Responsible Vulnerability Disclosure


An ongoing responsible (but frustrating) vulnerability disclosure with a well-known cybersecurity vendor.

The vulnerability scores a 4.2 (Medium) on the CVSS 3.1 base metrics (https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N), dropping to 4.0 or 4.1 once temporal metrics are applied, so not a huge deal. We could certainly develop a working PoC (with time), but that doesn’t change the calculation much: exploit code maturity only enters the temporal score, not the base score. Additionally, it is a very well-known “don’t do that, there are much better ways” practice. It’s reminiscent of the days of old when sysadmins gave everyone local admin because “we need the users’ software to work”.

If the vendor had responded with “we plan to address this in the next one to two quarters,” it would have been a reassuring response. Instead, we’ve gone from being a little worried that this vendor may not have the best secure coding practices to believing they are likely putting our clients at grave risk with other vulnerabilities yet to be discovered in their products.

Support Ticket Conversation

Note: This initial release is highly redacted as a responsible disclosure is still being attempted.

robert neel
2021-08-08 09:58:00 (PT)

Good morning! I would like to confirm feedback we received from you all in regards to a vulnerability in some of your products (ex. [product name redacted]). Please confirm this is your public stance on these issues, as it impacts several of our clients and partners. We plan to start sharing these details, unless some of it needs to go through a disclosure process.

We’ve noticed various products of yours [vulnerability details redacted]. Example:

[redacted curl command that demonstrates the vulnerability].

[redacted results confirming the vulnerability].

[redacted explanation of the vuln]. The feedback we saw from [vendor name] support was that [redacted insecure config details] as to allow clients to [redacted vendor’s excuse for having the insecure config].

That is certainly a workaround for that, but not a secure one. It’s troubling that you do not appear to provide an option for a customer to disable this insecure configuration, or, better yet, not enable it unless they purposely choose to. Can you please confirm?

Another, more troubling, item we saw from [vendor name] support was that you do not consider something a “security issue” unless “a real PoC is provided”. Is that true?

Thank you!
Robert

Mary [last name redacted]
2021-08-09 21:47:00 (PT)

Dear Robert,

Greetings!

Thank you for contacting [vendor name] Customer support team. I have taken ownership on this ticket.

Sure, we can certainly look into it for you.

Our Tech Team is the one who can help you on this.

Please provide us with the device serial number to get technical support further.

Thank you and have a nice day.

robert neel
2021-08-10 05:24:00 (PT)

Thank you for getting back to me! As mentioned in my ticket, this is not specific to a single device. It is something we see with every client that uses your products. As such, we do not have a serial number, and if we did, it would not be relevant to our ticket.

However, there are about 2,000 examples of your devices that [redacted vuln description]:

– https://[product name 1].[vendor domain].com
– https://[product name 2].[vendor domain].com
– Thousands of your customer deployments: https://www.google.com/search?q=[redacted search terms]

Mary [last name redacted]
2021-08-11 02:22:00 (PT)

Dear Robert,

Greetings!

Thank you for writing back to us. I will check this link with our technical team internally and get back to you.

Have a nice day.

Mary [last name redacted]
2021-08-12 02:14:00 (PT)

Dear Robert,

Greetings!

As you have mentioned there is a vulnerability detected in [vendor name] product, we should have at least a CVE code of that vulnerability to research and assist you further.

If you can run a vulnerability scanner, that scanner itself will list the CVEs. Please check and let us know.

Please provide us sufficient details to assist you further.

Have a nice day.

Mary [last name redacted]
2021-08-15 17:31:00 (PT)

Dear Robert,

Greetings!

As you have mentioned there is a vulnerability detected in [vendor name] product, we should have at least a CVE code of that vulnerability to research and assist you further.

If you can run a vulnerability scanner, that scanner itself will list the CVEs. Please check and let us know.

Please provide us sufficient details to assist you further.

Have a nice day.

robert neel
2021-08-16 19:38:00 (PT)

Mary,

Thanks for your response! I’ve held off responding as it has taken me a while to formulate a constructive response to your request.

First, I do not blame you and am extremely grateful for your time. But, please understand, your leadership has failed to train you on even the most basic of cybersecurity topics. My recommendation to you would be to request that your leadership better equip you and your co-workers to understand more about this industry. It is painfully apparent that [vendor name]’s culture is not one that understands or follows cybersecurity best practices.

