Slashdot Mirror

← Back to Stories (view on slashdot.org)

Rethinking Security Advisory Severities

Posted by Soulskill on from the mauve-alert!-mauve-alert! dept.

An anonymous reader writes: The recent OpenSSL vulnerability got the internet all hyped up for a security issue that, in the end, turned out to have a very limited impact. This is good news of course, we don't need another Heartbleed. But it raises the question: should security advisories be more clear on the impact and possible ramifications of such a vulnerability, to avoid unnecessary panic? Developer Mattias Geniar says, "The Heartbleed vulnerability got the same severity as the one from last night. Heartbleed was a disaster, CVE-2015-1793 will probably go by unnoticed. ... Why? Because CVE-2015-1793, no matter how dangerous it was in theory, concerned code that only a very small portion of the OpenSSL users were using. But pretty much every major technology site jumped on the OpenSSL advisory. ... The OpenSSL team is in a particularly tricky situation, though. On the one hand, their advisories are meant to warn people without giving away the real vulnerability. It's a warning sign, so everyone can keep resources at hand for quick patching, should it be needed. At the same time, they need to warn their users of the actual severity.

30 comments

  1. Trauma by Anonymous Coward · · Score: 1

    I don't disagree but I think the Heartbleed bug caused a lot of trauma so now people jump whenever there is a vulnerability in OpenSSL,,

  2. How can they know? by Anonymous Coward · · Score: 0

    Especially when you're talking about FOSS, nobody really knows who's running what code out there.

  3. Seems like they did the right thing by Dutch+Gun · · Score: 1

    It's going to be difficult for a library developer to know precisely how many people are using a particular feature, even if they have a general sense of feature or version popularity. Moreover, to the relatively few people affected by this, this absolutely WAS a critical bug. Unless you are clear and candid about the seriousness of the bug, those people that need to patch may not hear about it. It's probably best for them not to make wild guesses about who they think are affected. Stick to the facts, and let others determine the ramifications.

    I don't really care about "unnecessary panic". Better more awareness of issues than less. The real danger, of course, is that if you overblow the *practical* danger, then people may stop paying attention. It's likely the media jumped on this only because of the recent memory of Heartbleed. Once that gets old, they'll stop with the insta-panic over each new security issue, and we'll be back to normal (which is probably *not enough* panic over serious issues).

    --
    Irony: Agile development has too much intertia to be abandoned now.
    1. Re:Seems like they did the right thing by bondsbw · · Score: 3, Insightful

      But isn't the point to try to match the level of panic with the level of practical danger?

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
    2. Re:Seems like they did the right thing by Dutch+Gun · · Score: 1

      Ideally, yes, but... do they actually know the level of practical danger? That depends on knowing how many organizations are using a specific version of the library, or a feature within the library. I think they probably have a vague idea about these things, but I'm not sure it's a good idea to be trying to scale the level of urgency based on their own interpretation of what may be very incomplete data.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    3. Re:Seems like they did the right thing by Anonymous Coward · · Score: 0

      What I don't get is why they didn't mention the affected versions in the announcement.

      If the bug only affects a few versions, if switching versions prevents the bug what is there to gain by keeping that a secret? People would have seen they are unaffected or could have downgraded in their own time without the bug being public yet. Did they fear revealing the versions would get hackers to look at every commit in those versions and figuring out the bug and a workable exploit?

  4. avoid OpenSSL by Kishin · · Score: 0

    The sheer number of screwups and bad code in that library means the real advisory should be Avoid OpenSSL. Use LibreSSL instead. Its team knows how to write robust code and stripped out much of the worst stuff.

  5. That is the problem. by jd · · Score: 1

    By trying to not say too much, the advisories are inherently vague and therefore can be interpreted as insignificant or a dire emergency depending on the day.

    That's not useful to anyone.

    Because the NSA and GCHQ have effectively eliminated all network security, thanks to their backdoors in things like Cisco devices, it should be automatically assumed that all the bad guys capable of exploiting the issue already have all the information they need and the bad guys not capable of exploiting the issue aren't an issue whether informed or not.

    Advisories should therefore declare everything. Absolutely everything. And it should be made clear in those advisories that this is being done because the risks created by the backdoors exceed the risks created by the additional information.

    The added information will aid in debugging, clearing up the issue faster and validating that no regressions have taken place.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:That is the problem. by denbesten · · Score: 1

      The advance notification was extremely useful to me. It allowed us to catalog our use of OpenSSL and to start planning our maintenance. This significantly improved our responsiveness on the 9th.

