Using Security Reports As A Weapon?!?!
Вставка
- Опубліковано 3 лип 2024
- Recorded live on twitch, GET IN
Article
www.bleepingcomputer.com/news...
By: Ax Sharma | x.com/Ax_Sharma
My Stream
/ theprimeagen
Best Way To Support Me
Become a backend engineer. Its my favorite site
boot.dev/?promo=PRIMEYT
This is also the best way to support me is to support yourself becoming a better backend engineer.
MY MAIN YT CHANNEL: Has well edited engineering videos
/ theprimeagen
Discord
/ discord
Have something for me to read or react to?: / theprimeagenreact
Kinesis Advantage 360: bit.ly/Prime-Kinesis
Get production ready SQLite with Turso: turso.tech/deeznuts - Наука та технологія
DHOD: Distributed Harrasment of Developer
CVEDoS
Parallelized Paralysis
That's the one. It's a nightmare. GREAT to see this going into the public eye
HOPE it goes into their information system, not just in the brain and out butt
@@goldnutter412 given who owns GH now and that being part of the problem...good luck
it was me, i downloaded "ip" 17 million times...
You should have at least gone for 42...
Every week
Taking one for the team
It was me barry
@@IceQub3you never know when an update drops, better download it every minute, just to be sure
It's not just a DHOS on the projects, it also erodes trust in the CVE system.
The LAST thing you want is developers seeing a CVE and thinking "this is probably nonsense again" and not treating it seriously. Ideally, devs see a CVE and think "oh shit, I need to fix that!"
Exactly. If someone is a developer and don't take CVEs seriously at first glance. They should reconsider their career choices. Cybersecurity should be treated with upmost diligence and attention where as the integrity of their supply chain or the supply chain that they are a part of relies on their input and mindfulness. Though that some may take advantage of someone's alertness and exploit it. But still. Anything can happen.
@@Man-xk9rz "If someone is a developer and don't take CVEs seriously at first glance. They should reconsider their career choices."
Currently, if things keep going like they do, this may stop being the case.
And in this case I hope somebody comes around and starts a (better managed) way of dealing with it as a replacement.
This also lends new perspective to the recent reporting that the NIST NVD program is working under a backlog of CVE reports.
Especially when a large number of the CVEs can’t be attacked.
I don't know why people can't trust some random person who is maintaining the project but blindly trust a random person creating CVEs.
They don't trust the person who created the CVE, they trust the gatekeeping process that is supposed to only let credible reports become CVEs.
And the person mantaining a project is working his ass hard and probably for free, the guy reporting a cve doesn't.
As a rule of thumb, if someone works his ass of for something, he probably is better then someone who doesn't work his ass of lol
It could also be a targeted attack, targeted harassment is what happened to xz utils. That time it worked and was ultimately used target sshd before it was discovered
there are bunch of lazy ass devs nowadays and the fact they immediately grab npm packages without reading internal code is nuts, tbf they didn't read the docs either 😂
69 million or no balls
I love the InfoSec community but some CVE issuers have dubious ethics where they artificially overstate the severity rating because it allows their disclosure to essentially be higher reach product marketing for their firm. I’ve worked at companies where they privately disclosed vulnerabilities as a shakedown tactic for their “consulting services” along with filing a CVE request that overstated the severity by 3-4 points to what we evaluated it to internally.
Honestly, this makes sense, given that there's a profit motive. Other part of me thinks its because most infosec people don't actually know their trade that well and how to legitimately exploit systems and mostly are "update nannies".
This is what happens when there's no effective regulatory body to ensure bad actors get punished for spreading misinformation. People will always find a way to corrupt a system based on goodwill so long as there is profit to be made.
@@NotAFanMan88 Most people in infosec don't even know basic computer programming.
The threshold for creating these CVEs is getting too low. *Any* bug could potentially, possibly, have some kind of security impact.
Doesn't mean everything has to end up in the CVE database.
And even worse CVE are so bad, it makes all big project which would need them, become CDA (ie they can administer their own CVE), so now CVE mean nothing.
