Thursday, August 2, 2018

Adventures in vulnerability reporting

Posted by Natalie Silvanovich, Project Zero

At Project Zero, we spend a lot of time reporting security bugs to vendors. Most of the time, this is a fairly straightforward process, but we occasionally encounter challenges getting information about vulnerabilities into the hands of vendors. Since it is important to user security that software vendors fix reported vulnerabilities in a timely manner, and vendors need to actually receive the report for this to happen, we have decided to share some of our experiences. We hope to show that good practices by software vendors can avoid delays in vulnerability reporting.

Effective Vulnerability Reporting Processes
There are several aspects of a bug reporting process that make reporting vulnerabilities easier from the bug reporter’s perspective. To start off, it’s important for a bug reporting process to be easy to find and use. We sometimes have difficulty figuring out how to report a vulnerability in a piece of software if the vulnerability reporting process is not documented on the project or vendor’s website, or if outdated material is not removed and instructions for reporting vulnerabilities are inconsistent. This can lead to delays in reporting. Effective vulnerability reporting processes are clearly documented, and the documentation is easy to find.

We also appreciate when the process for reporting a vulnerability is short and straightforward. Occasionally, we report dozens of vulnerabilities in a vendor’s products, and it is helpful when reporting does not require a lot of clicks and reading. Reporting processes that use email or bug trackers are usually the easiest, though webforms can be easy if they are not excessively long. While Project Zero will always report a vulnerability, even if reporting it is very time consuming, this is not necessarily the case for other bug reporters. Long bug reporting processes can cause bug reporters to report bugs more slowly, spend less time working on a piece of software or even give up on reporting a bug. The easier a bug reporting process is, the more likely it is that someone will go through with it.

It’s also important for bug reporting processes to be well-tested. While the majority we encounter are, we’ve occasionally had bug reporting email addresses bounce, webforms reject necessary information (like the reporter’s name) and security issues go unnoticed in bug trackers for months despite following the documented process. Vendors with good processes usually test on a regular basis that their process, and any systems it involves, works correctly.

Mandatory legal agreements in the reporting process are another problem that we encounter every so often. If a legal agreement contains language about disclosure or any other subject we don’t feel comfortable entering an agreement about on behalf of our company, deciding whether to enter the agreement can require a lengthy discussion, delaying the bug report. While legal agreements are sometimes necessary for rewards programs and code contributions, good vulnerability reporting processes allow bug reporters to report bugs without them.

It is also helpful when vendors confirm in a timely manner that vulnerability reports have been received. Since bug reports can get lost for a number of reasons, including bugs in the reporting interface and human error, it is a good idea to let reporters know that their report has been received, even if it won’t be processed right away. This lets the reporter know that they’ve reported the bug correctly and don’t need to spend any more time reporting it, and makes it more likely that bug reporters will reach out if a bug report gets lost, as they will be expecting a confirmation.

Finally, even if good practices are followed in creating the bug reporting process, it is still possible that a bug reporting process has problems, so it is very helpful if vendors provide a way to give feedback on the process. It’s very rare for vendors to intentionally make bug reporting difficult, but unexpected problems happen fairly frequently, so it is good to provide a way for bug reporters to reach out for help as a last resort if reporting a bug fails for any reason.

Examples
One example of a bug we had difficulty reporting due to a vendor not following the practices described above is CVE-2018-10751. CVE-2018-10751 is a remote memory corruption vulnerability in OMACP affecting the Samsung S7 Edge. The issue can be triggered by sending a single SMS to the target device, and does not require any user interaction. The payload can be sent from an app on an Android device without root access or any special equipment. It is similar to CVE-2016-7990, which is described in detail here.

Samsung’s Vulnerability Reporting Process
CVE-2018-10751 is a serious vulnerability, and I wanted to report it immediately. I started off by reading Samsung Mobile’s Security Reporting page. This page has a button to create a bug report.


