Friday, November 20, 2015

CVE's & My Vuln Disclosure Experience

Back in January I received my first CVE: CVE-2014-9354


The reference above, as usual, gives no actual information. Luckily, the bug was simple enough. Once you log in to the NetApp interface, on the page (Active Directory tab) where you enter domain credentials, you can view source and see the starred-out credentials in plain text in the HTML. Party like it's 1999!

NetApp was responsive and easy to work with: I asked that they request a CVE, which they did, and they were forthcoming with fix information and the timeline for the patch release. The overall experience went, more or less, the way I think it should.

The second experience was much worse. I attempted to obtain another CVE for some vulnerabilities that @javutin and I found in the Steelcase RoomWizard product.

I discovered the RoomWizards were running a vulnerable version of Apache Struts, making them vulnerable to CVE-2013-2251. This led to remote code execution as root. We found another issue where the HSQL database, with the default sa/null credentials, is exposed by default. This allows you to retrieve the administrator password, which then allows you to SSH into the device. A CVE (CVE-2015-2879) has been reserved for this issue after directly contacting CERT/CC, as the vendor declined to request one. The Struts vulnerability was slightly more interesting because the device runs as root. An example of the vulnerable request, requesting the output of whoami (and the response), is shown below.

The exploit was simple enough: I just had to add the ARM payload to the existing Metasploit Struts module and add the vulnerable URI. The module is here. Screenshot below:
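From the defender's side, the thing worth having for this bug is a way to spot CVE-2013-2251 probes in web access logs. The following is an added example, not the request or screenshot referenced above and not code from the Metasploit module or from Steelcase: it scans constructed Apache/Tomcat-style log lines for the Struts 2 navigation prefixes that this CVE abuses followed by an OGNL expression marker, decoding twice so a double-encoded probe is still caught. The `/app/index.action` path and all log lines are made up for the example.

```python
import re
from urllib.parse import urlsplit, unquote

# Parameter-name prefixes that Struts 2 (before 2.3.15.1) treated as navigation
# directives and evaluated as OGNL, the root cause of CVE-2013-2251.
STRUTS_PREFIXES = ("action:", "redirect:", "redirectaction:")
OGNL_MARKERS = ("${", "%{")

# Apache/Tomcat "common" access-log layout: client ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def struts_probe_params(uri):
    """Return the decoded query parameters of `uri` that start with a Struts
    navigation prefix and contain an OGNL marker. Decoding runs twice so a
    double-encoded probe (%2524 -> %24 -> $) is not missed."""
    hits = []
    for raw in urlsplit(uri).query.split("&"):
        decoded = unquote(unquote(raw))
        if decoded.lower().startswith(STRUTS_PREFIXES) and any(
            marker in decoded for marker in OGNL_MARKERS
        ):
            hits.append(decoded)
    return hits


def scan_access_log(lines):
    """Return one finding per log line whose request URI carries a probe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line in the expected layout; skip rather than guess
        params = struts_probe_params(m["uri"])
        if params:
            findings.append({"client": m["client"], "time": m["ts"],
                             "status": int(m["status"]), "params": params})
    return findings


# Constructed sample log lines (not from the post). The OGNL bodies are inert
# arithmetic, enough to exercise the detector without being a working payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Mar/2015:10:15:01 +0000] "GET /app/index.action HTTP/1.1" 200 512',
    '10.0.0.9 - - [06/Mar/2015:10:15:07 +0000] "GET /app/index.action?redirect:%24%7B1%2B1%7D HTTP/1.1" 302 0',
    '10.0.0.9 - - [06/Mar/2015:10:15:09 +0000] "GET /app/index.action?action:%2525%257B2%252B2%257D HTTP/1.1" 200 77',
    '10.0.0.7 - - [06/Mar/2015:10:16:00 +0000] "GET /app/login.action?redirect=/home HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} status={f['status']} params={f['params']}")
```

A plain `redirect=` parameter, or a `redirect:` prefix without an expression marker (legitimate Struts navigation), is deliberately not flagged; a 302 or 200 on a flagged line on an unpatched device is the case to investigate.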

My initial contact with them was March 5th, 2015 and the fix came out Oct 19th, 2015 (8 months). I've included the vulnerability timeline below for additional information and lolz.

Disclosure Timeline

3/5/15 – Initial contact with Steelcase and request for a PGP key to send details
3/10/15 – Receive PGP key
3/11/15 – Send vulnerability details and request Steelcase request CVEs for the issues
3/16/15 – Send follow up email requesting confirmation of receipt of vulnerability details
3/16/15 – Confirmation Steelcase received and could view the vulnerability details
3/30/15 – Request an update
3/30/15 – Steelcase responds they will fix in June/July with next firmware update
4/23/15 – Follow up on CVE request
4/28/15 – Received no response to 4/23 email, emailed again
4/28/15 – Receive response from Product Manager. States “As you know, we are implementing a fix in the next firmware version, slated for release later this Spring. We plan on holding communication and publishing a CVE until that time.”
6/18/15 – Request clarification on Spring answer as it is now June
6/18/15 – Receive response that Firmware is in alpha testing and expect release July/Aug
6/18/15 – Ask again if Steelcase will be requesting CVEs for the issues
6/18/15 – Receive an Affirmative response “Yes, to my knowledge we will but I’ve cc’d some principals who would be involved in the actual submission to be sure.”
7/8/15 – Received no reply from the principals, asked again
7/14/15 – Received no reply to 7/8 email, emailed again
7/16/15 – Email again stating lack of response is disappointing since they were 30+ days over the normal 90 day fix/disclosure timeline
7/20/15 – Receive reply. Steelcase will not apply for CVE. States “After internal discussions, we have decided not to apply for a CVE. No other devices are built upon the RoomWizard platform and the device itself is generally in a controlled environment.” Also states 4.5 move into Beta testing next week.
8/20/15 – Request an update as no updated firmware had been released and no other communication from Steelcase
8/20/15 – Receive response “We are going to Beta testing next week with anticipated release two weeks later, assuming positive results.”
8/20/15 – Reply back: “30 days ago you said it was going to beta testing next week?!?!”
8/20/15 – Steelcase replies “We found some bugs in Alpha testing that we felt it was imperative to fix before releasing at customer Beta sites.” Asks if we want the beta software, we decline.
9/28/15 – Request update as it has been another 30 days
9/29/15 – Steelcase replies the updated firmware should be available on Oct 19th 2015 along with a new version of the Administrative Console (required to install the new firmware)
10/19/15 – Steelcase emails me (!!) that the updated firmware has been released

