Page 49 - Cyber Defense eMagazine July 2024
Vendors may choose to downplay the number of registered vulnerabilities for various reasons, such as
simplifying their reporting process, minimizing public exposure of vulnerabilities, or reducing the
perception of having a large number of individual vulnerabilities in their software.
However, grouping multiple vulnerabilities under a single registered CVE is a bad strategy: it leaves
organizations unsure which exact vulnerability must be addressed in the development cycle to resolve
the CVE. This can cause communication problems within IT teams and lead to unpatched vulnerabilities
being overlooked. Ultimately, it complicates mitigation efforts for organizations, increases the risk of
vulnerabilities going unnoticed, and exposes the vendor to accusations.
While Ivanti and Juniper faced public criticism, it's worth noting that the damage from mishandling
vulnerability disclosure was not critical because they did disclose vulnerabilities. However, there is an
older case involving Microsoft, where a certain vulnerability was concealed, allowing threat actors to
exploit it for years.
Microsoft silently patched the vulnerability known as "EpMo" in May 2017 without ever publicly disclosing
it, although it had initially been discovered in 2013. This lack of disclosure allowed APT31 (attributed to
China's Zirconium) to replicate the exploit in 2014, forming the "Jian" exploit, and to use it since at least
2015. The exploit was reported to Microsoft by Lockheed Martin's Computer Incident Response Team,
indicating a potential attack against American targets. The delayed disclosure enabled APT31 to exploit
the vulnerability for years. This example underscores the importance of timely and transparent
vulnerability disclosure by vendors, since it enables users and organizations to take the measures
necessary to protect themselves against potential threats.
Other Issues with Vulnerability Handling
Sometimes vendors, after detecting vulnerabilities in their software, issue an upgrade while retaining the
previous version's public version number. Consequently, a sysadmin cannot tell whether the application
in place is vulnerable or patched. Such cases often go unnoticed by the public, but they do happen. In
June 2023, Dell Commander 4.9.0 was found to have CVE-2023-28071, with an NVD score of 7.1. The
company released a new version internally marked as A02 but did not change the publicly available
version number, which is what is visible in the Programs and Features view. A good practice would be
to assign a new version number to the updated release.
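As an added example (not code from the article or from Dell), the following PowerShell check lets a sysadmin catch this situation on their own hosts: it pairs the DisplayVersion that Programs and Features shows with the file version and SHA-256 of the executables actually installed, and warns when a binary changed between two runs while the advertised version stayed the same. The product name pattern and the baseline path are placeholders, and no assumption is made about where the vendor's internal A02 marker lives.

```powershell
# Added example (not from the article): inventory installed products from the
# Programs and Features registry keys and pair the advertised DisplayVersion
# with the file version and SHA-256 of executables under InstallLocation, so a
# silent update that leaves DisplayVersion unchanged still shows up as a change.
# The product pattern and baseline path are placeholders; adjust for your estate.
param(
    [string]$DisplayNamePattern = 'Dell Command*',            # placeholder pattern
    [string]$BaselinePath = "$env:ProgramData\sw-baseline.json" # placeholder path
)

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# One record per executable: the advertised version next to what is really on disk.
$current = foreach ($app in Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
                    Where-Object { $_.DisplayName -like $DisplayNamePattern }) {
    if (-not $app.InstallLocation -or -not (Test-Path $app.InstallLocation)) { continue }
    foreach ($exe in Get-ChildItem -Path $app.InstallLocation -Filter *.exe -Recurse -ErrorAction SilentlyContinue) {
        [pscustomobject]@{
            DisplayName    = $app.DisplayName
            DisplayVersion = $app.DisplayVersion        # what Programs and Features shows
            File           = $exe.FullName
            FileVersion    = $exe.VersionInfo.FileVersion
            Sha256         = (Get-FileHash -Path $exe.FullName -Algorithm SHA256).Hash
        }
    }
}

if (Test-Path $BaselinePath) {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    foreach ($now in $current) {
        $then = $baseline | Where-Object { $_.File -eq $now.File }
        if ($then -and $then.Sha256 -ne $now.Sha256 -and $then.DisplayVersion -eq $now.DisplayVersion) {
            # Binary changed but the public version did not: the case described above.
            Write-Warning ("{0}: {1} changed (file version {2} -> {3}) while DisplayVersion stayed {4}" -f
                $now.DisplayName, $now.File, $then.FileVersion, $now.FileVersion, $now.DisplayVersion)
        }
    }
}

# Store the current state as the baseline for the next run.
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
```

Run it once before and once after a vendor update; a warning on the second run means the installed binaries changed without a corresponding change in the public version number.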
Best Practices to Disclose Vulnerabilities
When software vendors disclose vulnerabilities and assign CVEs, they should adhere to certain rules.
First, they need to coordinate with CVE Numbering Authorities (CNAs), which are responsible for
assigning CVE IDs and maintaining the CVE database. This ensures that the vulnerability meets the
criteria for CVE assignment.
Entities discovering vulnerabilities should disclose them to relevant parties, including vendors, CERTs,
and vulnerability databases, allowing vendors time to develop patches before public disclosure.
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.