WingNews logo WingNews
top | item 45728224

(no title)

jerrythegerbil | 4 months ago

Vulnerabilities can and often are chained together.

While the relevant configuration does require root to edit, that doesn’t mean that editing or inserting values to dnsmasq as an unprivileged user doesn’t exist as functionality in another application or system.

There are frivolous CVEs issued without any evidence of exploitability all the time. This particular example however, isn’t that. These are pretty clearly qualified as CVEs.

The implied risk is a different story, but if you’re familiar with the industry you’ll quickly learn that there are people with far more imagination and capacity to exploit conditions you believe aren’t practically exploitable, particularly in highly available tools such as dnsmasq. You don’t make assumptions about that. You publish the CVE.

discuss

order

landr0id|4 months ago

>that doesn’t mean that editing or inserting values to dnsmasq as an unprivileged user doesn’t exist as functionality in another application or system.

The developer typically defines its threat model. My threat model would not include another application inserting garbage values into my application's config, which is expected to be configured by a root (trusted) user.

The Windows threat model does not include malicious hardware with DMA tampering with kernel memory _except_ maybe under very specific configurations.

BobbyTables2|4 months ago

The developer is too stupid to define the threat model — they’re too busy writing vulnerabilities as they cobble together applications and libraries they barely understand.

How many wireless routers generate a config from user data plus a template. One’s lucky if they even do server side validation that ensures CRLFs not present in IP addresses and hostnames.

And if Unicode is involved … a suitcase of four leaf clovers won’t save you.

jerrythegerbil|4 months ago

> The developer typically defines its threat model.

The people running the software define the threat model.

And CNA’s issue CVEs because the developer isn’t the only one running their software, and it’s socially dangerous to allow that level of control of the narrative as it relates to security.

akerl_|4 months ago

> The developer typically defines its threat model.

Is this the case? As we're seeing here, getting a CVE assigned does not require input or agreement from the developer. This isn't a bug bounty where the developer sets a scope and evaluates reports. It's a common database across all technology for assigning unique IDs to security risks.

The developer puts their software into the world, but how the software is used in the world defines what risks exist.