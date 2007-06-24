Risky Biz News: The Linux CNA mess you didn't know about:
The Linux Kernel project was made an official CVE Numbering Authority (CNA) with exclusive rights to issue CVE identifiers for the Linux kernal in February this year.
While initially this looked like good news, almost three months later, this has turned into a complete and utter disaster.
Over the past months, the Linux Kernel team has issued thousands of CVE identifiers, with the vast majority being for trivial bug fixes and not just security flaws.
Just in May alone, the Linux team issued over 1,100 CVEs, according to Cisco's Jerry Gamblin—a number that easily beat out professional bug bounty programs/platforms run by the likes of Trend Micro ZDI, Wordfence, and Patchstack.
Ironically, this was a disaster waiting to happen, with the Linux Kernel team laying out some weird rules for issuing CVEs right after the moment it received its CNA status.
We say weird because they are quite unique among all CNAs. The Linux kernel team argues that because of the deep layer where the kernel runs, bugs are hard to understand, and there is always a possibility of them becoming a security issue later down the line. Direct quote below:
"Note, due to the layer at which the Linux kernel is in a system, almost any bug might be exploitable to compromise the security of the kernel, but the possibility of exploitation is often not evident when the bug is fixed. Because of this, the CVE assignment team is overly cautious and assign CVE numbers to any bugfix that they identify. This explains the seemingly large number of CVEs that are issued by the Linux kernel team."
[...] Instead, the Linux Kernel team appears to have adopted a simpler approach where it puts a CVE on everything and lets the software and infosec community at large confirm that an issue is an authentic security flaw. If it's not, it's on the security and vulnerability management firms to file CVE revocation requests with the precise Linux Kernel team that runs the affected component.
The new Linux CNA rules also prohibit the issuance of CVEs for bugs in EOL Linux kernels, which is also another weird take on security. Just because you don't maintain the code anymore, that doesn't mean attackers won't exploit it and that people wouldn't want to track it.
The Linux team will also refuse to assign CVEs until a patch has been deployed, meaning there will be no CVEs for zero-days or vulnerabilities that may require a longer reporting and patching timeline.
[...] And if this isn't bad enough, the Linux kernel team appears to be backfiling CVEs for fixes to last year's code, generating even more noise for people who use CVEs for legitimate purposes.
[...] Unfortunately, all of this CVE spam also could have not happened at a worse time. Just as the Linux Kernel team was getting its CNA status, NIST was slowing down its management of the NVD database—where all CVEs are compiled and enriched.
NIST cited a staff shortage and a sudden rise in the number of reported vulnerabilities—mainly from the IoT space. Having one of every fifth CVE being a Linux non-security bug isn't helping NIST at all right now.
(Score: 1) by Runaway1956 on Saturday June 08, @12:59PM
(Score: 2) by stormreaver on Saturday June 08, @01:04PM
This is the kind of crap that gets your commit rights revoked. While every bug has the potential to be a security issue, not every bug is a security issue. Don't file a CVE unless a real security issue can be identified. Otherwise, you're just as bad as Viagra spam.
(Score: 1) by pTamok on Saturday June 08, @01:06PM
In reverse order:
An EOL kernel is End-of-Life. It gets no further support. People running EOL kernels need to move to non-EOL kernels. Yes, it is hard, but supporting kernels indefinitely is even harder, especially with limited resources.
All bugs are potential security bugs. Greg Kroah-Hartman has made it quite clear. [soylentnews.org]
So, what can you do about it to protect yourself?
It's a message people don't want to hear. Lots of "But surely...", or "I'm a special case...".
(Score: 2) by Unixnut on Saturday June 08, @01:09PM
Quite frankly a lot of Linux has become a disaster waiting to happen in the last 10 or so years. I mean Linux was always a loose collection of hacks, but this wasn't such a big deal when Linux was a niche hobby OS run by enthusiasts for enthusiasts. For flexibility, hackability and rapid feature development Linux is top IMO, to this day.
However things like stability, bug fixing (especially security bugs), etc.. are rarely considered. After all developers like to hack on things they enjoy, and very few find joy in bug fixing (especially other peoples) and security flaw handling. That usually gets lumped with upstream to handle (including sometimes the end users).
Thing is now Linux runs most of the serious IT infrastructure of the world, and this attitude does not match with that responsibility.
I always thought the Linux kernel team as a whole were by far the most professional, simply by virtue of (many of them) being paid kernel developers and the kernel being the core of every single Linux system out there (including derivatives like Android). If anything there should not be any issues with funding preventing them from doing things properly.
This CVE mess however has thrown my above belief in doubt. They seem to be treating the CVE database like a "potential security bug" tracking system, odd considering they already have their own internal tracking system.
Also their "due to the layer" excuse also sounds weak to me. They are not the only kernel on earth. There are other OSes, and yet I've not heard of any similar issues with Microsoft, Apple or FreeBSD OS'es. They somehow managed to handle their kernel security issues and CVEs just fine without resorting to what the Linux kernel devs are doing.