The Harmless Pi-Hole Bug(kiyell.com)
kiyell.com
The Harmless Pi-Hole Bug
https://www.kiyell.com/The-Harmless-Pihole-Bug/
47 comments
If you don't assign CVE numbers to every security-related flaw, no matter how minor the flaw may be, you must come up with a way to draw the line on what flaws get CVEs and what ones don’t. That would be worse in pretty much every respect.
As it is now, I can look at a CVE and determine for myself and my organization whether it something we need to care about. I’d rather that decision stay in my hands, not someone else’s.
As it is now, I can look at a CVE and determine for myself and my organization whether it something we need to care about. I’d rather that decision stay in my hands, not someone else’s.
> I can look at a CVE and determine for myself and my organization whether it something we need to care about.
Except it doesn't work like this.
A security scanner will include a CVE. People want no red flags on the security scanner. They don't care what the CVE is, they just want red mark go away.
The attitude to accepting useless crap as a CVE is diluting what an important CVE actually is.
Except it doesn't work like this.
A security scanner will include a CVE. People want no red flags on the security scanner. They don't care what the CVE is, they just want red mark go away.
The attitude to accepting useless crap as a CVE is diluting what an important CVE actually is.
A decent security scanner allows you to exclude informational vulnerabilities. When I rolled out Wazuh in an org, it allowed for said function. And I still, personally, wanted to know about it at least once.
If that is your attitude to security scanning, you should not be in charge of anything more important than a speak and spell.
Seriously? Treating joke CVEs the same as true sev 1 issues is beyond silly and counter productive. There are very real limits to time, money and attention and pretending otherwise is foolish.
The person you’re replying to seems to agree with you.
Are you speaking from your experience in vulnerability management? If anything, I’ve seen the opposite behavior (ignore everything except where the risk is critical).
CVSS has been around since the mid-2000s, so it isn’t as if there’s no way to discern critical vulnerabilities from informational ones.
CVSS has been around since the mid-2000s, so it isn’t as if there’s no way to discern critical vulnerabilities from informational ones.
>Except it doesn't work like this.
You'll have to email my bosses that :)
You'll have to email my bosses that :)
> If you don't assign CVE numbers to every security-related flaw, no matter how minor the flaw may be, you must come up with a way to draw the line on what flaws get CVEs and what ones don’t.
That's already the case now, since there's no perfectly objective way to decide whether a bug is even security related or not.
This is just an example of where that already existing subjective distinction was applied in a way that not everyone agreed with. It's an unavoidable problem that is going to happen once in a while.
It doesn't mean that CVEs are useless and it doesn't necessarily mean we need to be more liberal about what warrants a CVE either.
That's already the case now, since there's no perfectly objective way to decide whether a bug is even security related or not.
This is just an example of where that already existing subjective distinction was applied in a way that not everyone agreed with. It's an unavoidable problem that is going to happen once in a while.
It doesn't mean that CVEs are useless and it doesn't necessarily mean we need to be more liberal about what warrants a CVE either.
>That's already the case now, since there's no perfectly objective way to decide whether a bug is even security related or not.
Sure, you are right that a line already exists. However, that line basically boils down to "could this bug conceivably affect security". The decision tree is 4 questions long -- very simple.
What I am opposed to is someone else answering "yes, this could conceivably affect security" and deciding on my behalf that I don't need to worry about it. That is a line for me (or someone who knows the organizations infrastructure, risk tolerance, etc.) to draw.
Sure, you are right that a line already exists. However, that line basically boils down to "could this bug conceivably affect security". The decision tree is 4 questions long -- very simple.
What I am opposed to is someone else answering "yes, this could conceivably affect security" and deciding on my behalf that I don't need to worry about it. That is a line for me (or someone who knows the organizations infrastructure, risk tolerance, etc.) to draw.
Except that in this case, the answer to that question is no, this could not conceivably affect security. It's the rough shape of something that could, but actually it could not.