      There needs to be (and is) a disctinction between advance notification and full disclosure. The advisory of July 6th was advance notification. The June 9th advisory has the details you desire. It came out at the same time as the fix.

    2. Re:That is the problem. by rich_salz · · Score: 1

      This is wrong. We're not trying to protect against National-Scale Adversaries, who probably have all the traffic the want, anyway. immediate full disclosure means that any script kiddie or criminal gets access immediately. That would be bad.

    3. Re:That is the problem. by Anonymous Coward · · Score: 0

      National-Scale Adversaries

      and

      criminal

      You seem to be making an unjust dstinction.... I thought we'd seen enough proof that NSAs were engaging in criminal behaviour.

    4. Re:That is the problem. by laffer1 · · Score: 1

      That's not true. Script kiddies have to wait for someone to write a tool for them to use to actually exploit it. It takes a few days for these things to get out there in mass.

      When an upstream has a security advisory, I have to run around in circles to get the patch out to my users and then they have to run around patching everything. That's just how it works. When you don't get enough information to make a decision, it makes it hard to know if you should risk patching. For some folks, they're in system freeze for a busy time of year or have a lot of other risks by patching something. You really need as much info as possible to make this decision sometimes.

      For example, at work we have a vendor who recently told us they had a huge security issue. Anyone on the internet can change a setting and that in turn can change a link to an admin area of our product. The catch is that we never use the admin link it changes. They threatened to drop support of their product for us if we didn't patch immediately. However, we don't use that admin link. Further, the number of users in our org that uses it are on one team of 10 people. A huge risk in general does not mean a huge risk for one org.

      The OpenSSL team did the right thing on their end, but there are two dimensions to vulnerabilities, the severity in terms of the software and the number of users impacted. The latter in this case, was small.

      --
      MidnightBSD: The BSD for Everyone
  6. "...warn people without giving away...." by turkeydance · · Score: 1

    watch out. something could happen. any day now.

    1. Re: "...warn people without giving away...." by Anonymous Coward · · Score: 0

      This is the essence of most of the security industry. As such, it's "best current standard industry practice"... and it's crap.

  7. If only there was a rating system for this... by hilather · · Score: 1

    Oh wait. It's called the CVSS. Only your system admins and security folks will know how vulnerabilities apply to your organization. Temporal and environmental factors and only be assessed by people in the know. Windows shops obviously don't care about Linux vulnerabilities and vice versa. The base ratings are strictly focused on the vulnerability. Other factors you need to determine yourself... And there's already a system for that.

    1. Re:If only there was a rating system for this... by mx+b · · Score: 1

      Temporal and environmental factors and only be assessed by people in the know. Windows shops obviously don't care about Linux vulnerabilities and vice versa.The base ratings are strictly focused on the vulnerability. Other factors you need to determine yourself... And there's already a system for that.

      Yeah that's kind of the problem, most companies don't use temporal or especially environmental factors. If you base everything on the base score only, you're not getting a really accurate feeling for the severity of the vulnerability.

      The other problem is that CVEs tend to be treated in the researcher community as gold. You list CVEs on your resume, for example. CVEs are not meant to indicate severe vulnerabilities, or even all types of vulnerabilities -- many things that are important don't get CVEs, while many lame vulnerabilities do have a CVE. These systems need rethinking in general.

  8. Actual severity vs. number of users affected by Todd+Knarr · · Score: 1

    From what I read of the vulnerability, it was severe enough to merit the severity level given to it. If you were affected by it. That's the catch. This is the canonical "severe but unlikely" scenario, somewhat like one where cars are known to randomly explode killing everyone within a 10-mile radius but only the Ford Focus will do this and only if it's got the metallic purple paint job that was a custom order and there were only a couple dozen sold. You can't rate it low severity because losing that big a chunk of a major city is hardly "low severity", but you don't want to have everybody fretting about the safety of their cars when it's only a couple dozen people involved. There isn't a good way to describe this kind of scenario except by giving details, even if those details will let black-hats know which cars to steal to use as rolling bombs. And then there's the usefulness of the warning. IMO if the notification doesn't contain either instructions on how to mitigate the vulnerability or enough information that I can work out what the vulnerability is and how to mitigate against it, the notification's of absolutely no use to me. If you can't/won't give me enough information for me to protect my systems then I'd rather you didn't bother with a vulnerability notification, just fix the problem and flag the next release with "important security fix, details are in the changelog". But I'd prefer that you just provide the information.

