, so at least now you can get a read copy of the data very easily, and longer-term we will be granting more people access to write to the data, which is something we just didn't have in the past. If anybody here has been doing CVEs for more than 10 years, you'll remember there was a really bad period, between about 10 and 6 years ago, where getting CVEs and getting them published took forever, and the reason was simple: MITRE lost a bunch of their funding, they had like one or two guys working on it. So yeah, that's what happens when you have one or two guys working on a project: it gets slow and stuff would just disappear into the MITRE hole. You'd send them a CVE request and it's gone for three months or a year, whatever, who knows. At least now that it's in GitHub you can sort of see what's going on, to a degree.

So finally, publishing your CVE to the world. Number one: get your CVE as early as possible. Number two: use it. Ideally, in a perfect world, put it in the git commit. Now, realistically, a lot of people find and fix security flaws very quickly, or sometimes they fix a flaw, don't realize it's a flaw, and then somebody else comes along and goes, hey, that code commit you committed is really awesome because it fixes a security flaw, and you're like, what? Oh yeah, I think... I'm not sure, is that good? But publishing it as soon as possible and using it widely makes life so much simpler. If you have the CVE in the changelog, the release notes, the documentation, in your database, whatever, it just makes it so much easier, especially now that with open source it's not like it affects one person. Something like the Linux kernel, glibc, OpenSSL: everybody ships that. OpenSSL is a great example. How many of us own a TV? Okay, you all have OpenSSL on your TV, because all the other SSL implementations cost money. So when you build a TV and you need to put SSL and TLS into it, which you have to do now, because it has to be able to do Skype and Roku and Netflix and all that other stuff, it has to have an SSL/TLS client. Well, are you going to pay money for it or use OpenSSL? Well, everybody uses OpenSSL. Same thing with cars.

So, demo of a CVE assignment. Basically, I run the Distributed Weakness Filing project, which is a fancy way of saying open source CVEs; it's a holdover from my work at Red Hat. So I actually have to pull up that page image. Literally, if you want to get a CVE for open source and it's not covered by a CNA (so, for example, Red Hat is a CNA that covers their open source stuff, Kubernetes is a CNA, they cover Kubernetes, but if there's not a specific CVE Numbering Authority for that software), go to iwantacve.org and you'll see this form. I ask things like... oh, that's terribly small, sorry, but you'll basically see I ask for things like: is this open source? I've actually had people request CVEs for things that are not open source, and I'm like, I can't help you, sorry. And then I'll ask you for things like: what's the name of the product? Who's the vendor? What version is affected? Do you know? Please tell me, because if you don't know, then we have a problem. What is the vulnerability? A lot of people will find a problem like, oh, I made the program crash. Cool, good for you. Is it reproducible? Is it something actually bad? I remember there was a piece of software that turned a specific file format for sheet music into PDF files, so you could write up a score and then turn it into a PDF and print it. Nice. And you can make it crash with a wonky file. Cool. The response from the CVE community is: don't do that. Don't open that file again. If you open a file in that program and it crashes, well, just stop doing that. Versus, let's say, a web browser. Now, should a web browser be able to open literally any web page full of God knows what and not crash? The answer is yes; that is expected behavior. Should you be able to open an email, no matter how badly formatted, and your email client doesn't go nuts? Well, yeah, that's expected behavior.

So I basically ask for a bunch of information and it gets chucked into a spreadsheet that literally looks like this. It's a bit out of order, but basically there's the timestamp, there's who requested it, there's the vendor of the project, the URL of the product, because sometimes I have to go check and make sure it's actually open source. And I'm flexible that way: if it's OSI licensed, for sure, cool; in other cases, whatever, close enough is close enough. What's the vulnerability type? As you can see there's a nice selection of different vulnerabilities. What's the affected component? Have you actually narrowed it down a bit? And in some cases you can see they haven't; they're just like, whatever, the whole thing is affected. What's the impact of exploitation? Again, if you can't clearly articulate and say "I did X which caused Y, and Y is bad because...", then maybe it's not really a security flaw. But most security flaws, like ninety-nine point eight percent of them, are really simple: I made it crash, I made it do what I wanted to do with code execution, I read your passwords. It's not rocket science. Ideally an attack vector, because again, I remember some PHP apps where, oh, if you're the admin you can do a cross-site scripting vulnerability by putting up these custom web pages, and I'm like, yeah, that's about right, that seems reasonable. And in other cases they explicitly say no, the administrative user should not be able to do this, that, the other thing. Oh, okay, that's a flaw, as defined by your sort of security profile.

Then I ask for references, and this is always lovely, because some people have a habit of putting stuff into YouTube videos and sending that, which sucks, because I have to watch a YouTube video that's really badly made and you can barely read the text, but I can't cut and paste, and it's not accessible. That's something, as I get older, I'm beginning to realize: accessibility matters. We don't want to lock blind people out of the security community; that I feel would be kind of a jerk move. So one thing I'm pushing for is some form of a rule that will say, when you submit data for CVEs, like reference URLs, I don't know exactly what the rules will say, but something like you have to be able to cut and paste, or, I mean, it can't just be a screenshot of a PDF of text; again, I've had people send that. Ideally more than one reference URL. And then there's my stuff, my notes, and how terrible this is. As you can see there's a bunch of stuff I've rejected, like one request there at the top: it lacks a request URL, and Jeremy sent me a new one.

But here's my favorite request this week. This guy sent me a request for a Python software, and one thing I've noticed is, when it comes to people claiming flaws in big projects like Python, they're either totally correct or totally nuts. This guy turns out totally correct. So he's like, hey, there's a flaw in Python, in CPython, which we all use and love, Python is awesome, and "fixed version: after commit so-and-so". Oh my goodness, that's lovely. Vulnerability type, good lord, he's actually got it there nicely: CWE-77, improper neutralization of special elements used in a command, also known as command injection. We're on fire. Affected component, good, like seriously: the shutil module's make_archive function. He's narrowed it down. It's a denial of service and information gain, blah blah; you basically have to open up a malicious zip file, which, yeah, that's a pretty reasonable thing to do, because a lot of data gets passed around as zip files and gets unpacked somewhere and turned into lord knows what. And then he has these URLs, and, for example, this is a good sign, he links to the official bug tracker. This is kind of the gold standard, because the beauty is not only is it in the bug tracker for the project, but then chances are, oh, look at that, they actually acknowledged it and fixed it. So at this point I'm feeling comfortable that this guy is legit. And if you read it, blah blah blah, I love this: "distutils' spawn isn't very good at quoting command lines", and then he links to an older bug where they talk about this back in 2015 and never really fixed it. Awesome. So: new changeset, some long number, by Benjamin Peterson in branch 2.7, blah blah blah, fixes this. Awesome. He also links us to the older bug, as you can see, from 2015, and it's kind of like, yeah, whatever, it's hard to quote characters; they talked about it a bit and then nothing really happens. That's quite common for sort of quasi-related security bugs that aren't clearly bad. Oh my goodness, here's the actual commit, which, as you can see, is pretty simple.
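The bug class behind that commit, as an added example that is not code from the talk, from the requester's report, or from CPython (written for Python 3): the weak pattern hands a user-controlled directory name to an external `zip` command as one shell string, the hardened pattern passes an argument list to `subprocess` so the name stays a single argument. The `zip` binary is replaced by a constructed Python one-liner that echoes its argv, so the example runs offline and writes nothing.

```python
"""Shell string vs. argument list when invoking an external archiver.

Added example, not code from the talk or from CPython, written for Python 3.
The `zip` binary is replaced by a constructed stand-in (a Python one-liner
that prints its argv as JSON) so the example runs offline and writes nothing.
"""
import json
import shlex
import subprocess
import sys

# Constructed stand-in for `zip`: echoes the arguments it received.
FAKE_ZIP = [sys.executable, "-c",
            "import json, sys; print(json.dumps(sys.argv[1:]))"]


def zip_shell_string(zip_filename, base_dir, verbose=False):
    """Weak pattern: one string meant for a shell (never executed here).

    Shell metacharacters inside base_dir (';', '|', '`', '$(...)') are
    interpreted by the shell, which is the CWE-77 command injection class
    the CVE request in the talk was about.
    """
    zipoptions = "-r" if verbose else "-rq"
    return "zip %s %s %s" % (zipoptions, zip_filename, base_dir)


def shell_tokens(command):
    """Show how a POSIX shell would tokenize the string (shlex rules)."""
    return shlex.split(command)


def zip_shell_string_quoted(zip_filename, base_dir, verbose=False):
    """If a shell string is unavoidable, quote every untrusted operand."""
    zipoptions = "-r" if verbose else "-rq"
    return "zip %s %s %s" % (zipoptions, shlex.quote(zip_filename),
                             shlex.quote(base_dir))


def zip_argv(zip_filename, base_dir, verbose=False):
    """Hardened pattern: an argument list, no shell in the path at all."""
    zipoptions = "-r" if verbose else "-rq"
    return ["zip", zipoptions, zip_filename, base_dir]


def run_archiver(zip_filename, base_dir, verbose=False):
    """Run the archiver through subprocess with an argv list.

    Returns the argv exactly as the child process received it.
    """
    argv = zip_argv(zip_filename, base_dir, verbose)
    # Swap the real `zip` for the stand-in; the other arguments pass unchanged.
    result = subprocess.run(FAKE_ZIP + argv[1:], check=True,
                            capture_output=True, text=True)
    return json.loads(result.stdout)


if __name__ == "__main__":
    hostile = "docs; echo INJECTED"  # constructed attacker-controlled directory name
    print(shell_tokens(zip_shell_string("out.zip", hostile)))  # name splits, 'echo' becomes a word
    print(zip_shell_string_quoted("out.zip", hostile))         # quoted: the shell sees one operand
    print(run_archiver("out.zip", hostile))                    # child receives the name intact
```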

it's yeah they replaced the spawn with sub-process check and I don't know if you're familiar with Python but python kind of goes in that we wrote something that did something we figured out it was terrible so we wrote like a newer thing that we called something different and it doesn't much better and then we found out that was terrible and so like in Python to open up a command line you've got like I want to say like six or seven options like different ways to do it and as my current understanding is sub process is probably your best bet to do this securely and safely then we've got the link to the the actual like issue in

GitHub, which again, this is a good sign, right? These are legitimate sources of information. It's not some random guy's web page with, like, a PDF on it saying "I claim X, Y and Z." And more to the point, you know, it's being acknowledged by the developers, right? I've literally had flaws where, literally, the flaw's like, I found a cross-site scripting issue in a program, and the response from the developers: "yes you did, thank you, we fixed it." Awesome. And I'm like, oh, so easy to make that request. I've had other ones where they make some crazy claim and it's ignored, or the admin goes "I don't think so," someone closes it, and I'm like, you know, can you give us

a hint, maybe? Again, or GitHub stuff, and he even linked to a reproducer. Like, how nice is this person, right? They gave us a clear bug report, they link to the official sources, they link to the code commit that fixed it, they gave us the right versions, the names, and, like, here's a reproducer. I'm like, I love this person, right? So what do I do with that? Well, basically I go to my little spreadsheet and that entry is, like, now happy, so I move it into the "assigned request" tab and then I give it a CVE number. Literally, that's it. So there we go, I gave it CVE-2018-1000802. So I've given it a CVE

number, but I haven't yet published it, right? We probably should do that, so let's do that now. What I basically do is, and I don't usually do this one at a time, I do them, like, Friday afternoon at the end of the week. Usually I batch them up, rather, and do it all in one big go.

Tell me when you can... is that readable, or bigger? OK, well, I'm getting old too and I abhor ten-point fonts when I'm watching stuff. So the first thing I'm gonna do is update my local copy of the CVE list repo. How to explain this... so the MITRE Corporation moved the data into git, but git is not the true source of truth. The way they work is you submit your data to a branch of their git repo, they then pull that data into their back-end, which lives somewhere in, like, Northern Virginia, mangle it, manipulate it, put it into their database, and then they export their entire database back into the git thing, I think it's once an hour. So the git

repo is not the true source of truth; it's, like, people and stuff, the git repo, the actual hidden back-end, and that's just historical process, right? They've got this back-end that they wrote in, like, '95 and that's that. So it's a bit of a cumbersome process, because what it means is you cannot touch master. If you touch master, everything breaks. So we're not allowed to touch master. So I update all that stuff, and then I'm gonna check my notes to make sure I'm not forgetting anything. Yeah, so the first thing I'm gonna do, what I would normally do, is I essentially reserve a CVE, right? So there's a bunch of CVEs. Well, now number 802 is 802...

three, probably, maybe I used it for an embargoed issue that isn't yet published. So what I do is I mark a CVE as reserved, and actually the easiest way to do that will be taking an existing reserved one and making a new reserved one. So basically CVE 1000630 is reserved, and I just made a copy of it, basically. So here we go, as you can see, a reserved CVE is very simple. It's basically marked as taken and, like, "is reserved," and the value "RESERVED: this candidate has been reserved," blah blah blah. Basically it's going to be used at some point. So now, you know, I'm hopefully not going to double-assign 802, because I

almost never do that. Then I'm going to make a CVE, so that makes a big, good...

And I'm just gonna skip the whole part where I would normally commit that reserved CVE, put it into the database as reserved and then, you know, later actually publish it. We'll just do it live; those live demos are the best demos. So, whoops, nope, that's the wrong directory. Here we go. OK, there we go. So what I do, what I discovered, is most people aren't great at writing English, especially if it's, like, their second, third or in some cases fourth language. So I used to ask people to write their own CVE descriptions, and I discovered that that was not the way to go. So now I just ask for the data and then I generate it. Let's open that in something

more readable, like Atom. So I basically machine-generate it, literally using sentences with, like, variable replacement. Like, it really is that simple.

Let me... there's a really, sadly, easy way to make this a bit more readable for you. This is my go-to when I need to, like, super quickly format a chunk of JSON.

OK, so as you can see, the format is reasonably simple, and of course it's out of order. So basically at the top we would have the metadata, right: this was assigned on today's date, it was requested, oh geez, a while ago, the ID, the assigner (me), the requester (this guy, I assume), data format MITRE, problem type, blah blah blah, description, English. So we now support multiple languages, huzzah. "Improper neutralization," blah blah blah. So we scroll up, of course you'll see things like... so we've got machine-readable data now. Now, the dirty secret: things like that product name and that vendor name are not standardized. I apologize, something we're working on. So for example, when we have the Linux kernel,

you know, is it "Linux kernel," "the Linux kernel," "Linux kernel project"? I don't know, but we basically need to pick one and stick to it, right? I think you would all agree with that. Scrolling up, there's the description written by a computer script, so "Python Software Foundation Python CPython version 2.7 contains a" blah blah blah. You know, it's not the prettiest English, but it's readable. And then we've got our references, which again, that's kind of often the more important stuff, because that lets you research it and track it down. So yeah, good enough. So we got a file and I will just...
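As an added example (not the speaker's generator, whose code the talk does not show), here is a small Python script that builds a CVE JSON 4.0 record of the shape walked through above by variable replacement and runs the kind of well-formedness checks MITRE's CI applies to a pull request. The sentence template, the REQUESTER/DATE_* keys, the reporter address, the commit hash and the tracker issue number are assumptions or placeholders, not values from the talk.

```python
import json

# Assumed sentence template; the talk only says the generator uses "sentences with variable replacement".
DESCRIPTION_TEMPLATE = (
    "{vendor} {product} version {version} contains a {cwe} vulnerability in "
    "{component} that can result in {impact}. This attack appears to be "
    "exploitable via {vector}. This vulnerability appears to have been fixed in {fixed}."
)

# Top-level keys of MITRE's CVE JSON 4.0 format.
REQUIRED_KEYS = ("data_type", "data_format", "data_version", "CVE_data_meta",
                 "affects", "problemtype", "description", "references")


def build_cve_record(req, cve_id, assigner, assigned_on):
    """Turn the data a reporter supplies into a publishable CVE JSON 4.0 record."""
    return {
        "data_type": "CVE",
        "data_format": "MITRE",
        "data_version": "4.0",
        "CVE_data_meta": {
            "ID": cve_id, "ASSIGNER": assigner, "STATE": "PUBLIC",
            # Assumed DWF extras (requester and dates); not MITRE core keys.
            "REQUESTER": req["requester"], "DATE_ASSIGNED": assigned_on,
            "DATE_REQUESTED": req["requested_on"],
        },
        "affects": {"vendor": {"vendor_data": [{
            "vendor_name": req["vendor"],
            "product": {"product_data": [{
                "product_name": req["product"],
                "version": {"version_data": [{"version_value": req["version"]}]}}]}}]}},
        "problemtype": {"problemtype_data": [
            {"description": [{"lang": "eng", "value": req["cwe"]}]}]},
        "description": {"description_data": [
            {"lang": "eng", "value": DESCRIPTION_TEMPLATE.format(**req)}]},
        "references": {"reference_data": [
            {"url": url, "name": url, "refsource": "CONFIRM"} for url in req["references"]]},
    }


def lint_record(record):
    """Checks in the spirit of MITRE's CI: required keys, a well-formed ID, a reference."""
    problems = [f"missing {key}" for key in REQUIRED_KEYS if key not in record]
    parts = record.get("CVE_data_meta", {}).get("ID", "").split("-")
    if not (len(parts) == 3 and parts[0] == "CVE" and parts[1].isdigit() and parts[2].isdigit()):
        problems.append("malformed CVE ID")
    if not record.get("references", {}).get("reference_data"):
        problems.append("no references")
    json.loads(json.dumps(record))  # must survive a round trip as plain JSON
    return problems


# Constructed request with the details the talk walks through; commit hash and issue number are placeholders.
SAMPLE_REQUEST = {
    "requester": "reporter@example.com", "requested_on": "2018-08-01",
    "vendor": "Python Software Foundation", "product": "CPython", "version": "2.7",
    "cwe": "CWE-77: Improper Neutralization of Special Elements used in a Command",
    "component": "shutil module (make_archive function)",
    "impact": "denial of service, information gain",
    "vector": "passing a malicious zip file",
    "fixed": "after commit <COMMIT_HASH>",
    "references": ["https://bugs.python.org/issue<NUMBER>"],
}

if __name__ == "__main__":
    record = build_cve_record(SAMPLE_REQUEST, "CVE-2018-1000802", "assigner@example.org", "2018-09-01")
    print(json.dumps(record, indent=2, sort_keys=True), lint_record(record) or "lint ok")
```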

OK, so I need to make a branch, and, uh, whoops. So this will make the branch and then check it out. So I'm now working on a branch called DWF-[today's date]-1. I'm gonna copy the JSON file here, git add it,


stinking... and then I will commit it to that branch, and that exists now in my... so I have a copy of the CVE list repo, so I have my own repo that I work on, and then I push my changes, and GitHub makes that quite wonderfully simple. Let's make this bigger. Oh, there we go. So "compare and pull request," and I click "create pull request," and that's it. Now what will happen is MITRE on their end will look at the pull request. They have a little bit of CI to make sure that the request is well-formed, you know, that I haven't sent them some mangled JSON or whatever, right? There's all sorts of things that go wrong. Yeah, it's

ridiculous sometimes. But anyways, they'll basically run through their CI test, they'll make sure it's, like, a signed git commit, right? We require signed commits so that we don't have random people dumping stuff in there. You know, we have a very strong factual evidence trail now of, like, who did what to which CVE when, which we didn't have before, so this is a bit of an improvement. But essentially at some point, probably... what time is it on the East Coast? They've all gone home, so it'll probably happen tomorrow morning. They'll look at this, accept it, push it into the database, it'll get done on their back-end, they'll push it back out into git some hour, at

the top of the hour or whatever. They'll also publish it on the website, and it will exist, and that's it: a CVE has been born. As you can see, we need automation, we need to do a whole lot of things, but if I told you what the situation was five years ago you would cry and throw stuff at me. But like I said, we're working on this. And if you're not into, like, the whole US government news tracking, they're currently going through a kerfuffle, because, for example, the CVE project doesn't have reliable funding, right? They're on a project funding basis rather than, like, "every year we're actually gonna probably give you money." It's, like, a very "maybe it happens, maybe

it doesn't" type of thing right now. So hopefully CVE becomes a bit more healthy and a little bit more reliable, because, like I said, right now it runs on a bunch of people, like most open source projects, who, like, try... you know, we're trying to do the right thing, but we also have lives and vacations and, like, get sick and stuff. We're trying to automate it. You know, we've got a bunch of projects around the CVE user registry: so who all is involved in this, how do you, like, how do you contact them, right? That's a huge problem, right? You find a vulnerability in something, how the heck do you get ahold of the person in charge of it,

right? You go through... if anybody here has ever found, you know, a flaw in a corporate piece of software, who here's tried to talk to corporate frontline support about a security flaw and report it, right? Yeah, like, take a shot, you know, it's misery, it's horrible. So we want to, you know, have, like, like Red Hat, very simple: you email secalert@redhat.com and a human being reviews it, and we had some very tight SLAs on when we had to deal with it, when we had to reply, you know, and that reply might be, like, "thanks, but no," but at least a human being saw it, right? Like, there's other vendors where you email them stuff

and I don't know what happens to it, like, good luck, that's all I can say. So yeah, that was a CVE being born. Um, so I guess with that I'm basically... yeah, there we go, perfect, oh, right on time, so the demo went well, thank goodness. So, quick question: so you want to be a CNA, a CVE Numbering Authority? Right now, in the open source world, so for example, we have Kubernetes is one, I'm currently minting a couple, like Jenkins, and I want to say PHP. But if you want to be a CVE Numbering Authority for your software or product that you're involved in, I'm trying to make that easier. It's still very manual and a bad process, so I'm also looking

for guinea pigs, because I'm trying to streamline the process and find out sort of what's the minimum viable product. So one thing I realized, for example, is I don't necessarily actually need to train you on all the CVE stuff. You can find what we're gonna call a CVE mentor, you know, somebody who knows CVEs and knows how to handle it. So you would basically go to them and say "I think I found a security flaw, let's do the CVE song-and-dance," and they would help you do that. You know, they'd help you bundle up the CVE request to make it correct, like that Python request was, as you can see, very quick and easy

to process, right, because he linked to all the right information, used all the right words, it was all simple. So if anybody's interested in that, just please email me, either kurt@seifried.org or my address at cloudsecurityalliance.org. It's also on the iwantacve.org web page. But like I said, the more CNAs we have, the more distributed it becomes, the better coverage we have, and, you know, that's ultimately what we want, right? My back-of-the-envelope calculations say we need about one to ten million CVEs a year, and that would give us a good basic coverage of the open source world and, like, probably 10% of all commercial software that kind of matters. So in

conclusion, the current CVE system kind of works, mostly works, it's pretty good. We cover the big things, you know: Microsoft does their stuff, Red Hat does their stuff, Oracle does their stuff. You know, I don't agree with the way they do it, but at least they do it. You know, it's better than before, where it was just, like, you know, literally vendors like Oracle would say, like, "here's a patch, install it by Tuesday or else." Like, literally, I've seen, you know, back in the day, vendors would say things like that. You'd be like, why do we need to install it by Tuesday? "Like, no reason, just do it really quickly," you know. And then you

look at your calendar, you're like, oh right, DEF CON starts Tuesday, you know, right? Like, literally, it was such a horrible situation. And again, you know, I also come from a vendor in the past, so I apologize, you know, we haven't always made things as easy and as nice as we should have for our customers. So with that, I guess, question and answers. Does anybody have any questions? I actually have a quick question. You want to tell us a little bit about your Open Source Security Podcast? A little plug. Oh, sure. So myself and actually my former manager at Red Hat, Josh Bressers, we do a thing called the Open Source Security Podcast, where we talk about

mostly security, quite often in an open source context. It's at opensourcesecuritypodcast.com, and it's weekly; he releases it on Sunday. And, like, for example, we recently did a review of Bruce Schneier's new book. Too long, didn't read: you probably know all of it, but he writes it in a way that is very approachable to normal people, which, you know, that's something yesterday's, I guess, keynote was: you know, how do we talk to normal people? Like most of us, myself included, it's something we're working on. Great, thank you. Any questions from the audience? Oh yeah. I'm gonna try not to fall. The situation with MITRE reminds me a lot of what the internet went through when it

moved from NIST to ICANN and IETF and stuff like that. So is there any kind of push to say we need to get MITRE into its own sort of organization, separate from the US government, and not get its funding and be dependent on that? So, sort of, um, so fundamentally MITRE is a non-profit, and they do have US government contract oversight. They have a couple mandates around security, biosecurity, cyber security, whatnot. Um, what we're doing in CVE world is, right now, essentially, like, if MITRE loses their funding from the DHS, the CVE project basically dies, right? It's not... we don't have enough of a community yet. So, you know, coming from the Red Hat world, what

what quite often happens is Red Hat wants to get these open-source projects to grow up and stand on their own two feet. And that's where we currently are with CVE, is we're basically trying to sort of decouple ourselves a bit from MITRE so that we're less reliant on them. So part of that is this federation, this hierarchy, which is just removing the actual day-to-day kind of CVE handling and management from them. From a governance point of view, we're also working on things to reduce sort of MITRE's involvement in the sense of, like, right now they do most of the heavy lifting, right? And because that heavy lifting costs money, and, like, I don't have a budget to do it, you know, Red Hat, you

know, here Red Hat did it, like, that's where I used to work, and, you know, I spent a lot of time working on CVE on behalf of Red Hat, and Red Hat, you know, Red Hat was responsible for, what, 15-20 percent of the CVE database in total up until recently. So we need more of that open-sourced model where the community stands on its own, but we're a long way away from there, with similar problems to most open source: that everybody wants to use CVE, very few people want to contribute to it, right? And it's great that people use it, I want that, just like I want people to use open source, but at the end of the day somebody has to do

some programming or some CVE assignments or, you know, has to do some work. So these are things we're working on, and like I said, there's a current congressional... about their funding, where they're like, "oh, you guys are doing a terrible job." Like, yeah, we kind of are, because the funding keeps going away, like, what do you want from us? So they recommended it become a line item, like, we just fund this thing every year, right, which will improve things vastly. So it's growing up, and part of it is, you know, almost nobody knew about CVE up until a few years ago, really, like, it was a very niche thing. But now security is not a niche, right? We've created all

this crap, plugged it into the internet, and discovered, whoops, now we need to update it. How do we track that, right? How bad is it? We don't know. So I'm thinking probably within five years the CVE community will be able to largely stand on its own feet. OK, thanks. Any other questions? Oh yeah.

First of all, what does that mean to you?

So I have probably five positions on that. So, disclaimer: I worked for Red Hat Product Security for seven years; prior to that I worked for iSIGHT, iDefense, which were vulnerability aggregation companies. Um, so in a perfect world with spherical cows, people would do the right thing, not just the people finding the vulnerabilities but the people responsible for the software with the vulnerabilities. We don't live in that world. There's a lot of economic and market forces that basically say, "haha, I sold you something and, you know, no backsies, like, why would I support it? No backsies, right? I got your money, it sucks to be you." So, you know, on the one hand I wish every

researcher responsibly took the time to go to the company, work with the company, you know, within a reasonable timeframe, get it fixed, blah blah blah. But, like, there's just some evil drug companies out there. Or, you know, last year Ford and a couple of large car companies actually came out and said "we won't sue you if you bring the security vulnerability to us," and I was like, oh, that's actually progress. Like, straight up, that's progress. No, there's a lot of industries, like, in a lot of the world, if you find a flaw in your bank's website, what do you do? The correct answer is nothing. You don't tell them, right, because the cops will show up and take all your stuff,

right? You know, so I would say, like many things, it's an iterated prisoner's dilemma: try to do the right thing, please do the right thing, and if that doesn't work, to quote Troy Hunt, you know, we talked to him last week about the value of public shaming of companies with bad security. Yeah, the reality is that's what you need to do to some companies. I would also say maybe look at the company's track record, right? Some companies might have a legitimate need to be, like, "oh god, that's gonna take, like, three or six months," or a great example being this Intel stuff, right? Like, yeah, software, sure, we can fix that, but, like, ah, it's hardware now and we need the hardware

vendor. Well, ultimately we dip the Ruhlman still, we also need micro patches in the meantime, and we need the vendors to, like, fix all their Linux kernels, like, and like many of these complicated problems, we start looking into it and all of a sudden it goes from, like, oh, you know, somebody proposed this problem with this solution, turns out it's way worse than we thought, it's, you know, a million times more complicated. So, you know, we're gonna need six months or a year, right? Everybody complains about how long Spectre and Meltdown were in private. Yeah, it had to be, like, there were so many engineers working on it and so many people at so many companies dealing with

this, and we still didn't do, like, what I would say... we didn't do a great job, we did an OK job. Ideally what happens is, like, with the stack guard flaw, we had it private for about, it was five months or something, you know, and Florian found, like, a whole can of worms and did a whole bunch of hardening and changes to glibc in addition to fixing the flaws. And then the day hit, we rolled out the updates, nothing happened, right? No press, everybody installed the updates, and life went on. And ideally that's what happens, right? It's, you know, "oh, all these tires might blow up" or whatever, so just, you know, go to the

garage, get your tire swapped, boom, done, we're all good. So as far as responsible disclosure goes, like, yeah, I would encourage people to be nice, but fundamentally that doesn't always work. And also I would say, you know, protect yourself, right, because some companies and organizations will come down on you like a bag of hammers if you give them bad news, which is unfortunate, but it is the world we live in. Great, well, thanks Kurt, that's all the time we have for questions. Round of applause for Kurt.