
Re: assignments for malware
The NPM problems aren’t new, CPAN had (and still has) many of the same
problems.


-Kurt
> On Aug 13, 2018, at 15:19, Art Manion <amanion@cert.org> wrote:
>
>> On 8/13/18 12:55 PM, jericho wrote:
>>
>> The second type is just a malicious module that has nothing to do
>> with the legitimate module, other than a similar name as the means
>> for getting people to download it. An example of that is
>> CVE-2017-16044:
>>     `d3.js` was a malicious module published with the intent to
>>     hijack environment variables. It has been unpublished by npm.
>
> This seems out of scope for CVE.  I get that npm-style software
> distribution is a "new" and real thing, and without having recently
> looked at it in detail, my impression is that npm and its ecosystem
> isn't terribly secure, which is an intentional choice:
>
>
> https://blog.npmjs.org/post/141702881055/package-install-scripts-vulnerability
>
> In ancient box product terms, the analog is "I downloaded and linked
> lib-png.so because I wanted to include PNG support in my
> application."  Not a technical vulnerability, I accidentally
> installed malware.
>
> Yes, these matter, and I'm in favor of telling the public about
> malicious npm-managed code, but that might not be CVE's job.
>
> I don't see much of a difference with CVE-2018-3779.  Intentionally
> malicious code masquerading as legitimate, gains authority and
> reputation by being allowed on npm in the first place, depends on
> community to find and remove.
>
> In terms of being vulnerabilities (and in scope for CVE), I'd say no,
> not in scope.  I wouldn't suggest removing any existing assignments,
> but either stop or make a decision to include such things in CVE's
> scope?
>
> Trying out the other side: There is a (popular but insecure) software
> development ecosystem, within that system, flagging malicious
> components is treated like a vulnerability/CVE assignment?  Still
> doesn't really work for me.
>
> - Art
>

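The two mechanisms the thread touches on, a package running code at install time (the install-scripts behaviour Art links to, and the channel through which a package such as the malicious `d3.js` could read environment variables) and a look-alike name as the lure, can both be checked for mechanically. The following is an added example, not code from the thread, from npm or from any package it names; the manifests, the "well-known" name list and the `.npmrc` contents are constructed for the example, and the normalisation and edit-distance thresholds are assumptions about what counts as a look-alike.

```javascript
// Added example (not from the thread or from npm): audit a set of package
// manifests for install-time lifecycle scripts and look-alike names, and
// check whether an .npmrc disables lifecycle scripts. All inputs below are
// constructed for the example.

// Hooks npm runs while installing a dependency, with the installing
// user's full environment available to them.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

// Edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Collapse common squatting tricks: case, a trailing "js", and separators,
// so that "d3.js" and "d3" compare equal. (Assumed heuristic.)
function normalizeName(name) {
  return name.toLowerCase().replace(/[._-]?js$/, '').replace(/[._-]/g, '');
}

// The well-known name this package resembles, or null if it is one of the
// well-known packages itself or resembles none of them.
function lookalikeOf(name, wellKnown, maxDist = 2) {
  if (wellKnown.includes(name)) return null;
  for (const known of wellKnown) {
    if (normalizeName(known) === normalizeName(name)) return known;
    if (levenshtein(name.toLowerCase(), known.toLowerCase()) <= maxDist) return known;
  }
  return null;
}

// Lifecycle hooks a manifest declares, with the command each would run.
function installScripts(manifest) {
  const scripts = manifest.scripts || {};
  return LIFECYCLE.filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// One finding per manifest that either runs code at install time or
// resembles a well-known name; a lifecycle script alone is a signal to
// review, not proof of malice.
function auditManifests(manifests, wellKnown) {
  return manifests
    .map((m) => ({
      name: m.name,
      version: m.version,
      installScripts: installScripts(m),
      lookalikeOf: lookalikeOf(m.name, wellKnown),
    }))
    .filter((f) => f.installScripts.length > 0 || f.lookalikeOf !== null);
}

// Does an .npmrc set ignore-scripts=true? Later lines override earlier ones.
function npmrcIgnoresScripts(text) {
  let ignores = false;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    const key = line.slice(0, eq).trim();
    const val = line.slice(eq + 1).trim();
    if (key === 'ignore-scripts') ignores = val === 'true';
  }
  return ignores;
}

// Constructed inputs. "d3.js" follows the pattern from the thread: a name
// that shadows a real package plus a hook that runs on install. The
// native-bindings package is legitimate but also runs code on install.
const WELL_KNOWN = ['d3', 'lodash', 'express'];
const SAMPLE_MANIFESTS = [
  { name: 'd3', version: '5.5.0' },
  { name: 'd3.js', version: '0.0.1', scripts: { postinstall: 'node setup.js' } },
  { name: 'native-bindings-example', version: '1.2.0', scripts: { install: 'node-gyp rebuild' } },
  { name: 'lodash', version: '4.17.10' },
];
const NPMRC_DEFAULT = '# constructed .npmrc: npm default, lifecycle scripts run\nregistry=https://registry.npmjs.org/\n';
const NPMRC_HARDENED = NPMRC_DEFAULT + 'ignore-scripts=true\n';

for (const finding of auditManifests(SAMPLE_MANIFESTS, WELL_KNOWN)) {
  console.log(JSON.stringify(finding));
}
console.log('default .npmrc ignores scripts:', npmrcIgnoresScripts(NPMRC_DEFAULT));
console.log('hardened .npmrc ignores scripts:', npmrcIgnoresScripts(NPMRC_HARDENED));
```

Run with `node`; the audit reports `d3.js` (look-alike of `d3`, plus a postinstall hook) and the native-bindings package (hook only), while `d3` and `lodash` produce no finding. The `.npmrc` check shows the weak default next to the hardened setting: with `ignore-scripts=true` (or `npm install --ignore-scripts`) a look-alike package still gets installed, but it does not get to run code, or read the environment, at install time.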

Page Last Updated or Reviewed: August 17, 2018