So we're back where we started. It's still subjective, how much you should "conceive the possibility", when it doesn't appear to actually be there.
So we're back where we started. It's still subjective, how much you should "conceive the possibility", when it doesn't appear to actually be there.
[deleted]
So you are happy to have 1 million cves to look for per year per product?
Unless there’s a minimum standard it becomes noise, and the real CVEs are lost.
Unless there’s a minimum standard it becomes noise, and the real CVEs are lost.
>So you are happy to have 1 million cves to look for per year per product?
Trying to ignore the extreme hyperbole here...
I want me or my team to see every security-related flaw affecting the products in our network, yes. That's literally our job.
A CVE like this takes maybe 2 minutes for a junior on the team to mark as no risk.
Trying to ignore the extreme hyperbole here...
I want me or my team to see every security-related flaw affecting the products in our network, yes. That's literally our job.
A CVE like this takes maybe 2 minutes for a junior on the team to mark as no risk.
I agree with ziddoap here. Not reviewing these minor bugs are exactly how we end up with sophisticated attacks using simple bugs that leave us arm chair experts commenting "How did they even think of this?!?!"
Because the people that do conduct sophisticated attacks are studying every knock and cranny for these types of things. If they can find it once, they can automate it and find more. And then they move on to the next piece of their puzzle of "what can I do from here?"
Because the people that do conduct sophisticated attacks are studying every knock and cranny for these types of things. If they can find it once, they can automate it and find more. And then they move on to the next piece of their puzzle of "what can I do from here?"
I don't know that this CVE would be trivial to knock out.
My CVSS score for this is as follows:
CVSSv3.1:AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L (I said "Low" integrity issues, and "Low" availability issues, since I don't know if the DOS issue is real)
That reads out to a "Medium" CVE.
I have, in the past, worked with some banks, and they want all 4+ CVSSv3 CVEs enumerated and either remediated or for a plan to be in place to remediate them.
Maybe you're significantly better than I am at this, but I am hesitant to look at any CVE and say it's not a problem with how I have configured my software. Unless I have really deeply looked into the issue, I get really nervous saying a CVE is not going to affect my software.
My CVSS score for this is as follows:
CVSSv3.1:AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L (I said "Low" integrity issues, and "Low" availability issues, since I don't know if the DOS issue is real)
That reads out to a "Medium" CVE.
I have, in the past, worked with some banks, and they want all 4+ CVSSv3 CVEs enumerated and either remediated or for a plan to be in place to remediate them.
Maybe you're significantly better than I am at this, but I am hesitant to look at any CVE and say it's not a problem with how I have configured my software. Unless I have really deeply looked into the issue, I get really nervous saying a CVE is not going to affect my software.
Except this isn't a CVE anyone will encounter in the workplace because nobody in their right mind would run Pi-Hole on a Raspberry Pi in a professional setting. It's a waste of time.
If you want to dedicate staff to reviewing useless garbage issues you do that, go and review every issue logged against other non-commercial software.
The rest of us have a job to do.
If you want to dedicate staff to reviewing useless garbage issues you do that, go and review every issue logged against other non-commercial software.
The rest of us have a job to do.
>The rest of us have a job to do.
I'm not sure why you are being hostile about it, but okay.
Obviously you feel very strongly about the subject. You should engage with MITRE and encourage them to reconsider their current CVE inclusion decision tree.
I'm not sure why you are being hostile about it, but okay.
Obviously you feel very strongly about the subject. You should engage with MITRE and encourage them to reconsider their current CVE inclusion decision tree.
If Daniel Steinberg struggles to make headway with them…
Yeah except Bob, your uncle, is working from home and therefore needs to care about his home network security.
I look forward to your explanation of how the temperature of Bob's Raspberry Pi poses a threat to his employer.
I also wonder how the attacker got access to Bob's home network in the first place?
