Glad to see a new update from the National Institute of Standards and Technology (NIST) National Vulnerability Database (#NVD): https://lnkd.in/dmaBdzbH The update is focused on two main themes:
— #CVSSv4 support — it will appear on vulnerability detail pages, in the search form and in search results. Moreover, there is a new CVSS v4 calculator: https://lnkd.in/dF4RiiaD As of now, I wasn't able to find any #CVE scored with CVSS v4 by NVD.
— #CISA Authorized Data Publisher (#ADP) support — NVD CVE records will include CVSS and #CWE information from CISA’s #Vulnrichment (see one example here: https://lnkd.in/dj_7kUYf). Unfortunately, it looks like Vulnrichment affected configurations (some of which also include #CPE) are not available via the NVD at the moment.
#informationsecurity #vulnerabilityassessment #vulnerabilitymanagement
Andrey Lukashenkov’s Post
More Relevant Posts
There was an unexpected follow-up to this story. Chris Madden spotted a likely wrong #CWE assigned to #CVE-2024-0042 by #Vulnrichment (check his issue on GitHub for details: https://lnkd.in/dnHrgUmj). Honestly, this is baffling. Having to question and double-check each and every bit of data coming from sources that are meant to be trustworthy puts the whole #cybersecurity industry in a bad place. #informationsecurity #vulnerabilityassessment #vulnerabilitymanagement
I noticed that the National Vulnerability Database (#NVD) backlog has been growing at a much slower rate lately. For a long time, it's been hanging around 18000 #CVEs. So, I have taken a brief look at the recent NVD activity. Here is a chart of the current statuses of CVEs added to the NVD in 2024, grouped by the week they were published. As you can see, for the first 6 weeks of 2024 the NVD analyzed close to 100% of published CVEs (an Analyzed CVE becomes Modified when additional info like a reference link is added). Then there is a big gap, but things start to improve in the first week of June. The current NVD strategy seems to be “analyze as many of the new CVEs as possible and forget the rest”. They are still below the January 2024 capacity levels, but there appears to be an upward trend in the number of analyzed CVEs. I'm very curious to see if there is any pattern in which new CVEs are analyzed and which are left behind, and if all of the backlog will be addressed eventually. #informationsecurity #vulnerabilityassessment #vulnerabilitymanagement
This is critical information for everyone who uses the NVD database as the source for checking vulnerability information. The gap that Andrey describes is where you will be left in the dark, not discovering all those CVEs in your systems. This is hurting the business and will affect the implementation of the EU Cyber Resilience Act if it's not fixed soon. Can the EU step up to help? Meanwhile, the CVE organisation is encouraging the CNAs to add the missing data at the time the CVE is created, to fill the gap. This will take time, as the CNAs need training, detailed information and a change in their own internal processes. I think that in the long run, we need a global federated solution for handling vulnerabilities in our systems. #CVE #CNA #NVD #EUCRA #CRA #SBOM
The CVE-2024-28991 vulnerability is rated 9.0 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an instance of deserialization of untrusted data.
Potential consequences of setting the Set User ID (SUID) permission on the /sbin/fdisk program
Setting the setuid (SUID) bit on the /sbin/fdisk command using chmod u+s /sbin/fdisk would allow any user who executes /sbin/fdisk to run it with the permissions of the file's owner (typically root). This means that even regular users would be able to run the fdisk command with elevated privileges, which could potentially be a security risk. The SUID bit is a special permission that can be abused if not properly configured. Instead of using the SUID bit, it is generally recommended to use the sudo command to grant users the ability to run privileged commands like fdisk. This provides more control and auditing over who can execute such sensitive system commands.
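The audit side of this point, as an added Python example (not code from the original post): walk a directory tree for regular files carrying the setuid bit, compare them against an allowlist of binaries that are expected to have it, and print the sudoers rule the post recommends as the alternative. The allowlist and the `disk` group name are assumptions for the example.

```python
import os
import stat

# Binaries expected to carry setuid on a typical Linux host. This allowlist is an
# assumption for the example; replace it with the baseline of your own images.
ALLOWED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount"}

def mode_is_suid(mode):
    """True when mode describes a regular file (not a directory) with the setuid bit set."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)

def scan_tree(root):
    """Walk root without following symlinks and yield (path, st_mode) for every file."""
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.lstat(path).st_mode
            except OSError:  # entry vanished or unreadable: skip it, do not abort the audit
                continue

def audit_suid(entries, allowed=ALLOWED_SUID):
    """Return (path, perms) for setuid files that are not on the allowlist.

    entries is an iterable of (path, st_mode) pairs, e.g. scan_tree('/sbin').
    """
    findings = []
    for path, mode in entries:
        if mode_is_suid(mode) and path not in allowed:
            findings.append((path, oct(stat.S_IMODE(mode))))
    return findings

def sudoers_rule(binary, group):
    """The sudo alternative the post recommends: a group may run the binary as root,
    and every invocation is logged by sudo instead of being open to all local users."""
    return f"%{group} ALL=(root) {binary}"

if __name__ == "__main__":
    for path, perms in audit_suid(scan_tree("/sbin")):
        print(f"unexpected SUID {perms} on {path}; consider: {sudoers_rule(path, 'disk')}")
```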
CVE-2024-6387 The Qualys Threat Research Unit (TRU) discovered that OpenSSH, an implementation of the SSH protocol suite, is prone to a signal handler race condition. If a client does not authenticate within LoginGraceTime seconds (120 by default), then sshd's SIGALRM handler is called asynchronously and calls various functions that are not async-signal-safe. A remote unauthenticated attacker can take advantage of this flaw to execute arbitrary code with root privileges. This flaw affects sshd in its default configuration. Details can be found in the Qualys advisory at: https://lnkd.in/dttskH7t
It looks like we are to see another uptick in the #CVSS base scores with wider adoption of the new #CVSSv4. Since #CVERecord v5.1 became available on May 8th, making it possible to use CVSS v4, 23 #CNAs have submitted it for 360 #CVEs as of this morning. Some of those CVEs are new, and some are old ones that got score updates. Here is the list: https://lnkd.in/ewJGedhK I plotted all of those CVEs comparing the CVSS base scores of v3 and v4, and the picture shows a significant uptick in the values for v4. Ben Edwards and Sander Vinberg showed the same effect moving from CVSSv2 to CVSSv3 in their talk “CVE Is The Worst Vulnerability Framework (Except For All The Others)” at #VulnCon (https://lnkd.in/e9pBp8PX). Furthermore, it is notable that some CNAs now provide only CVSS v4 with their CVE records, see the marks on the left side. Your systems need to be prepared to handle that if you rely on CVSS in any manner. #informationsecurity #vulnerabilityassessment #vulnerabilitymanagement
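Handling both situations raised in these posts, CNAs that ship only CVSS v4 and the CISA ADP container that now carries Vulnrichment CVSS and CWE data, as an added Python example (not code from the author, NVD or CISA): it reads a CVE Record 5.1 JSON object, collects every CVSS metric with its source, picks one by version preference, and keeps the CWE tagged with who asserted it. The record is constructed with a placeholder id and made-up values; `cvssV4_0`, `cvssV3_1` and `cweId` are field names of the CVE JSON 5.x schema.

```python
import json
# Constructed CVE JSON 5.1 record (placeholder id, made-up values): the CNA ships only a
# CVSS v4.0 metric; the CISA ADP container adds a CVSS v3.1 metric and a CWE.
SAMPLE_RECORD = json.loads("""{
 "cveMetadata": {"cveId": "CVE-0000-00000"},
 "containers": {
  "cna": {"metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "baseSeverity": "CRITICAL",
    "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}]},
  "adp": [{"title": "CISA ADP Vulnrichment",
   "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH",
     "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}],
   "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502",
     "description": "CWE-502 Deserialization of Untrusted Data"}]}]}]
 }
}""")

CVSS_KEYS = ("cvssV4_0", "cvssV3_1", "cvssV3_0", "cvssV2_0")

def iter_containers(record):
    """Yield (source, container): the CNA first, then each ADP container labelled by title."""
    c = record["containers"]
    yield "cna", c["cna"]
    for adp in c.get("adp", []):
        yield "adp:" + adp.get("title", "unknown"), adp

def collect_scores(record):
    """Every CVSS metric as (source, version, baseScore), whichever versions are present."""
    return [(source, m[key]["version"], m[key]["baseScore"])
            for source, cont in iter_containers(record)
            for m in cont.get("metrics", [])
            for key in CVSS_KEYS if key in m]

def preferred_score(record, prefer=("4.0", "3.1", "3.0", "2.0")):
    """Pick one score by version preference; on a tie the CNA's own metric beats an ADP's."""
    scores = collect_scores(record)
    for version in prefer:
        hits = sorted((s for s in scores if s[1] == version), key=lambda s: s[0] != "cna")
        if hits:
            return hits[0]
    return None  # the record carries none of the versions the caller accepts

def collect_cwes(record):
    """CWEs as (source, cweId) so a reviewer can see who asserted each one."""
    return [(source, d["cweId"])
            for source, cont in iter_containers(record)
            for pt in cont.get("problemTypes", [])
            for d in pt.get("descriptions", []) if d.get("cweId")]
```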
New update from the National Institute of Standards and Technology (NIST) on the #NVD situation. No explanation for the situation, no definitive commitments. The last time I checked (this morning 😎), since February 12th there were over 8500 #CVE published (https://lnkd.in/dNQQMft5) and more than 8000 of them have no #CPE configuration (https://lnkd.in/duHWNjuF). I'm a bit lazy to pull out accurate stats, but for the past 10 days or so exactly one CVE (CVE-2024-3400) was fully processed. #informationsecurity #vulnerabilityassessment #vulnerabilitymanagement
Since February 12th, the National Vulnerability Database (#NVD) added more than 7000 #vulnerabilities. Only just over 400 of those were enriched with crucial information like #CWE, #CVSS, and #CPE. At Vulners, we've been hard at work to address NVD not adding key data to #CVE and to offer an alternative to power your #vulnerabilitymanagement processes. In short, we started collecting data from the CVE Program and normalizing them to power core Vulners features that were affected by the absence of NVD data. Please refer to our blog post for more details. https://lnkd.in/dvGbqdHD
Expanding Affected Configuration Data in Vulners Database
vulners.com
How to store passwords safely in the database and how to validate a password? Let’s take a look. Storing passwords in plain text is not a good idea because anyone with internal access can see them. According to OWASP guidelines, “a salt is a unique, randomly generated string that is added to each password as part of the hashing process” https://bytebytego.com/
Distinguished Technical Security Engineer (5mo):
Thanks Andrey Lukashenkov. As I was reading this, the assigned CWE stood out. I think the CWE assigned by CISA ADP is inappropriate, so I created an issue: https://github.com/cisagov/vulnrichment/issues/84. I'm very curious to see what happens...