[Daniel's week] December 20, 2024
Daniel Stenberg
daniel at haxx.se
Fri Dec 20 16:13:10 CET 2024
Hello friends.
Welcome to the end of another work week and a summary of some of the things
that kept me busy the last seven days...
## CVE-2024-11053 "fun"
On Sunday afternoon I was informed that CISA in their infinite wisdom had
decided that the curl related CVE-2024-11053 [9] should be scored CVSS 9.1
CRITICAL, which made it show up on some news sites.
We announced that CVE set to severity LOW earlier this week. How and why did
this massive severity level bump happen?
Setting CVSS scores on published CVEs, a job that NVD did in the past, is
nowadays done by CISA (Cybersecurity and Infrastructure Security Agency), as
they are now an "ADP" (Authorized Data Publisher) within the CVE program.
They are the new know-it-all organization and will quickly fill in some
(seemingly arbitrary) values in a CVSS calculator and set that for CVEs that
are missing the score.
CISA has a GitHub repository [2] with all their data and in there we can see
how they committed info for CVE-2024-11053 [1] on December 11.
At 15:01 (my time zone) I posted on Mastodon [3] that this CVE is certainly
not a critical security problem, and shortly thereafter at 15:42 I submitted a
PR [4] to CISA to update the metadata to something more reasonable. I figured
5.3 could possibly work.
At 18:13, CISA instead pushed an update [5] that was not my PR. It lowered the
score even further; all the way down to 3.4. I then closed my PR once I
realized this happened.
Unfortunately, few of those alarmist websites probably will update after this
update so I suspect we will see this CRITICAL label floating around for a
while.
We subsequently had a brief discussion in the curl security-team during the
week: should we reconsider setting CVSS scores on our published CVE records
just in order to prevent CISA and others from performing crimes like this going
forward? But no. We remain convinced CVSS is bad and going along with that
dance will not be pretty.
We added the following paragraph to our vulnerability disclosure policy
document [10]:
We do not support CVSS as a method to grade security vulnerabilities, so we do
not set them for CVE records published by the curl project. We believe CVSS is
a broken system that often does not properly evaluate to suitable severity
levels that reflect all dimensions and factors involved. Other organizations
however set and provide CVSS scores for curl vulnerabilities. You need to
decide for yourself if you believe they know enough about the subjects
involved to make reasonable assessments. Deciding between four different
severity levels is hard enough for us.
## AI slop
On December 18, yet another Hackerone submission [13] landed against curl's bug
bounty where the report showed clear signs of slop. While this now starts to
become normal and within the everyday routines, this stood out a little
because the reporter had a Hackerone "reputation" of 1,000 which is way higher
than most reporters ever before, which should indicate an experienced and
"senior" security researcher within the Hackerone community. After some people
looked into this hacker's past performances, it rather seems that AI slop now
can help lazy incompetent researchers trick the system. Maybe not a big
surprise, but still sad.
With this submission the trend is blatantly obvious so I created an "AI slop"
checkbox field in curl's Hackerone reports and went back and filled it in for
the past obvious AI generated reports I could find. This way, by checking this
checkbox going forward for entries with obvious (bad) AI usage, I hope to get
accurate reporting and statistics. Instead of guessing or estimating. Right
now, I count only seven reports with it checked, but all of these have been
filed within the last year.
The current slop rate is roughly 7% of the submissions, or every 15th report.
It is incidentally also roughly at the same rate we currently get valid
reports that end up getting published as curl security problems. We get about
two Hackerone submissions per week on average.
Let's see how this develops.
## c-ares for QNX
Brad House released c-ares 1.34.4 [8], which incorporated several fixes for
QNX. This made it possible for me to do a subsequent update of c-ares for QNX
[7] now built straight from the release with zero custom patches applied.
I still have pending work to provide curl builds for QNX built with c-ares.
Coming soon.
## 104 operating systems
While slowly working on a future curl related presentation, I again asked
around for updates to my "curl has run on all these operating systems" slide
which as usual triggered some updates and it now counts 104. I subsequently
also updated the operating systems list in the curl repo [6].
## everything curl
I added some new sections to everything curl [11] this week and closed the
corresponding issues about topics not previously covered. Mostly a few
recently added command line options.
There are still a bunch of them left open [12] in case anyone feels like
contributing.
## Coming up
- the curl feature window opens tomorrow, Saturday
- Christmas week, things will be slower than normal
## Links
[1] = https://github.com/cisagov/vulnrichment/blob/develop/2024/11xxx/CVE-2024-11053.json
[2] = https://github.com/cisagov/vulnrichment
[3] = https://mastodon.social/@bagder/113657205050547339
[4] = https://github.com/cisagov/vulnrichment/pull/151
[5] = https://github.com/cisagov/vulnrichment/commit/91fadb2bf6b461638c8155978b9f20cf17e51fe3
[6] = https://github.com/curl/curl/pull/15755
[7] = https://qnx.haxx.se/
[8] = https://c-ares.org/changelog.html
[9] = https://curl.se/docs/CVE-2024-11053.html
[10] = https://curl.se/dev/vuln-disclosure.html
[11] = https://everything.curl.dev/
[12] = https://github.com/curl/everything-curl/issues
[13] = https://hackerone.com/reports/2905552
--
/ daniel.haxx.se