So basically CVE is like the TSA at airport: it's there just to pretend it's doing something, while in reality the reason you are safe is that there is someone nobody knows doing the lord job
Destroying the signal to noise is a security issue.
This is because the industry has to "make work", similar to lawyers.
At work most "bug bounty reports" I see are "wEaK SeCUritY hEaDerS", "found" by a web scanner website. Oh and half of these HTTP security headers don't even make that much sense to use.
Actually the point of the CVE database is that every bug gets an ID.
I sometimes get annoyed by the cyber security community for things like this. There's a whole class of "security researchers" who basically just exist to point out bugs like, "if a cosmic ray comes down and changes the transistor state, this library displays inconsistent behavior..." And then, they ask for some sort of bounty. It almost seems like the CVE system is being shared between these people and people who understand that the impact of a vulnerability also relies on the actual feasibility of exploiting the vulnerability, as well as the risk displayed upon successful exploitation. It's a sort of scare tactic used because people see "vulnerability" and commonly lack the ability to differentiate a severe vulnerability from a theoretical, unexploitable one.
How to Jia Tan any npm package:
- find low maintenance, high downtown count npm package
- create fake security reports against it
- show up with PRs and/or money in maintainers DMs
- ????
- profit
Any time I see wide harassment of devs after a report or similar makes me think of Jia Tan and the xz-tools case
I am legitimately concerned about spurious CVE filings.
I am sick and tired of "independent security reasearchers" that send in irrelevant "security vulnerabilities" and pushing for rewards.
9.8 criticality would make you shit firework similar experience, duuh but I really think that some of these devs that do JS and review github code doesn't really think what such a small change can do if they file a fake CVE
btw, if you are using anything related to cryptography in node, there's a 90% chance you'll use code by this guy Fedor.
He is one the MOST prolific cryptography developers in the node ecosystem.
This is probably the LAST person you want to stop taking CVE's seriously :(
Wild thing is that a state actor will submit bogus vulnerability reports, but will keep real ones for their own use
10:00 - that’s not really a vulnerability. It’s the network owner’s job to make the private network unreachable, this is dumb. No route to host 404. Malicious CVE reports could be bad
You can't make your database server unreachable from your app server for obvious reasons. If your app server is making HTTP requests to arbitrary third parties upon a user's request, and an adversary can fool it to request e.g. your own elasticsearch because your IP parsing library says the private IP address is a public one, you do have a severe security issue.
@@benediktradtke6338if you have designed an app where the client can change the domain you use for your database server you are just a bad dev.
This is going to end up creating some kind of board that approves CVEs
Distributed Harrassment is a good description of this crap.
Allowing anyone on the Internet to be a CNA has been a debate for the linux kernel as well because they had an increase in the number of CVEs being created
CVE only when registed with your id. Also only possible with a working proof of concept in real software.
1:16 your project starts getting used by companies making millions off your software who never return any of it even when making demands for improvement.
Right? Like I've had issues with stuff before, you know what I do? Submit a PR with a fix so they don't have to do it.
I would expect 9.8 to automatically take over your PC if you run it and a hacker spends 10 seconds trying to break in, hacker optional.
I was today years old when I noticed Jackson is a play on words (JSON/Jason/Jackson). 🤯
It’s even better. It’s based on the concept Saxon which is a XML parser.
Bruh I was half asleep when i saw the title and read it as "Using security raptors as a weapon, " and thought someone managed to bring the dinosaurs back
Nature found a way?
Most businesses aren't using their raptors to the fullest possible extent. Its sad really.
I will point out one attack vector that this enables: Server Side Request Forgery (SSRF)
Imagine you have a web hook the user can put an address into. You have to prevent them from making requests to other private services in your infra. Generally this is done by resolving the dns and checking if it falls into dangerous ip spaces. I can imagine an attack were the hex ip address is could bypass this kind of check if they used this library.
Still not really a vuln on its own, mostly a “gadget” in an attack chain
Yeah this is the problem, it's not a vulnerability in and of itself, but it can enable a vulnerability (SSRF) if it is used in a specific way (only allow the request if the library thinks the address "isPublic").
