From d76e29c0fafdc807ed5014f196f8509b6d50685d Mon Sep 17 00:00:00 2001 From: Timothy Legge Date: Thu, 10 Oct 2024 18:19:35 -0300 Subject: [PATCH 1/2] Add a guide for creating CVE entries --- README.md | 1 + docs/cve-creation-guide.md | 189 +++++++++++++++++++++++++++++++++++++ 2 files changed, 190 insertions(+) create mode 100644 docs/cve-creation-guide.md diff --git a/README.md b/README.md index 2f4dedb..3c3e777 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,7 @@ If you care and would like to make a contribution or join, you are welcome to do * [Pre-Release Disclosure Agreement](docs/pre-release-disclosure.md) * [Group charter](docs/charter.md) ⚠️ DRAFT * Standards and regulations [reading list](docs/readinglist.md) ⚠️ DRAFT + * [CVE Creation Guide](docs/cve-creation-guide.md) * [Projects](https://github.com/orgs/CPAN-Security/projects) overview on Github * [Meetings](meetings/) information and minutes * [Presentations](presentations/) about us and our work diff --git a/docs/cve-creation-guide.md b/docs/cve-creation-guide.md new file mode 100644 index 0000000..2070a32 --- /dev/null +++ b/docs/cve-creation-guide.md @@ -0,0 +1,189 @@ +# CVE Creation Guide +This is a guide to creating a CVE request via Mitre. +It may be of some use to explain what the CVE fields are looking for with some hints and examples. + +# Creating a CVE Request + +This is an example of how to create a CVE with an older vulnerability from Mojolicious that did not have one previously assigned. + + * CPANSA-Mojolicious-2018-01 + Mojo::UserAgent::CookieJar leaks old cookies because of the missing host_only flag on empty domain. + + Affected range: <7.66 + + CVEs: + + References: + https://github.com/mojolicious/mojo/pull/1192 + https://github.com/mojolicious/mojo/issues/1185 + https://github.com/mojolicious/mojo/commit/c16a56a9d6575ddc53d15e76d58f0ebcb0eeb149 + +## Research the CVE database to ensure it has not been logged previously + +Ensuring that the issue has not been previously logged is very important. +Duplicate entries will merely serve to confuse the issue and polute the CVE database. + +1. Access [Mitre.org CVE Search](https://cve.mitre.org/cve/search_cve_list.html) +1. Search for various keywords including but not limited to the distribution or module name and any applicable words. +Review the results +1. If the CVE appears to be the correct one it would likely be best to submit an issue containing the CVE number and link to the CVE database to [https://github.com/briandfoy/cpan-security-advisory/issues](https://github.com/briandfoy/cpan-security-advisory/issues) + +## Access Mitre CVE Form + +1. Access [Mitre CVE Form](https://cveform.mitre.org/) +1. Select a request type: **_Report Vulnerability/Request CVE ID_** +1. Enter your e-mail address: **_cpan-security@perl.org_** +1. Enter a PGP Key (to encrypt): **_Leave blank as the email address is a mailing list_** +1. Number of vulnerabilities reported or IDs requested (1-10): **_1_** + +### Vulnerability Type +This field may take some research/discussion with the CPAN module maintainer. +In the case of CPANSA-Mojolicious-2018-01 it mentions *leaks old cookies* so it is fairly obvious that it is _Information Disclosure_ however that is not on the list. +Options here that look like potentials are: + +1. Insecure Permissions +1. Incorrect Access Control +1. Other or Unknown + +According to the [Pull Request](https://github.com/mojolicious/mojo/pull/1192): + +_Mojolicious does not set the cookie domain if it is unset, but instead stores an additional origin parameter to store the original request-host. +RFC 6265 also requires that cookies without a valid domain set are assigned the domain of their request-host_ + +Based on the lack of a **domain** attribute I would tend to specify **_Insecure Permissions_** + +**_Insecure Permission_** is defined as _"The software, upon installation, sets incorrect permissions for an object that exposes it to an unintended actor."