With that said, I’ll address your response…

Generally, the process to have a CVE assigned would be (1) identification of weakness, (2) reporting that to the vendor, (3) vendor acknowledges the issue, (4) vendor determines patch/change needed, (5) CVE is assigned…usually in cooperation with the vendor, (6) publishing of CVE is postponed some to give the vendor time to push out a patch to affected customers, (7) CVE is publicly released.

We are at step 2 in this long process. With that said, here are a few examples of how vendors who take security more seriously have disclosed [redacted vulnerability description] in their products: [three redacted links to CVEs in the last 12 months], etc.

This was not found with a scanner, but since you requested that, here is one you could use: [redacted link]. I threw a handful of your customers’ deployments in here, and they all come back with a “High severity finding”.

Another vulnerability scanner vendor has this: https://www.tenable.com/plugins/was/[redacted].

A third source says this, “[redacted guidance that addresses the vulnerability].” Source: [redacted link]

Based on a review of many of your client deployments, there only appears to be a small number who [redacted vendor’s lame excuse as to why it is insecurely configured] that would benefit from [redacted details of the insecure configuration]. At most, [redacted the insecure configuration details] if custom code is present. That is a really easy change for your developers.

A step up from that would be to automatically [redacted mitigation] when/if a client adds custom code and [redacted, part two of the mitigation]. This is also a fairly easy change for your developers, adds no extra burden to your users, and eliminates [redacted the misconfiguration].

Hopefully that helps.

Thanks,
Robert

Mary [last name redacted]
2021-08-17 20:46:00 (PT)

Dear Robert,

Greetings!

Thank you for your detailed email. I will check this query with our technical team and get back to you.

Have a nice day.

Mary [last name redacted]
2021-08-17 21:01:00 (PT)

Dear Robert,

I have checked with our technical team and they have advised me to ask you to raise a technical case with that serial number and they would be able to address it accordingly, but your email account does not have any device listed to transfer to them further.

I would request you to raise a technical case further specific to the device. Please feel free to contact us again should you need further help.

Have a wonderful day. Thank you for choosing [vendor name], we value your Business!

robert neel
2021-08-18 06:03:00 (PT)

Thanks, Mary. How am I to do this when I do not have a serial number, as mentioned in this ticket (2021-08-10 05:24:00 (PT))?

Mary [last name redacted]
2021-08-18 22:59:00 (PT)

Dear Robert,

You are most welcome.

As this vulnerability issue needs technical assistance, I would request you to reach our [vendor name] Partners.

Here is the link https://www.[vendor name].com/partners/ where you can find region-wise [vendor name] Resellers.

For all pre-sales questions and requirements, it is best to get in touch with any of the [vendor name] Re-sellers in your location.

I wish I could, however we from Customer Service Team do not have much information about.

Therefore, I do not want to share any information that is not complete.

As you are interested in our Product, I would suggest you to get in touch our [vendor name] Reseller and they would be happy to assist you with complete details of the product and would help you with demo as well, if possible.

Our [vendor name] Re-seller would understand your environment where you are trying to install our [redacted product] and make recommendations accordingly.

robert neel
2021-08-19 08:00:00 (PT)

I would recommend that you do not close this ticket without answering the following questions:

1) Are you saying I need to contact one of your resellers (a 3rd party) to report a vulnerability that affects ALL of YOUR customers instead of here ([vendor name] technical support)?!?!?!?
2) Am I understanding you correctly – I need to buy your product in order to report a vulnerability?
3) Does [vendor name] still hold to their “it is not a security issue unless an exploit is provided” policy?
4) How much has your company spent training you, and your co-workers, in the last 12-months?

Hopefully I’m misreading your response and am way off base. Your response is absolutely terrifying coming from a vendor that claims to be a cybersecurity vendor. I’ve reviewed the ticket above – this is my 5th time trying to clarify this situation. It might be my last.

Robert

Mary [last name redacted]
2021-08-19 17:59:00 (PT)

Dear Robert,

Greetings!

Here are the below answers for the question asked

1. Partner will not support on the vulnerability but can assist you on a device with active support to get technical assistance.
2. If this needs to be fixed you need to have a product with active support.
3. As CVEs provided, we can get technical assistance only for paid customers.
4. I am not sure of this. We are from Customer service team and we do not deal with vulnerabilities and if assistance required a technical case should be raised on priority.

I can guide you on this and a solution cannot be provided from our Customer service end unfortunately.

Thanks for your emails.