Pressing the button led to a sign-up page. I didn’t have a Samsung account, so I tried to sign up. Unfortunately, it led to this page:


Not speaking Korean, I wasn’t sure what to do here. I eventually went back to the previous page and tried the ‘Sign-in’ button.

This brought me to an English sign-up page, which then brought me to the account creation page. According to this page, I had to read and agree to some terms. Clicking the links led to over twenty separate agreements, most of which had nothing to do with vulnerability reporting.
https://account.samsung.com Accessed February 22, 2018

That’s a lot of text to read and review. Let’s just say I skimmed a bit. Once I clicked ‘Agree’, I was taken to a page where I could enter account information. The page required my birthdate and zip code, which I wasn’t thrilled to have to provide to report a vulnerability, but I wanted to get the issue reported, so I entered them. Finally, my account was created! I logged in, hoping to start reporting the bug, only to be greeted with more conditions.

https://account.samsung.com Accessed February 22, 2018

These ones were in Korean, and I couldn’t figure out how to change the language. Eventually, I just selected confirm. Finally, I got to the form where I could report bugs!


I filled out the vulnerability information, and scrolled down, and there was one more set of terms to agree to:

These terms included:

- You MUST hold off disclosing the vulnerability in reasonable time, and you MUST get Samsung’s consent or inform Samsung about the date before disclosing the vulnerability.
- In some cases, Samsung may request not to disclose the vulnerability at all.

I was not able to submit this form without agreeing to allow Samsung some level of control over disclosure of the reported vulnerability. I looked around Samsung’s security page to see if they provided an email address I could report the issue to, but they did not provide one. I was not comfortable reporting this bug through the mechanisms Samsung provides for vulnerability reporting on their website.

Problems with Vulnerability Reporting Processes

I encountered several problems while trying to report the above vulnerability, most of which have since been resolved by Samsung.

To start off, Samsung’s bug reporting process did not seem adequately tested. The many times that Korean text showed up while attempting to report this vulnerability suggests that it was not tested in English. As described above, it is important for vendors to test vulnerability reporting processes, including for internationalization issues. The workflow is also excessively long, and requires the reporter to accept a very large number of agreements, many of which have nothing to do with vulnerability reports. I suspect that the people testing this interface might have already had accounts, and not seen how long the process is for someone who just wants to report a bug.

This isn’t an uncommon problem. The Android security reporting template requires creating a GMail account, which can require clicking through many screens and verification via SMS in some circumstances. As a result of our feedback, the Android Security team has improved its documentation to state that vulnerability reports can be filed via email (security@android.com), although using the web form is still required to participate in the Android Security rewards program.

Another problem was that in order to report a bug, a reporter had to agree to the terms of the rewards program. This is an issue that Project Zero has been seeing increasingly often. When software vendors start rewards programs, they often remove existing mechanisms for reporting vulnerabilities, leaving bug reporters with no way to report vulnerabilities without entering into agreements.

This also occurred when Tavis Ormandy attempted to report the vulnerability he reluctantly dubbed CloudBleed. Cloudflare’s vulnerability reporting process is tied to its rewards program with HackerOne, and there is no clear way to report a vulnerability without creating a HackerOne account in their Vulnerability Disclosure Policy. The policy even states “We agree with their disclosure philosophy, and if you do too, please submit your vulnerability reports here” without providing an alternative for vulnerability reporters who don’t agree or don’t want to participate in the program for whatever reason. In Project Zero’s case, our disclosure deadline is 90 days, whereas HackerOne’s deadline is 180 days. This vulnerability was also very urgent as it was actively leaking user data onto the Internet, and we didn’t want to delay reporting the issue while we read through HackerOne’s terms to determine whether they were compatible with our disclosure policy.

We find that vendors generally don’t intend to prevent bug reports from anyone who won’t agree to their disclosure rules, but this was the end result of Samsung and Cloudflare replacing their bug reporting process with a rewards program.