_ + +In this case the lack of the **domain** attribute exposes the old cookies to the server. + +This is a judgement call so either of the other choices might be okay. + +1. Vulnerability type: **_Insecure Permissions_** + + +### Vendor of the product(s) + +Here you should specify the maintainer of the module. +Although you may be requesting CVE IDs for older vulnerabilities you can specify the current maintainer as it does not seem to propogate o the CVE database. + +1. Vendor of the product(s): **_SRI on CPAN_** + +### Product + +For some CPAN modules this is fairly simple. +For others you may need to do some additional research. +For _CPANSA-Mojolicious-2018-01_ CPAN::Audit lists the vulnerability as **Mojolicious** in the identifier but the description correctly identifies **_Mojo::UserAgent::CookieJar_**. +Reviewing [Commit ID](https://github.com/mojolicious/mojo/commit/c16a56a9d6575ddc53d15e76d58f0ebcb0eeb149) specified by CPAN::Audit verifies that the **_Mojo::UserAgent::CookieJar_** is the affected component. + +1. Product: **_Mojo::UserAgent::CookieJar_** + +### Version + +CPAN::Audit specifies that the _Affected range_ is <7.66. +Again reviewing the [Commit](https://github.com/mojolicious/mojo/commit/c16a56a9d6575ddc53d15e76d58f0ebcb0eeb149) shows that it is tagged in 7.66 and reviewing the [Release for 7.66](https://metacpan.org/release/SRI/Mojolicious-7.66) from metacpan validates this. + +1. Version: **_before 7.66_** + +### Has vendor confirmed or acknowledged the vulnerability? + +Some vulnerabilities are the subject of dispute but most of the older vulnerabilities that may be logged are likely acknowledged. + +Please review the available information to make an accurate determination of the vendor/maintainer acknowledgement. + +For _CPANSA-Mojolicious-2018-01_ the [Pull request](https://github.com/mojolicious/mojo/pull/1192) indicates that **SRI** (kraih) states that the module is leaking cookies. +Further, the actual fix in the [Commit](https://github.com/mojolicious/mojo/commit/c16a56a9d6575ddc53d15e76d58f0ebcb0eeb149) acknowledges the security issue. + +1. Has vendor confirmed or acknowledged the vulnerability?: **_Yes_** + +### Attack type + +Similar to the vulnerability type above this may take some intuition and research. +In the case of _CPANSA-Mojolicious-2018-01_ the issue is related to old cookies being inproperly sent to the server. +This would likely be Remote as defined by: + +_The vulnerability can be exploited through a network. +The attacker may be either on the adjacent or remote network._ + +1. Attack type: **_Remote_** + +### Impact + +Again this may take some intuituion and research but in this case is fairly obvious: + +1. Impact: **_Information Disclosure_** + +### Affected component(s) + +This section looks for details on what exactly caused the issue. +In the case of older issues that have been fixed it is can be fairly easy to extract the affected filenames and other relevant information. +For _CPANSA-Mojolicious-2018-01_ + +1. lib/Mojo/Cookie/Response.pm +1. lib/Mojo/UserAgent/CookieJar.pm + +The field requires comma separated values: + +1. Affected component(s): **_lib/Mojo/Cookie/Response.pm, lib/Mojo/UserAgent/CookieJar.pm_** + +### Attack vector(s) + +The attack vector can be difficult to determine or articulate consisely. +For _CPANSA-Mojolicious-2018-01_ it is somewhat unclear whether the cookie for site A is leaked to Site B or simply that old cookies are sent to the web server to which you are connecting. + +However, it would seem that connecting to a web server may send old cookie data to that server. + +1. Attack vector(s): **_Connecting to a web server using a vulnerable version submits information (cookies) that should not have been submitted_** + +### Suggested description of the vulnerability for use in the CVE + +If you are using CPAN::Audit as the source information you can likely use the information listed there. +It may also be a good idea to reference the Issue or Pull Request if either of them provide additional relevant information. + + +1. Suggested description of the vulnerability for use in the CVE: + + Consider that this should be useful as an email subject, and searchable. + The following example roughly matches the de-factor standard formatting for Perl module vulnerabilities. + + **_Mojolicious before 7.66 for Perl has Cross Domain Cookie Leakage in Mojo::UserAgent::CookieJar_** + + - "Mojolicious" is the name of the package and should be first in the description + - "before 7.66" implies that it has been fixed in later versions + - "for Perl" identifies this as a perl package, allowing discoverability + - "Cross Domain Cookie Leakage" is a short description of the vulnerability + - "Mojo::UserAgent::CookieJar" is the vulnerable component/function inside the package (optional) + + +### Discoverer(s)/Credits + +On occasion, the discoverer and or credit may be disputed. +It is likely good practice to error on the side of caution and report the facts with references. +Sometimes a maintainer will specifically credit a reporter or discoverer but mentioning the issue as logged by ... might be best. +In the case of _CPANSA-Mojolicious-2018-01_ the issue listed in https://github.com/mojolicious/mojo/issues/1185 was logged by @expbbc. + +Interestingly @expbbc did not mention security in the initial issue. +They did however mention that it might be considered a security issue in the [Pull Request](https://github.com/mojolicious/mojo/pull/1192) + +1. Discoverer(s)/Credits: **_Paul Robins (@expbbc)_** + +### Reference(s) + +If you are using CPAN::Audit as the source information it provides reference URLs that can be used here. + +1. Reference(s): + + **_https://github.com/mojolicious/mojo/pull/1192_** + **_https://github.com/mojolicious/mojo/issues/1185_** + **_https://github.com/mojolicious/mojo/commit/c16a56a9d6575ddc53d15e76d58f0ebcb0eeb149_** + +### Additional information + +You can provide additional information that you may have if it is relevant. + +Some possible additional information: +1. If the vulnerability is embargoed (not publicly acknowledged or under a non disclosure of some sort) mention it here +1. Potentially reference the year it was discovered if not mentioned elsewhere + +In this example one could mention the year + +1. Additional information: **_This vulnerability was reported and patched in 2018_** From 8d991386568fe41e48bd9f17772f2928d2786e11 Mon Sep 17 00:00:00 2001 From: Timothy Legge Date: Thu, 10 Oct 2024 21:34:38 -0300 Subject: [PATCH 2/2] docs/cve-creation-guide.md --- docs/cve-creation-guide.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/cve-creation-guide.md b/docs/cve-creation-guide.md index 2070a32..ebc5db1 100644 --- a/docs/cve-creation-guide.md +++ b/docs/cve-creation-guide.md @@ -32,7 +32,7 @@ Review the results 1. Access [Mitre CVE Form](https://cveform.mitre.org/) 1. Select a request type: **_Report Vulnerability/Request CVE ID_** -1. Enter your e-mail address: **_cpan-security@perl.org_** +1. Enter your e-mail address: **_module.owner@cpan.org (or other email address)_** 1. Enter a PGP Key (to encrypt): **_Leave blank as the email address is a mailing list_** 1. Number of vulnerabilities reported or IDs requested (1-10): **_1_** @@ -138,7 +138,7 @@ However, it would seem that connecting to a web server may send old cookie data If you are using CPAN::Audit as the source information you can likely use the information listed there. It may also be a good idea to reference the Issue or Pull Request if either of them provide additional relevant information. - +This can also include any public URL that helps to document the vulnerability. 1. Suggested description of the vulnerability for use in the CVE: @@ -169,6 +169,8 @@ They did however mention that it might be considered a security issue in the [Pu ### Reference(s) If you are using CPAN::Audit as the source information it provides reference URLs that can be used here. +It may also be a good idea to reference the Issue or Pull Request if either of them provide additional relevant information. +This can also include any public URL that helps to document the vulnerability. 1. Reference(s): @@ -181,7 +183,8 @@ If you are using CPAN::Audit as the source information it provides reference URL You can provide additional information that you may have if it is relevant. Some possible additional information: -1. If the vulnerability is embargoed (not publicly acknowledged or under a non disclosure of some sort) mention it here +1. If the vulnerability is embargoed (not publicly acknowledged or under a non disclosure of some sort) mention that it has not been publicly disclosed and do not link to any embargoed information. +1. If the vulnerability has been discussed in public it should be noted (and referenced). 1. Potentially reference the year it was discovered if not mentioned elsewhere In this example one could mention the year