It's as you say, it's more a gadget. I don't think these sorts of things should have CVEs assigned.
Also random question, are you the same Amy that does (did?) browser security research and featured in a LiveOverflow video?
@@xB-yg2iw any link in an attack chain deserves a CVE if you ask me. The severity could be lower, though, unless the attack vector it enables is extra dangerous
Issues I see with "open source" are quite a bit different. Developer #1 creates an LLM project, Developers #s 2-11 create forks that still depend upon Dev#1's project. After weeks, Dev#1's project encounters dependency hell. Developers 2-11 continue to charge money for their custom installers, even though all 11 repos have been broken for months.
Ideally Developers would assist the 1st project, at some point, rather than make it a dependency & let all the projects die with the first round up dependency updates for the 10 forks.
So we'll have 10+ forks that none of which can use due to the original project being (seemingly) abandoned or it may receive updates like once a year... & either way, the packages only typically work if a user happens to find the project the first week of its debut, and the odds diminish after this point of working for other users who found the project during week 2, 3, 4, etc.
It looks to me like the "Open Source" 'community' is destroying itself. & Content Creators cloning a repo to sell botched installs, is one of many contributing factors to this continuing problem.
Aitrepreneur for example, how many original repo said they were going to let them maintain their projects. But unless you buy aitrepreneur's 80$ 1 file simple installers, the projects seem entirely abandoned under the false pretense that aitrepreneur was making the software easier for users, when that's not true, nobody can use it unless they pay this guy who literally hijacks projects for his own benefit.
I don't mean to single out aitrepreneur, there are dozens of other scummy AI channels on UA-cam doing this too. However, without fail aitrepreneur will title his videos "free, local install, no gpu" etc, & all of which is clickbait to try and sell a installer for a repo HE KILLED.
People need to start calling these scammers out, or the problem isn't going to solve itself.
isnt this just javascript?
other than python i really cant think of 'dependency hell' type of situations, php ruby and other html generators are also simple to use especially with tools like rails and laravel around
What if there was a “reputation” system? It would be similar to how Waze evaluates traffic reports from users.
Let’s say that someone submits their first report. It’s not trusted as a report, but is open for a form of peer review. The more people that verify the report, the more it is trusted. The higher the credentials of the verifiers, the more it is trusted.
A reporter’s trust is based on how many of their reports get verified, and how many reports that they verify early on are verified. The earlier in the process someone verifies another’s report, the more credible they get.
Bonus cred if the owner of the project verifies that the bug / security flaw is real.
Security audits would check not only for reports, but would also give their trustworthiness. I’d bet there’d be enough data points for there to be statistics on “report cred vs report final validity”.
Distributed harassment was already a thing against any Rust OSS project that dared to use "unsafe"
1:40 As a tip for the ones who want to walk away, but also want to encourage people to not use it anymore.
When you push out your last version, also add something a long the lines of
for (let i = 0; i < 10; ++i) {
console.log("the package is end of life and not supported anymore
please stop relying on it");
}
at the beginning of all of your functions.
Especially the print debugger will QUICKLY want to move away from it.
This will work even better if the last version is a security fix (yep, bundle that together).
That way it still works and at the same time, people will want to not use it anymore.
Actually, this is reason why several open source projects getting their own CVE numbering authority status.
When you're validating webhooks, you want to be sure they aren't providing private ips since it could hit internal systems.
thanks for the sic info
3:50 basically a measurement of "active use" of a project / package, especially in CI, that's about it. Any claims other than that are a marketing meme. Like most node stuff, its probably 50 layers deep in some other library like React.
At least numeral systems are noted consistently in verilog, none of this 0 octal nonsense. Rare but important hardwarebro W.
to know that it's octal you need to know that it's a leeading zero and the next one isn't an x
CSV formatting enters the chat.
oh that's a " after the delimiter? Time to escape everything until the next ". Sync! You put two in a row! That " is escaped from the escape!! Keep going. But you know, these " are all optional, so it's okay to not have one at the start.
