6

6 months ago, I found a buffer overflow in git which has the same impact as this vulnerability (with the exception that it allows server-side code execution). It got several CVEs assigned to it and was completely fixed upstream.

However, 2 months after the upstream fix, the CVE details are still unpublished and nearly no Linux distribution has updated its stable branch.
I even noticed that Wikimedia Gerrit and bitbucket.org were still vulnerable last week (I warned the appropriate persons and it got fixed on Wikimedia).

I definitely can’t bring the information to every provider. I know it can take years for a CVE to be published. But it definitely doesn’t break the news like CVE-2014-9390.

How to widely advertise it so that people and Linux distributions fix their machines?

user2284570
  • I reported it to CERT last December, but didn’t get any replies. – user2284570 Mar 14 '16 at 15:07
  • well looks like it made the front page of Hacker News tonight anyway... https://news.ycombinator.com/item?id=11292488 – Rory McCune Mar 15 '16 at 22:15
  • I was catching up on the SANS Internet Storm Center podcast yesterday, and they also featured it there on the Thursday, March 17th episode. – Xander Mar 24 '16 at 13:39

2 Answers

4

Unfortunately there are no hard and fast rules about this kind of issue, and with the very wide use of open source components and libraries it's inevitable that some companies won't update even after a long time (for example 200k servers still vulnerable to Heartbleed a year after release).

In terms of getting people to pay attention and patch, unfortunately it still seems like the only way is to publish vulnerability information widely and publicly, after an appropriate private notification period.

Exactly how long you want to have for that period is a matter of debate, with people going from 0-days all the way up to many months.

Perhaps a decent guideline would be to follow CERT's Responsible Disclosure Policy which releases after 45 days.

From the timeline you describe it sounds like you're well past that point already, so really if you want to see more people pay attention the best way may be to write up a blog post describing the issue and potential impact and circulate it widely.

Whilst it may seem cynical to suggest this, in terms of getting people to pay attention, marketing the vulnerability may be the best way to go. If you look at recent vulns that get publicity, most have a catchy name ("Drown", "Heartbleed" etc) and the write-ups explain in quite clear terms the likely impact. Then it's a case of it getting picked up in social media (Twitter, Reddit etc) and starting circulation amongst the InfoSec community.

Rory McCune
  • I also have a blog, but nobody is reading it. The government in my country even started a plan in order to create software for fixing a particular issue whereas I created that software *(because I had identified that particular daily life problem)* long before they thought about doing it. – user2284570 Mar 14 '16 at 15:34
  • @user2284570 you have a blog link? – Rory McCune Mar 14 '16 at 15:36
  • It’s even [on my profile](http://security.stackexchange.com/users/36301/user2284570?tab=profile). Concerning the problem I mentioned, it was specific to the French language so translation didn’t play a role. I recognize I mainly created it because it was a requirement for my final exam last year. – user2284570 Mar 14 '16 at 15:42
  • I forgot the most important thing. It’s even listed on [this page](https://bounty.github.com/) (I’m the fifth). – user2284570 Mar 14 '16 at 16:05
  • You can get "professional" help for publicizing vulnerabilities by using a service like the [Zero Day Initiative](http://www.zerodayinitiative.com/) that buys vulnerabilities and then discloses them on a fixed schedule. I'm sure there are others, this is just the one I'm most familiar with. – Neil Smithline Mar 14 '16 at 21:31
  • @NeilSmithline : they told me they weren’t interested in security bugs in git. I also contacted Bureau des failles et de la sécurité *(the official service of our militarized police responsible for handling IT threats)* only to receive an automated acknowledgement in January. – user2284570 Mar 15 '16 at 12:44
-1

It's an obvious fairytale about the CVE, CERT and so forth "vulnerability assessment teams/agencies". And if such questions keep arising, I feel I must break your illusions into very small and sharp pieces of glass...

Remember: there's NO such thing as collective vulnerability assessment teams/agencies like CVE, etc. Why? Too many government agencies are in vital need of backdoor-like vulnerabilities being in existence, to make them able to break in illegally and stealthily. Remember a lot of stories like BlackHat speech cancellations, the lawsuit against a person who found a backdoor in ALL Cisco, Edward Snowden just followed the supreme law of his country - the USA Constitution - and he is now on the "most wanted" list. And these are the most loudly spoken things, there are lots more - I'm just not mentioning them here, but I can add some info if requested.

Even being caught - government agencies are enforcing and covering their crime-mates, like The Hacked Team. Yes, their malware was opened and open-sourced by a leak. Also a Bundestrojan(er) was detected and shown to the public... How many antiviruses are catching precisely that malware nowadays? Even taking into account the time lag between the moment they were actually found and brought down to the public.

Wake up! The only way to show that something is wrong is to talk about it as loudly as you can to as broad an audience as you can reach. With all proofs, code examples, etc. Only then it won't be silently disclosed and some actual steps will be in order by Vox populi. It's the only way nowadays, and that's the thing governments are fighting against - so be prepared, if you dare ;)

Alexey Vesnin
  • [I partially disagree](http://pastebin.com/UX2P2jjg) – user2284570 Mar 15 '16 at 14:12
  • 2
    Assuming that poor disclosure policies are due to government conspiracies seems quite the leap. – Neil Smithline Mar 15 '16 at 14:18
  • @user2284570 you can actually post the vulnerability and the testing/Proof-of-Concept code in a question to this very site and ask people to test, for instance. That's my approach – Alexey Vesnin Mar 15 '16 at 14:20
  • @AlexeyVesnin : [I definitely lack the computer skills required to create such proof of concept](http://security.stackexchange.com/q/115769/36301). – user2284570 Mar 15 '16 at 14:24
  • @user2284570 that proves you're in the right place - I think many people here would love to collaborate in writing such a proof. You can ask for help in this particular matter too in your questions – Alexey Vesnin Mar 15 '16 at 15:02
  • 1
    @AlexeyVesnin : someone suggested that I [do this](http://www.openwall.com/lists/oss-security/2016/03/15/5) on freenode. I don’t know if it will change something though. – user2284570 Mar 15 '16 at 15:06
  • @user2284570 a good suggestion, and I advise you to mention this question in your freenode post and vice versa - link all your posts with each other, so this will maximize the reach – Alexey Vesnin Mar 15 '16 at 15:07