The kernel becomes its own CNA
source link: https://lwn.net/Articles/961961/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
The kernel becomes its own CNA
As part of the normal stable release process, kernel changes that are potentially security issues are identified by the developers responsible for CVE number assignments and have CVE numbers automatically assigned to them. These assignments are published on the linux-cve mailing list as announcements on a frequent basis.Note, due to the layer at which the Linux kernel is in a system, almost any bug might be exploitable to compromise the security of the kernel, but the possibility of exploitation is often not evident when the bug is fixed. Because of this, the CVE assignment team are overly cautious and assign CVE numbers to any bugfix that they identify. This explains the seemingly large number of CVEs that are issued by the Linux kernel team.
(Log in to post comments)
The kernel becomes its own CNA
Posted Feb 13, 2024 19:49 UTC (Tue) by epa (subscriber, #39769) [Link]
I know in the past there have been strange security policies where a fix might go into git with a deliberately vague commit message, but then we have smoke signals about “strongly urged to upgrade”. Is that still happening? Could we have a situation where there is a vulnerability, but the kernel team doesn’t want to officially acknowledge it, so no CVE number can be allocated?
The kernel becomes its own CNA
Posted Feb 13, 2024 20:01 UTC (Tue) by khm (subscriber, #108825) [Link]
"No CVEs will be assigned for unfixed security issues in the Linux
kernel, assignment will only happen after a fix is available as it can
be properly tracked that way by the git commit id of the original fix."
Which, of course, completely misses the point of the CVE program, and renders it useless for tracking unpatched vulnerabilities within a software catalog. I don't suppose there's much anyone can do about it, since MITRE has been to all appearances desperate to keep the CVE program 'active' without actually doing any effective stewardship of it.
It's a bad situation.
The kernel becomes its own CNA
Posted Feb 13, 2024 20:05 UTC (Tue) by ewen (subscriber, #4772) [Link]
My guess is the way this plays out is that the Linux kernel team will only issue CVEs for problems being actively exploited in the wild or so serious someone has already written a proof of concept exploit. And the “everyone must upgrade” (ie always run the latest version) messaging will intensify :-/
The kernel becomes its own CNA
Posted Feb 13, 2024 20:46 UTC (Tue) by wtarreau (subscriber, #51152) [Link]
Nobody has ever refused, it's just that nobody has ever been able to provide the amount of manpower to achieve that absurd wet dream.
How many hundreds of people are you willing to assign to do that thankless job without hurting other developers ? I'm not kidding. Take the kernel 6.1 as an example. In the first year of existence it received 11865 fixes. That's 32.5 fixes every day, 365 days a year. How long does it take your talented experts to validate all the possible impacts of every such fix, for every architecture, and all imaginable use cases, and their respective impacts in stable branches considering that other patches are missing and interactions differ ? One week ? Two weeks ? If just one week you need 227 full-time persons with these skills.
It's easy to complain and not propose any help, but that's what has been heard for many years and that led to the situation where the only solution is to automate a lot of stuff to please those who don't want to risk missing a single vulnerability and want to know when to update.
The kernel becomes its own CNA
Posted Feb 13, 2024 20:51 UTC (Tue) by roc (subscriber, #30627) [Link]
The kernel becomes its own CNA
Posted Feb 13, 2024 21:45 UTC (Tue) by wtarreau (subscriber, #51152) [Link]
You're obviously saying this as someone who has never had to assess whether a bug in your code could have a security impact or not. I'm regularly having to do that in my code, which is far less complex than the kernel and it's already a nightmare. "what can be the impact of that flag that was not cleared in that struct between two calls, could anything go wrong with it left on?". Sometimes it even depends on build options.
When Linus used to say "a bug is a bug", it really means it: a bug is first and foremost a bug. And sometimes some people are smarter than others and manage to assemble several of them together and turn a sequence of tiny individual and unrelated bugs into an exploitable one. I'm sorry but it really requires skills that are far beyond the vast majority of developers'.
I remember once a security researcher reported a bug in my code, something like a trailing zero being written one byte past the end of an area, but in an unaligned struct so theoretically it wouldn't have had an impact. But being an off-by-one, I asked him whether he thought it could be exploited. He found the challenge tempting and ended up two weeks later explaining who he finally managed to combine that with something else to inject a pointer that ends with a zero on little endian 32-bit archs, and which depending where the program was loaded in memory, 255/256 times would do nothing but freeze your connection due to the bug, and 1/256 times manage to trigger a deref that allowed him to inject the payload that preceeded the pointer. He didn't even have a reliable reproducer, just studied the possibility. This is what assessing a bug's impact corresponds to.