The specific terms of Samsung’s agreement were also fairly vague. In particular, it wasn’t clear what the consequences of breaking the terms would be. For example:

- You MUST hold off disclosing the vulnerability in reasonable time, and you MUST get Samsung’s consent or inform Samsung about the date before disclosing the vulnerability.

Does this mean that if someone discloses a vulnerability without permission, they are not eligible for a reward? Does it mean that if someone discloses the vulnerability without permission, Samsung can take legal action against them? While requiring that bug reporters not disclose vulnerabilities in order to receive rewards is a policy with debatable benefit, I would have been much more comfortable agreeing to these terms if they had spelled out that violating them would simply mean I would not receive a reward, as opposed to other legal consequences.

Overall, the issues of poorly tested bug reporting interfaces and requiring legal agreements to report vulnerabilities have come up multiple times, and have led to delays in Project Zero reporting vulnerabilities. We recommend that vendors test their vulnerability reporting interfaces from the perspective of someone who has never reported a bug, from outside of their corporate network, and make sure to do localized testing. It is also important to allow bug reports without requiring the reporter to enter into excessive legal agreements.

While only accepting vulnerability reports via web forms can reduce the number of invalid reports, which is a major challenge for teams accepting vulnerability reports, web forms can also be unreliable and prevent vulnerability reporting in situations that were not expected by those designing them, unless they are very well tested. Having an alternate email address that vulnerability reporters can use to report bugs if they encounter problems is a good way to prevent this type of problem.

Reporting the Bug
I eventually contacted some members of the Knox security team at Samsung that I had worked with on previous bugs, and they recommended reporting the issue to mobile.security@samsung.com. This email address is not documented on the Samsung website, except for a single blog post from 2015.

The difficulty I encountered reporting this serious vulnerability delayed my report by one week. It might have caused a longer delay if I did not have contacts at Samsung who could help.

Samsung started rolling out updates for CVE-2018-10751 (Samsung’s identifier SVE-2018-11463) in their April maintenance release.

Samsung has updated their account creation page so that it always displays English text if the language is set to English. Also, the vulnerability report form can now be submitted without agreeing to the terms of Samsung’s rewards program, though the user still has to agree to two other agreements. They have also updated their bug reporting page to provide an email address as well as a webform. We appreciate the changes they have made to make reporting vulnerabilities in Samsung products easier for everyone.

Conclusion
Project Zero has occasionally had difficulty reporting vulnerabilities, leading to delays in reporting the bug. Usually, these are due to problems in the reporting process that were not intended or expected by the vendor. A difficult vulnerability reporting process can have a negative impact on user security due to delays in vulnerability reports, lost vulnerability reports and even bug reporters choosing not to report a vulnerability. We appreciate when vendors do the following to make their bug reporting processes easier for bug reporters:

  • Vendors should regularly test their vulnerability reporting interfaces in all supported languages
  • Vendors should streamline their vulnerability reporting processes as much as possible, and remove excessive clicks and legal agreements
  • Vendors should regularly solicit feedback on their vulnerability reporting mechanisms from vulnerability reporters and people they think are likely to report vulnerabilities

2 comments:

  1. Admitting that one's product can have vulnerabilities seems to be the biggest blocker to me.

  2. So Project Zero reports a vulnerability to the vendor and doesn't request a CVE-ID if the vendor doesn't want one?

    The example about the SMS exploit is really interesting. People always think there isn't any potential for harm if they don't interact with anything. Wondering if a similar thing is happening/possible through voicemail, maybe visual voicemail.

    Vendors probably fear the entire process, but still need to be more transparent about these types of things so the average person isn't walking around thinking their phone is magical. If everyone was more realistic about all this, companies wouldn't worry their stock price/sales will be impacted and consumers wouldn't be as careless if they weren't misled in such an extremely unethical way.

    I was also wondering if there's any way to request that someone from Project Zero look into something unusual? Sort of related to code signing, OCSP requests, JavaScript, and some other persistence features (I think).