I just remembered that IPv6 does support IPv4 addresses through a specific prefix. I am very confident in this because I read it from a book just last week.
There was no mention of how the network-stack is expected to handle these. It might be that IPv4 stack would be used instead.
Parsing an IPv6 address does include parsing IPv4 addresses. And all the rules concerning special IPv4 ranges thus need to be considered. If the site is relying on spotting a private IPv4 address this does seemingly bypass it.
The only thing I can think for exploiting this is two servers in a subnet. Firewall secures the subnet from outside, and this node-module makes sure clients can’t access the other servers resources. For external resources the firewall is responsible for blocking any LAN->WAN connections that aren’t in an allow-list. So the server only is concerned about enforcing the access policy of LAN resources.
The first check is one of these function-calls. If the IP is private, resource access policy logic happens in the webservers stack. The other server does not do any, and hands out whatever the webserver asks.
More likely this would be used with some other exploit.
Things I thought before you said them:
- a public address identified as private is dangerous, a private address identified as public is not (unless you have assumed something really stupid in the program using this library).
- IPv6 doesn't have that problem since IP addresses are a) in hex anyway, and b) easily classifiable with a scope of host, link or world by the first 16 bits (or even less).
- the CVE system is broken, *anybody* can just request a CVE number for any software. There is no check if it even is a bug, much less if it is a security vulnerability.
- AI makes this worse. No, really.
- the security impact of software trying to protect you (npm audit) is often worse than the actual problem, breaking stuff all over the place.
And a few thoughts of myself:
- automation will make this scalable for the attacker, just like DDOS.
- you can basically thank Digital Equipment Corporation (DEC) for octal, if the PDP/11 (and other DECs) wasn't primarily programmed in octal we wouldn't have that problem. It came from PDP/11 assembly through C to javascript and just about any other programming language that is not COBOL. Oh, nevermind, COBOL as well. Sigh.
Just allow non-integer powers and then the 0 and 3 in the CVE are both powers of 2.
Two to the power of -infinity and log(3)/log(2), respectively, I believe.
StoneLabs being in the chat 🤣
5:54 - I kind of knew what it meant. I knew it marked a spelling or grammatical error that appeared in the source text. I thought it stood for "spelling in context". I had never actually looked it up, I just learned the meaning from where I always saw it used.
To think that JiaTan employers just stopped trying is beyond naive.
This actually could have been the reason why MS acquired github.
Im bumping peer deps that originally implemented that package to newer versions that dont use this library as I am watching this video. Wasnt aware of this controversy (just saw come vulns from dependabot and started working on it) until this popped up on YT 👍
27:17 Prime is accepting money and providing services to Sanctioned Counties confirmed???
The Internet - tis' a silly place.
And the Hex stuff in IP addresses is because it makes netmasking and resolution easier. If you look at subnet masks and think of them in binary (and how easily binary is translated to hexadecimal) you will see why it’s there. You can also use octal but that isn’t as clean since it’s 3bits to a character instead of 4.
14:52 I was just thinking of this yesterday.
Incorrectly deciding if an IP is public can be a security problem.
Scanario: your webpage fetches a profile picture provided via an URL by the user. This might be used as a trampoline into your internal systems that only allow connections from internal IPs, so you must filter it to disallow "fetching an image" from private IPs.
It's far from high severity tho, it can be part of an exploit chain but can't be used as-is, like the XZ one were.
17m? users who depend on the npm registry for their build machines and don't cache packages
Shouldn't there be some kind of penalty for frivolous cve's, I feel like manipulating that system could destroy someone's business etc.
This is some crazy shit ... great video.
With that CVE on IPv4 address check. Perhaps the real issue is actually with the lack of specificity in the original definition of IPv4 address space?
I always though sic in quoting was an acronym that stood for ‘spelling incorrect’
And I thought it was some latin acronym for "shortened for brevity"
7:47 - I had the exact same tought!
fs.unlink is a vulnerability. It could lead to data loss :O
Oh wait, you shouldn't let the user decide which file to delete on your server????