If only he had the chance to focus on actual important security issues instead of constant notifications about useless noise like the temperature of his Pi-Hole.
I also wonder how the attacker got access to Bob's home network in the first place?
If only he had the chance to focus on actual important security issues instead of constant notifications about useless noise like the temperature of his Pi-Hole.
>I look forward to your explanation of how the temperature of Bob's Raspberry Pi poses a threat to his employer.
Hmm, anything like this can be used as part of side channel if an attacker is able to influence the temperature of Bob's RPi.
Hmm, anything like this can be used as part of side channel if an attacker is able to influence the temperature of Bob's RPi.
Informational vulnerabilities are often nothing to worry about, until they are.
That's a good way to get people to turn off security scanners
Some reduction might not be so bad. I would love to know how many times I've said the phrase "the version string/CVE is irrelevant because our vendor backports patches"
A lot of this can/should be boiled down to: are our updates and mirrors current?
One selects an OS vendor/distribution explicitly to make this kind of thing their ~problem~ responsibility. They gave me "foo", they can fix it.
There's usually no problem because nobody builds everything from upstream sources. The security vendor yells at me and the OS vendor about discoveries in something they never packaged.
Each distribution gets sufficiently involved that I refuse to mind most CVEs. Eternally grateful my current role allows me to drop this charade
A lot of this can/should be boiled down to: are our updates and mirrors current?
One selects an OS vendor/distribution explicitly to make this kind of thing their ~problem~ responsibility. They gave me "foo", they can fix it.
There's usually no problem because nobody builds everything from upstream sources. The security vendor yells at me and the OS vendor about discoveries in something they never packaged.
Each distribution gets sufficiently involved that I refuse to mind most CVEs. Eternally grateful my current role allows me to drop this charade
> I can look at a CVE and determine for myself and my organization whether it something we need to care about.
Yes, but one can envision a scenario where everything gets a CVE number and you, or members of your team, spend an inordinate amount of time looking up CVE numbers. Then along comes a service that you have to pay for that scores each CVE number for you. Due to any lack of discretion (in a database maintained by "experts"), you'll pay with your time, or your money.
Yes, but one can envision a scenario where everything gets a CVE number and you, or members of your team, spend an inordinate amount of time looking up CVE numbers. Then along comes a service that you have to pay for that scores each CVE number for you. Due to any lack of discretion (in a database maintained by "experts"), you'll pay with your time, or your money.
I'm quite happy with the current scenario and decision tree used to assign CVEs. As it stands right now, it is not "everything" that gets a CVE number.
If they change the decision tree and spelling mistakes start being assigned CVEs, I am sure I will change my mind.
If they change the decision tree and spelling mistakes start being assigned CVEs, I am sure I will change my mind.
I disagree, that's pretty easy to turn into a occupancy sensor. I think people need to get away from the "is this piece of information sensitive" in isolation and start thinking about it more like leaking bits. Leaking bits is bad, you don't know how a clever person might leverage them
Not exactly that, someone can change the unit used to display the temperature for authenticated users.
[deleted]
Now we just sit back and wait for the side channel attack where someone figures out how to use temperature changes to exfil data.
Yeah this is generating CVE numbers for resume clout.
Maybe this is actually a good thing. Check a few of the cves they found and if it's things like this, you're dealing with a clown. I'd feel ashamed requesting to get a cve assigned for something like that.
In this particular case they probably should have reported it as a regular bug and not as a vulnerability, but I am not sure this generalizes to CVE numbers being meaningless since I am not sure how often it happens.
Most CVE numbers are useful, but there are enough meaningless ones that will set off commercial security scanners to extort a sale to make them unreliable enough that you need to dig into most of them (rather than just assume they're security risks and treat them with the correct priority). Annoyingly, there are also plenty of security bugs that don't make it through the CVE system.