    1. Re:Actual severity vs. number of users affected by rich_salz · · Score: 1

      "the notification is of no use to me." Then ignore/killfile the notifications. But many others see benefit from advance notice and starting to crank up their patch machinery. Even if they end up not patching, they seem to find it worthwhile as "disaster prep."

  9. minimized score by Anonymous Coward · · Score: 0

    Half the problem is inconsistent use of the scoring system. OpenSSL uses CVSS to measure the impact to the SSL channel that is compromised with no attention to the additional damage it directly enables. Some other vendors follow this approach. Others (like myself) include everything you can now access through exploiting the measured vuln as part of the impact of the vuln.

    This means that (a) different places use the same scores to mean different things and (b) it is possible to minimize the score while not demonstrating the true impact.

  10. CVSSv2 by radicimo · · Score: 1

    CVSSv2 is a perfectly usable metric by which to classify risk of security incidents.

    From what I have seen, Mitre and NIST often show inaccurate CVSS scores on the CVE pages. In order for the metric to be truly useful, every organization has to localize measurement to their environment and each vendor needs to measure impact against their use or non-use of the underlying code. At the end of the day, it's all about risk measurement, but with those steps you end up with a reasonably accurate assessment.

    I speak as someone who monitors RSS feeds of CVEs and deals with both responses to and creation of CVE statements. There is nothing wrong with the current system that wider spread adoption and education cannot fix. Part of the problem is the media hype surrounding the bugs. If every little issue wouldn't get a cute name -- Shellshock, Logjam, POODLE -- the reactions might be a little less kneejerk.

    --
    100 REM PISS OFF CODE FASCISTS 200 GOTO 100
    1. Re: CVSSv2 by mx+b · · Score: 1

      From what I have seen, Mitre and NIST often show inaccurate CVSS scores on the CVE pages.

      Have to stop you there, sorry for perhaps being a bit pedantic, but the NIST score is more or less the "official" score of a vulnerability, given how closely they work with organizations like MITRE. The CVSS scoring rules have some nuance to them, and in some scenarios the official rules on scoring a vector is not what you'd expect. NIST tries to follow the official scoring rules as strictly as possible. You may not agree with the rules (and many people don't, I'm not trying to knock you), but technically their scores are the most accurate.

      CVSS recently released v3.0 scoring in order to try to address some criticisms in scoring. It did this by upgrading its base vector to be a bit more easily comprehensible by adding obvious metrics like "user interaction required", which was previously embedded in "access complexity" in v2. I think in general I like the concepts and it makes it easier for the most part, but time will tell if the general public agrees. The sticking point I think is the idea of scope, which is not a bad idea in general, but the definition seems a little fuzzy to me. We may have only shifted where the nuance is, and so disagreement in scoring may continue into the future.

      In order for the metric to be truly useful, every organization has to localize measurement to their environment and each vendor needs to measure impact against their use or non-use of the underlying code. At the end of the day, it's all about risk measurement, but with those steps you end up with a reasonably accurate assessment.

      Exactly. CVSS allows for this by use of temporal and environmental scores, but unfortunately, most organizations don't use them. This means most people run around talking about the base score without a clear sense of how it applies to them. I've seen vulnerabilities with a base score of let's say 7.0 or so being knocked down to 1.5, after you factor in its temporal factors (such as a patch being available) and environmental factors (such as not very widely deployed). I wish more people would talk about the environmental factors. CERT is one of the few places that lists temporal and environmental metrics, though their database is not comprehensive.

      CVSSv3.0 is weakest in the fact that they essentially threw out the environmental metrics; yeah, its technically there, but its shadow of its former self -- it doesn't include important metrics like population anymore. I hope they will put that back in for CVSSv3.1, and encourage more widespread adoption.

      There is nothing wrong with the current system that wider spread adoption and education cannot fix. Part of the problem is the media hype surrounding the bugs. If every little issue wouldn't get a cute name -- Shellshock, Logjam, POODLE -- the reactions might be a little less kneejerk.

      I agree, but education can sometimes take a while and be harder than you think. There's momentum -- and money -- behind the current system. You get everyone wound up, and then offer to sell a widget that "protects against it". There's a lot of snake oil for sale in the industry right now, and so far, companies and governments are eating up. It will continue as long as money is being made. The bigger question is, how do you make it more profitable to tell the truth about threats?

      Organizations like CERT tend to straight talk it and provide honest feedback with their temporal and environmental scores, but they're not picked up in the media as much as these security start-ups that are out to cause a ruckuss and make money. The start-ups seem to me to be more marketing companies than security companies these days; they tend to overinflate the CVSS base score and talk it up by reaching out to media directly, when in reality, the base score itself may not be that high, nevermind that temporal and environmental factors might lower it more. Fear makes money right now.