Have a good Fourth of July Primeagen and Flip🧨
Bro uses gimp
What a chad
That's why I love CVEs
I want to do this each time our infosec team tells me to use parameterized stored procedures in our webservice (we use a strongly-typed ORM). or when they tell me not to allow uploads cause someone could upload an executable script file and run it on our server. Our service is a .Net Restful API hidden behind an API gateway. If you upload a JSP, ASP, PHP, etc file to it (if you even could), our service would not even know what to do with it except give it right back to you as plaintext. That is, IF you could somehow figure out how to upload a file to a service that doesn't even listen for file uploads on any of its endpoints.
It's like they copy and paste a PHP best practices document and forward it to the .Net team just to look busy. The sheer number of times I've yelled at one of these guys to "PLEASE DEMONSTRATE THIS VULNERABILITY YOU'VE 'FOUND' IN OUR SERVICE".
As the metaphor goes, in most programming languages you can point your gun at your foot -- we call that a bug. An exploit is somebody able to make you point your gun at your foot. Saying "a gun can be dangerous" without an actual exploit in mind does not a CVE make.
Allegedly it can allow for an SSRF (server side request forgery) attack if linked.
The CI/CD pipeline should be proxy and caching project dependencies and only need to download a package if it changed.
This is INSANE!!!!
That was me, I left this running:
while true; do
npm install node-ip && npm remove node-ip
done
Never let people rate on scales, Google hasn't yet learned that the star-rating system doesn't work, even though it got removed from here
3 steps to attack OSS tool chains and gain entry to supply chains.
shoutout to all the state actors in chat
Cybersecurity is the HR of technology
Why would you need to parse an IP with a language used for DOM manipulation ?
Wait until The Hoffs comes in...
what happened to using Excalidraw? curious
its the biggest number they could find.
How was the xz exploit 7.8 severity... I commonly get 8s or 9s after not updating go packages for a while...
From what I read, it was extremely specific at the time. It had the hooks to exploit more setups but they didn't take those into account yet.
While I do agree there are a lot of bogus CVEs and 9.8 is way too critical, this /could/ be considered a security issue, if people rely on the IP package to check if an IP is private or not, in order to mitigate SSRF vulerabilities, I think?
Yeah you're exactly right. CVEs are so frustrating to work with because their severities are all over the place and there's so rarely enough information to easily understand if you are impacted. In this case though it really seems like a real issue that is high impact if you're using node-ip for SSRF protection.
Yep. This is one of well known tricks to bypass SSRF checks. So if a package was using this directly or indirectly solely to determine if the requested IP addr / resolved IP addr is private or public before allowing them to request the resource (take any x to y converters online that have a URL field to them as an example) could have drastic implications.
recently something similar was a 6K USD bounty in reddit bug bounty program.
Once you get a SSRF you're basically bypassing most WAF / Firewalls you have active so exploiting from there gets much easier.
Sure but the example shows a private IP getting mismatched as a public one.
I failed to see a situation where you want a public address to not have strictly less privileges/protections than a private one.
I might be wrong and there might be a way to have a public IP missmatched as private
But I'm guessing the IP check would be pattern matching to know private private IP (that hexadecimal don't match). I fail to see room for a mislabeling as private.
@@aredrih6723 Think of any case where you input a remote URI and the website fetches it for you - for example: uploading an image via a URL, checking if a website is down or not, or whatever, and disclosing the results to the user. You usually want to be able to access public addresses, but not local ones, as they might contain services which should be accessible only from the internal network (think other APIs, Redis database, etc). If you could access internal services you could possibly issue API requests, or exfiltrate data.
So if the server is willing to attempt to fetch any external resource based on user-request, it now is willing to attempt to fetch any resource in loopback or LAN network.
Still: there was no real life example, nor even a plausible usecase example. It definitely isn’t a 9.
make it a legal action you are liable for if your posting CVEs. if you can't take the risk of submitting then just raise a normal issue or speak to the community.
any situation where you raise cve without due diligence and evidence of risk then you can be legally charged with damages to brand and security of the project.