In a perfect world, you should be able to treat a CVE number in a scan or bug report as something of importance, but in practice you need to filter out the "time protocol allows reading the time" class of CVEs as well. CVEs might as well be links to Github issues if they're treated like this.
In a perfect world, you should be able to treat a CVE number in a scan or bug report as something of importance, but in practice you need to filter out the "time protocol allows reading the time" class of CVEs as well. CVEs might as well be links to Github issues if they're treated like this.
My favourite is CVE-1999-0524, people can tell the time set on your system with ICMP Timestamp messages.
Someone's added it to a commercial security scanner recently, so we have a lot of "severity 1" tickets to disable it.
Yes, severity 1 for something that's been there for 25 years. Very important CVE obviously.
https://nvd.nist.gov/vuln/detail/CVE-1999-0524
Someone's added it to a commercial security scanner recently, so we have a lot of "severity 1" tickets to disable it.
Yes, severity 1 for something that's been there for 25 years. Very important CVE obviously.
https://nvd.nist.gov/vuln/detail/CVE-1999-0524
OP here, it's been interesting seeing people's view of this. I wanted to clarify two things.
The bug here is that unauthenticated users can change a setting that only an administrator should be able to. The maintainers acknowledged the bug and accepted a patch to fix it.
Is changing the temperature unit shown on a dashboard a serious problem? No. But it is a problem and one that could be classified as a security issue.
What's the point of the CVE assignment? Well it creates a public record of this flaw and helps Pi-hole administrators make their own decisions (patch / ignore). It also puts the issue in the hands of other security researchers. For example, is there a possibility of using this vulnerability to conduct a DoS attack? I didn't test this and have moved on to other things but others can.
The bug here is that unauthenticated users can change a setting that only an administrator should be able to. The maintainers acknowledged the bug and accepted a patch to fix it.
Is changing the temperature unit shown on a dashboard a serious problem? No. But it is a problem and one that could be classified as a security issue.
What's the point of the CVE assignment? Well it creates a public record of this flaw and helps Pi-hole administrators make their own decisions (patch / ignore). It also puts the issue in the hands of other security researchers. For example, is there a possibility of using this vulnerability to conduct a DoS attack? I didn't test this and have moved on to other things but others can.
[deleted]
[deleted]
[deleted]
There's a lot of discussion here in the comments on whether this can meaningfully be called a vulnerability if you can only "see the temperature of your server".
Setting aside that the vulnerability doesn't actually allow that, isn't this potentially a Spectre / Meltdown vulnerability? This is an unprotected endpoint that conditionally executes code taken from user input. If the branch predictor can be trained to speculatively execute arbitrary code from the input, information could be extracted via endpoint timing using a similar methodology to Spectre or Meltdown, right?
Setting aside that the vulnerability doesn't actually allow that, isn't this potentially a Spectre / Meltdown vulnerability? This is an unprotected endpoint that conditionally executes code taken from user input. If the branch predictor can be trained to speculatively execute arbitrary code from the input, information could be extracted via endpoint timing using a similar methodology to Spectre or Meltdown, right?
This is what annoys me about internal security teams. No, this doesn't make us vulnerable because it's in the DMZ, we have ACLs, it's behind a firewall, we have traffic monitoring, process monitoring, MFA, geofences, etc etc. Just because there's a possibility this could be exploited in some convoluted way in a targeted attack doesn't mean all the other walls we have stood up around this are suddenly useless. I'm constantly pestered and forced to waste my time explaining that your little CVE scanner tool is not the end all for our security posture.
Not to snap at you, but I'm forced to deal with these "what if" scenarios weekly and it drives me nuts. I know the security guys have a job to do, but I feel like half of their job is just trying to drum up scary looking things to justify their employment.
Not to snap at you, but I'm forced to deal with these "what if" scenarios weekly and it drives me nuts. I know the security guys have a job to do, but I feel like half of their job is just trying to drum up scary looking things to justify their employment.
This is just generating CVE numbers for the sake of it.