Security Advisory Accidentally Exposes Vulnerable Systems

11 July 2022

A security advisory for a vulnerability (CVE) published by MITRE has accidentally been exposing links to remote admin consoles of over a dozen vulnerable IP devices since at least April 2022.

Researcher became aware of this issue yesterday after getting tipped off by a reader who prefers to remain anonymous. The reader was baffled on seeing several links to vulnerable systems listed within the "references" section of the CVE advisory.

CVE advisories published by MITRE get syndicated verbatim across a large number of public sources, feeds, infosec news sites, and vendors providing this data to their customers.

The "references" section of these advisories typically lists links to the original source (a writeup, blog post, or PoC demo) that documents the vulnerability. Listing links to publicly exposed, unpatched systems instead hands threat actors a ready-made target list for exploiting those very systems.
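The check a data consumer (or a CNA) would want here is a lint of the record's reference URLs before syndicating or publishing them. The following Python script is an added example, not part of the original article and not MITRE's tooling: it flags references whose host is an IP literal, which use a non-default port, or which fall outside an allowlist of hosts that normally carry writeups. The CVE record embedded in it is constructed for the example (documentation-reserved addresses and example domains), the allowlist is an assumption rather than CVE policy, and the parser accepts both the JSON 4.0 layout used by the cvelist repo and the 5.0 layout used by cvelistV5.

```python
"""Lint a CVE record's references for URLs that look like live hosts.

Added example: the record and the allowlist below are constructed for
illustration and are not from the article, MITRE or the CVE Program.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Hosts where a CVE reference normally points at a writeup, PoC or vendor
# notice. This allowlist is an assumption for the example, not CVE policy.
WRITEUP_HOSTS = {
    "github.com", "gist.github.com", "gitlab.com", "nvd.nist.gov",
    "cve.mitre.org", "www.cve.org", "kb.cert.org", "huntr.dev",
}

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed CVE JSON 4.0 record (cvelist layout) with a mix of references:
# one real-looking writeup and three that point at devices, not documents.
SAMPLE_RECORD = json.dumps({
    "data_type": "CVE",
    "data_format": "MITRE",
    "data_version": "4.0",
    "CVE_data_meta": {"ID": "CVE-0000-00000", "ASSIGNER": "cve@mitre.org",
                      "STATE": "PUBLIC"},
    "references": {"reference_data": [
        {"url": "https://github.com/example/advisory/blob/main/README.md",
         "refsource": "MISC", "name": "writeup"},
        {"url": "http://203.0.113.7:8080/", "refsource": "MISC", "name": "example"},
        {"url": "http://cam.example.net:81/login.html", "refsource": "MISC",
         "name": "example"},
        {"url": "http://[2001:db8::1]/", "refsource": "MISC", "name": "example"},
    ]},
})


def extract_reference_urls(record: dict) -> list[str]:
    """Return reference URLs from either record layout.

    CVE JSON 4.0 (cvelist):   record["references"]["reference_data"][i]["url"]
    CVE JSON 5.0 (cvelistV5): record["containers"]["cna"]["references"][i]["url"]
    """
    refs = record.get("references", {}).get("reference_data")
    if refs is None:
        refs = record.get("containers", {}).get("cna", {}).get("references", [])
    return [r["url"] for r in refs if "url" in r]


def classify_reference(url: str) -> list[str]:
    """Return the reasons a reference looks like a live host, not a writeup.

    An empty list means nothing suspicious was found.
    """
    reasons = []
    parts = urlsplit(url)
    host = parts.hostname or ""          # lowercased; IPv6 brackets stripped

    # Literal IPv4/IPv6 host: writeups live under names, devices under addresses.
    try:
        ipaddress.ip_address(host)
        reasons.append("ip-literal-host")
    except ValueError:
        pass

    # Explicit non-default port is typical of an exposed admin console.
    try:
        port = parts.port
    except ValueError:                   # e.g. "http://h:abc/" (malformed port)
        port = None
        reasons.append("malformed-port")
    if port is not None and port != DEFAULT_PORTS.get(parts.scheme):
        reasons.append("non-standard-port")

    # Anything outside the writeup allowlist deserves a human look.
    if host and "ip-literal-host" not in reasons and host not in WRITEUP_HOSTS:
        reasons.append("host-not-in-allowlist")
    return reasons


def lint_cve_record(json_text: str) -> dict[str, list[str]]:
    """Parse a CVE record and map each suspicious reference URL to its reasons."""
    record = json.loads(json_text)
    findings = {}
    for url in extract_reference_urls(record):
        reasons = classify_reference(url)
        if reasons:
            findings[url] = reasons
    return findings


if __name__ == "__main__":
    for url, reasons in lint_cve_record(SAMPLE_RECORD).items():
        print(f"{url}: {', '.join(reasons)}")
```

Run against the constructed record, the GitHub writeup passes and the three device-style URLs are reported. The heuristics are deliberately conservative: a legitimate vendor advisory on an unlisted domain will show up as "host-not-in-allowlist" for a person to confirm, while IP-literal hosts and odd ports are the signals that most strongly suggest a live device rather than a document.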

Researcher conducted some additional investigation as to how this issue may have occurred and reached out to MITRE as well as some security experts to better understand if this is a normal, or even acceptable, practice.

Security advisory spills the beans

A vulnerability advisory published by MITRE for a high-severity information disclosure vulnerability in April ironically disclosed links to over a dozen live IoT devices vulnerable to the flaw.

It isn't unusual for security advisories to include a "references" section with several links that validate the existence of a vulnerability. But any such links typically lead to a proof of concept (PoC) demonstration or a writeup explaining the vulnerability, not to vulnerable systems themselves.

After vulnerabilities are made public, attackers use public IoT search engines like Shodan or Censys to hunt for and target vulnerable devices.

All of which makes it particularly uncanny for a public security bulletin to list the locations of not one but several vulnerable devices that are still connected to the internet.

Because a large number of sources rely on MITRE and NVD/NIST for receiving vulnerability feeds, the CVE advisory (redacted below) has already been syndicated by several vendors, public sources, and services providing CVE data, as observed by researcher.

Clicking on any of the above "reference" links would lead the user to a remote administration dashboard of the (vulnerable) IP cameras or video devices, potentially allowing them to view the live camera feed or exploit the vulnerability.

Note, researcher did not perform any kind of penetration test or further engage with these links other than ensuring these were live and immediately notified MITRE of the issue.

MITRE: What's wrong? We've done it before

Researcher notified MITRE yesterday of this issue and why this could be a security concern.

Surprisingly, we were asked by MITRE, why did we "think these sites should not be included in the advisory," and were further told that MITRE had, in the past, "often listed URLs or other points that may be vulnerable" in similar CVE entries.

MITRE's response prompted researcher to further contact security experts.

Will Dormann, a vulnerability analyst at the CERT Coordination Center (CERT/CC) called this "both not normal and a very BAD thing" to do. And, security researcher Jonathan Leitschuh said much the same in a statement to researcher.

"It's disrespectful to the affected parties to list live vulnerable instances within a CVE entry," Dormann tells researcher.

"The parties involved in the creation of CVE entries should know better. Somewhat surprisingly, according to the GitHub repo for CVE-2022-25584, the author was MITRE themselves."

It is true the CVE advisory itself was published by MITRE, which operates the CVE Program and, acting as a CVE Numbering Authority, is often the first point of contact for users reporting security vulnerabilities in third-party products and requesting CVE identifiers.

But researcher discovered that the original source of the mishap was a security writeup published on GitHub by one or more Chinese security researchers while MITRE's CVE entry for the vulnerability was still in the "reserved" state, awaiting publication.

It is in this GitHub version of the advisory that several links to vulnerable devices were listed as "examples." This information appears to have been copied and pasted into MITRE's CVE entry, which was later syndicated across several sites.

Ironically, the original advisory published to GitHub has long been deleted.

Dormann further added, "I just copied and pasted somebody else's work" isn't really a valid excuse and "not living up to MITRE's standards."

It seems this isn't the only time MITRE's CVE database has fallen short of validating the links provided in its advisories, or of retroactively removing dead links.

Note, within a few hours of our email to MITRE, the CVE advisory was swiftly updated to remove all "reference" links pointing to vulnerable IoT devices, from both MITRE's CVEProject GitHub repo and the database. But this update may not remove this information from third-party sources that have already retrieved and published an earlier copy of the entry.