Setting a minimum threshold to be qualified to report and disqualifying bad reporters is the only solution I can think of.
gyre tan gyre tan gyre tan
Good luck CVEing my vlang projects. AI be like, what's a Vlang?
11:00
Two non powers of two. 1+1=2
Has a developer even gone F+*^ it and deleted their repo?
Who in the actual fuck writes an ipv4 in hex?!
Someone trying to exploit a bug in private IP blacklist
Qual a resolução da tela desse mano? 8k?
That Mastodon burn, bro. Also 69.
The only valid response to people complaining about vulnerabilities in your project is - "Fork and fix"
Or don't open source it. Open source is really starting to suck.
@@CommanderRiker0 I guess it really depends on the perspective. Like there is no obligations in open source. If you care about what people tell you or about you then yes, I guess it is better to not make your project open source. I don't. So for example for me there is no reason to not make it open source.
@@laljaka It has nothing to do with "what people tell me", what ever that means. Its about monetizing your work. The open source track is a flop in most cases without huge corporate sponsors which at that point you might as well be closed source.
@@CommanderRiker0 Open source was never about monetization. It's about doing public work for free :D
@@laljaka LOL, no its not. The most used projects are little more than corporate extensions for their benefit, aka redhat, etc
there is no chat displayed
yes they are spamming the cve system for personal gain.
Also we need to trivialize security research to the point that a 10 year old can do it.
1) why is IP parsing not a native function in JavaScript.
2) as a former open source maintainer. I tried handing a project off to anyone in the community that was interested in actually carrying the project forward. I no longer used it myself so had no cares about doing anything with it and actively tried pushing people to other projects. At one point I was blindly accepting pull requests then finally archived the project. It still gets thousands of weekly downloads.
everybody hates handling security vulnerabilities
Npm installs are most stupid metrics what happens is people setup builds and every time they release or run tests they hit npm ci which just spams npm libraries. Developers now don't write any logic even if it's 1 simple function they would rather pull in a library just for 1 line of code... I seen this with dates where instead of using built in function for transforming 1 date a library is pulled in
4:20 The popularity of random shit as a metric for how good it is has infected everything in the last few years. I went on a videogame messageboard for the first time in about a decade, and like half the posts aren't even talking about the games anymore they're just staring at line charts for how many people are downloading them on Steam.
My gut reaction is to blame tiktok and social media for making people obsessed with how many likes and views they get as a metric for how good they think the content is.
I knew.
So hypothetically speaking some absolute loser can take an LLM and condition it into BOMBARDING multiple projects with legit-looking CVE's of various types, and a group of such people would launch a full scaled attack against open source projects... I hope I am delusional
And about Chuck Norris bridge... I've been there and made out with a girl under that bridget :D
More than a state actor over signaling security vulnerabilities to burn out devs, it would make more sense to me if it was simply people trying to get a nice CVE discovery on their resume...
A bit like bogus open source contributions but on the security side
wtf people read articles, books, newspapers their whole lives and never bother to look up minor things up until their 40s
Hey maybe, just maybe, consider not using JS on the server...
If you think this is bad you should see what the Linux Kernel CNA is doing to make all Kernel CVEs worthless
This and the DEI attack being aimed at multiple projects, open source is in big trouble.
When a conservative says DEI they just mean the N word
@@thewhitefalcon8539 And what do I mean then as a Russian Soviet communist?
the fact that 17 million people downloaded an ip parsing package is disgusting to me. Like can't you write a regex to parse ips
The cve is an example of why you don't want everyone just writing their own regex, because most of them will get it wrong, and rather than having one thing to fix you now have 10000.
you don't get it
5:55 1
Or they could just drop the dependency. Harassing OSS developers is pure entitlement.
I wonder if we need a government department to help manage open source. Maybe we need state actors to fight state actors. If for nothing else, they could vet the people allowed to fole CVEs.
Cause government does everything so brilliantly😂
Fox guarding the henhouse
The llms need to just stop offering cve advice. This is one area of the industry where some gatekeeping may be reasonable
Is this why the NIST NVD project is working under a backlog? Lazy copy pasta BB bros?