oss-sec mailing list archives
Re: Thoughts on a vuln/CVE?
From: Dave Walker <davewalker () ubuntu com>
Date: Tue, 18 Jun 2013 11:16:34 +0100
On 18 June 2013 07:44, Kurt Seifried <kseifried () redhat com> wrote:
> On 06/18/2013 12:24 AM, Moritz Muehlenhoff wrote:
>> On Tue, Jun 18, 2013 at 12:04:30AM -0600, Kurt Seifried wrote:
>>> http://bits.debian.org/2013/06/remove-debian-multimedia.html
>>> [..]
>>> We have software with a now insecure configuration as it points to a site that may or may not be under attacker control. It seems to me like this might be a candidate for a CVE. Thoughts and comments for and against are welcome (I'm on the fence myself).
>>
>> No way. This is not an insecure configuration: This was never a Debian service and people are free to put whatever they want in /etc/apt/sources.list. There are hundreds of external apt sources and every one of them could have their owner changed at some point.
>>
>> Also there's no security issue: If a domain is grabbed and someone configures an apt repository on the site, he/she would lack the repository key previously used to sign the repo.
>>
>> Cheers,
>> Moritz
>
> Ah thanks, I forgot about that (I don't use Debian that often). So with the signing key requirement in mind this is not a vuln. However my original question still stands, can/should we consider a common configuration of software that goes from being secure to insecure to be worthy of a CVE? A lot of things that used to be common practice (like shipping every service/server enabled, all accounts active, all access enabled, anonymous uploads allowed, etc.) are now seen as security vulnerabilities/exposures.
>
> As for the security of the repo key, proving that it is safe/not compromised would be hard, I'm guessing it wasn't held on an HSM, and was it securely destroyed, or?
>
> Also part of my thought process is that (for example) this would be a good configuration to check for and ensure is disabled, something for SCAP for example or the Debian security guide (e.g. a generic "make sure all enabled repos are actually working as expected").
Hey,

If a weakness in Debian's package management system signature verification was identified recently, then this specific issue of debian-multimedia deserves dedicated attention as it would be a useful contributing vector; but until then - this isn't a documentable exposure risk IMO.

Comparing to the definition we use for 'Exposure', a "system configuration issue" certainly fits the grounds to be assigned a CVE identifier, but arbitrary package archives which are signed are not tied to a specific host (re-mirroring is often encouraged), as the assurance is provided by the signature - not by any means of transport.

I think the direction Kurt is moving towards is making sure every distro is thinking what would happen if a popular update domain changes ownership, is this case considered? If a CVE identifier helps make this co-ordinated, then - well, there have been worse uses for identifiers. :).

--
Kind Regards,
Dave Walker
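The thread's conclusion rests on two things: the assurance comes from the Release signature, not from the host, and an entry pointing at a retired repository is worth flagging even so ("make sure all enabled repos are actually working as expected"). The following is an added example, not code from the thread, from Debian or from apt, of what such an audit looks like. It parses one-line-style sources.list entries, flags any whose host is on an operator-maintained list of retired repositories, and flags entries that carry the real apt option `trusted=yes`, which tells apt to skip signature verification for that source and so removes exactly the assurance Moritz and Dave rely on. The retired-host set (`RETIRED_HOSTS`) and the sample sources.list text (`SAMPLE_SOURCES`) are constructed for illustration.

```python
"""Audit apt sources for retired repositories and for options that weaken
signature checking.

Added example; not from the oss-security thread or from apt itself.
RETIRED_HOSTS and SAMPLE_SOURCES are constructed inputs for illustration.
"""
import re
from dataclasses import dataclass, field

# Operator-maintained list of repository hosts known to be retired.
# debian-multimedia.org is the case discussed in the thread (see the
# bits.debian.org post); treat this set as input, not as a built-in list.
RETIRED_HOSTS = {"debian-multimedia.org", "www.debian-multimedia.org"}

# One-line sources.list syntax: "deb [opt=val ...] URI suite component..."
DEB_LINE = re.compile(
    r"^(?P<type>deb|deb-src)\s+"
    r"(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)(?P<comps>(?:\s+\S+)*)$"
)

# Constructed sources.list fragment: three Debian entries, the retired
# third-party repository, and an internal mirror with signature checks off.
SAMPLE_SOURCES = """\
deb http://ftp.debian.org/debian wheezy main contrib non-free
deb-src http://ftp.debian.org/debian wheezy main
deb http://security.debian.org/ wheezy/updates main
# third-party repository retired in 2013
deb http://www.debian-multimedia.org wheezy main non-free
deb [trusted=yes] http://mirror.example.org/debian wheezy main
"""


@dataclass
class Source:
    type: str
    uri: str
    suite: str
    options: dict = field(default_factory=dict)


def parse_sources(text):
    """Parse sources.list text into Source records.

    Comment and blank lines are skipped; a line that is neither a comment
    nor a valid entry raises ValueError rather than being silently ignored,
    since an unparsable audit input should fail loudly."""
    sources = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = DEB_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unparsable entry: {raw!r}")
        options = {}
        for item in (m.group("opts") or "").split():
            key, _, value = item.partition("=")
            options[key] = value
        sources.append(Source(m.group("type"), m.group("uri"),
                              m.group("suite"), options))
    return sources


def host_of(uri):
    """Return the lower-cased host of a URI-style source, or None for
    schemes without a network host (e.g. cdrom: or file: entries)."""
    m = re.match(r"^[a-z+]+://([^/]+)", uri)
    if m is None:
        return None
    return m.group(1).lower().rsplit(":", 1)[0] if ":" in m.group(1) else m.group(1).lower()


def audit(sources, retired_hosts=RETIRED_HOSTS):
    """Return a list of (Source, reason) findings."""
    findings = []
    for s in sources:
        host = host_of(s.uri)
        if host in retired_hosts:
            findings.append((s, "points at a retired repository host"))
        if s.options.get("trusted") == "yes":
            findings.append((s, "trusted=yes disables Release signature verification"))
    return findings


if __name__ == "__main__":
    for src, reason in audit(parse_sources(SAMPLE_SOURCES)):
        print(f"{src.type} {src.uri} {src.suite}: {reason}")
```

Run against the sample input it reports the debian-multimedia entry and the `trusted=yes` mirror and stays silent on the Debian entries. A host being on the retired list is an operational finding (updates from it will fail or be rejected), while `trusted=yes`, like running apt-get with `--allow-unauthenticated`, is the one case where a re-registered domain really would become an attack vector, because apt would then install whatever the new owner serves without needing the old signing key.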