Hence when you don't know, in doubt, it may have security impacts.
Now regarding asking the kernel devs, even the top-level subsystem maintainers who are regularly asked to validate some reports that land on the security list can sometimes scratch their heads for quite a moment before figuring whether or not there really is something, after someone reported it.
The point is that it's never written on the bug that it has a security impact, and in general if you say no in less than one week of studying, you're just wrong.
The kernel becomes its own CNA
Posted Feb 13, 2024 21:53 UTC (Tue) by Wol (subscriber, #4433) [Link]
Well, if you investigate and tell them, then they'll know what to tell you!
Kernel devs are NOT omniscient. Kernel devs do NOT know everything. Kernel devs are too busy *fixing* the bug to have time to waste investigating what security impact it may (or may not) have.
Please do NOT assume that kernel devs are cleverer than you. Please do NOT assume that kernel devs know more than you. (Unless of course, you yourself are happy to assume you are an idiot :-)
At the end of the day, if you're not prepared to do the work, don't assume someone else will. They won't. And that INCLUDES investigating the security implications of fixing a bug. As a developer myself, I DON'T CARE what the consequences of a bug are - unless, of course, it's forced upon me by something going wrong. All I care about is if there's a logic error, I want it fixed.
I go on about this story, but I took over a code base. It was dodgy, unreliable, and we didn't know what was wrong. I jacked the warning level to max, fixed all the warnings, and the problems went away. Were those bugs security bugs? Were those bugs serious bugs? Were those bugs trivial bugs? Were those bugs in code that was never reached? I didn't know, I didn't care, I'll never find out.
Why would the kernel devs know or care?
Cheers,
Wol
The kernel becomes its own CNA
Posted Feb 13, 2024 21:56 UTC (Tue) by kleptog (subscriber, #1183) [Link]
Ok, my view as a by-stander was that this is exactly what many people are asking for. Always accompanied with vague insinuations that there is some conspiracy to hide known security issues from the public.
> We just want kernel devs to tell us whatever they already know.
"Kernel devs" are not a well defined group. Of the ~12k fixes in 6.1 in a year, the people who might have thought about the security implications of each fix might be the author and perhaps a handful of reviewers. Figuring out if some fix might be security related is somewhat of an art, and something most people just aren't very good at.
Never attribute to malice that which can be adequately explained by stupidity, incompetence or laziness.
On a higher level, it's not clear to me the point of issuing lots of CVEs for things that you don't actually know are a problem. You could create a CVE for every invalid memory reference, that might make several hundred extra CVEs, but what's the point here? The only way to get fixes is to upgrade, at which point it makes no difference if there was one CVE issued or 500. Every single released version of the Linux kernel has vulnerabilities, so what exactly is the purpose of assigning lots of CVEs in the first place? It's good for pretty graphs, I'm sure.
(Some of this is from irritation from a constant stream of "security alerts" which amount to "package X has a problem if you use it in a way that's clearly stupid or a situation which is very rare". There's a cost to assigning a CVE and at some point that cost outweighs the benefits. It's would be nice if there was a numbering scheme for security things things that should be highlighted in a changelog but are not likely to affect a significant number of people.)
The kernel becomes its own CNA
Posted Feb 14, 2024 2:04 UTC (Wed) by pizza (subscriber, #46) [Link]
... or if you make changes to the system/package configuration that you've not fully thought through (eg disable selinux or systemwide hardening/sanitizing options or running a daemon as root instead of an unprivileged user, or configuring highly verbose logging that includes logging credentials or other secrets, or....)
The kernel becomes its own CNA
Posted Feb 14, 2024 1:48 UTC (Wed) by makendo (subscriber, #168314) [Link]
The kernel becomes its own CNA
Posted Feb 13, 2024 20:13 UTC (Tue) by sashal (subscriber, #81842) [Link]
For that matter, you'll be seeing more CVEs assigned than (ever) before, and the assignments will happen for security issues that were previously were not explicitly acknowledged as such.
The kernel becomes its own CNA
Posted Feb 13, 2024 23:30 UTC (Tue) by npws (subscriber, #168248) [Link]
This statement seems a bit odd before even a single CVE has actually been assigned.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK