Vulnerability Disclosure

How should a research proceed when a vulnerability is found?

If the engagement is private: deliver to the contracting entity.

• May negotiate the public release of the information…

What about other cases?

None

The researcher doesn’t notify the vendor about the vulnerability.

• Doesn’t care.

• Uses it as part of an arsenal or trades the information.

Leads to 0-day vulnerabilities.

• Vulnerability is not known to the public and there is no direct remediation.

• Some other third parties may also know about the vulnerability and exploit it.

If the impact is high, it creates major disruption when publicly known.

• Remember: Systems take at least one month to be patched.

CVE-2017-0144 - EternalBlue

Coordinated

1. The researcher informs the vendor about vulnerability and impact.

Usually through the form of a report with an estimation of impact and/or demonstration.

1. The vendor implements and distributes a correction.

But not always!

1. Vulnerability is mostly fixed in supported systems.

CVE-2020-15802 – Sep 9 2020

Researcher:

“We discovered the vulnerability in March 2020 and responsibly disclosed our findings along with suggested countermeasures to the Bluetooth SIG in May 2020. We kept our findings private and the Bluetooth SIG publicly disclosed them, without informing us, on the 10th of September of 2020. Our work is assigned CVE-2020-15802.”

Bluetooth SIG:

At the time of writing, there are no deployed patches to address the BLUR attacks on actual devices. The Bluetooth SIG suggested that version 5.1 of the standard will contain guidelines to mitigate the BLUR attacks (e.g., disable key overwrites in certain circumstances as proposed in our countermeasures), but such guidelines are not (yet) public and we cannot comment on them. The Bluetooth SIG provides a public statement about BLURtooth and the BLUR attacks.

Full

The researcher discloses the vulnerability without warning.

• As a CVE.

• In a public mailing list.

• As a blog entry, webpage, or news item.

• As an exploit.

The vendor is pressured to issue a fix as soon as possible.

• But not always.

  • It doesn’t!

  • It considers the product not supported.

  • It underreports the issue.

Some mayhem may occur until a fix is applied.

• Remember all those phones/TVs/etc… without frequent updates.