    2. Re: CVSSv2 by radicimo · · Score: 1

      Fair enough on your pedantry, so what I should have said is perhaps "often enough". Case in point:

      https://web.nvd.nist.gov/view/...

      There is no logical reason that should be a 10, unless I am missing something. I presume that Hanno is the guy who found it ... "The bug does not crash less, it can only be made visible by running less with valgrind or compiling it with Address Sanitizer. The security impact is likely minor as it is only an invalid read access."

      https://blog.fuzzing-project.o...

      That was just the first and most graphic example that came to mind. Otherwise we largely agree, especially that fear makes money right now and for always. I don't have much of an opinion on CVSSv3, not having used it. v2 works well enough for my needs at present.

      --
      100 REM PISS OFF CODE FASCISTS 200 GOTO 100
  11. TLSv1 still in use by google amazon ebay paypal by Anonymous Coward · · Score: 0

    You can check by running sslscan.

    If this issue was really what they said it was, why are people still running it?

    The PCI folks said the end of June was the cutoff - but was it?

  12. New severity categories were announced by Anonymous Coward · · Score: 0

    Whatever
    Meh
    Bad
    Very Bad
    Very, Very Bad
    OMG!
    ZOMG!!
    OMFG!!!

    1. Re:New severity categories were announced by redwraith94 · · Score: 1

      Wasn't there a rainbow chart around here for that... I know I had the link somewhere. Oh! Here it is:

      https://www.google.com/search?...

      --
      I art more snarky, and terse than thou. I art Slashdot!
  13. It isn't possible by redwraith94 · · Score: 1

    You mean, can we somehow keep our users from needing to RTFM? There is an easy answer for stupidity, or laziness. You make bad decisions. The severity is the severity; it is up to the user to know if they are running the code or not. If they can't be bothered to know that, then they should not be in charge of security, since they'll be making shitty decisions anyway.

    I like Einstein's quote: Make everything as simple as possible, and no simpler. We miss that last part, usually.

    --
    I art more snarky, and terse than thou. I art Slashdot!
  14. Acheter Chaussures Nike Air Max Pas Cher by zhenjixian · · Score: 0

    then you can definitely realized it. Almost all famous celebrities are aiming to own and wear different Gucci accessories, clothing, perfume and cologne and other products. Gucci world offices and headquarters are in Florence, Paris, London, and New York. To date, the brand is very popular in fashion capitals of the world like New York, Paris, and London timberland Homme .Peter Rock generally writes on perfumes, beauty product, and beauty lotion etc. He has written many articles on beauty products. Peter Rock also writes this article. Visit the site; find out various remarkable Gucci perfume.Royalty Free Stock Photofrom © Dreamstime.com Gucci shoes are some of the most widely imitated shoes on the market. Before buying a pair of Gucci shoes online, make sure that you are not accidentally investing in a fake. Browse the guidelines below for tips on how to avoid a cheap imitation of the Gucci brand. What to look for on the inside of a genuine Gucci shoe: Each authentic Gucci shoe is given an eight digit serial number that is stamped on the shoe's leather lining. All serial numbers are exactly eight digits long, so count before you buy! This serial number should be discreet; it is usually placed on the inside of the shoe next to the shoe size. The "Gucci" brand should be stamped inside the shoe on the heel. Next to the brand name should be a stamp saying "Made in Italy". Both of these stamps should be easily visible.

  15. Yes, we need better classification by Jawnn · · Score: 1

    This latest episode was announced as if it had serious and broad impact. It did not, but that didn't help those of us who, on less than two days notice, moved things around to prepare for another round of mitigation of a "severe" security issue. Yes, we're all glad it's not as bad as it might have been, but the point is that somebody was aware of that when the announcements went out. They should have been more forthcoming.

  16. Facepalm by suso · · Score: 1

    The recent OpenSSL vulnerability got the internet all hyped up for a security issue that, in the end, turned out to have a very limited impact.

    Oh right, just like the hype around Y2K turned out to be nothing right? The point is that some big problems would have resulted if the problem hadn't been hyped and fixed beforehand or in the early hours of the problem being exposed. Whenever I hear someone say "That Y2K thing turned out to be nothing" I just shake my head. Why is this concept of prevention so hard for the general public to understand?

  17. Criticality is what you make of it. by 0x25 · · Score: 1

    I think the level of severity is something that should be determined by the individual or organization.

    Disclosing severity gives some idea of what we're up against. But the actual damage is dependent on environment.

    --
    =