Security Advisory Accidentally Exposes Vulnerable Systems

11 July 2022

A security advisory for a vulnerability (CVE) published by MITRE has accidentally been exposing links to remote admin consoles of over a dozen vulnerable IP devices since at least April 2022.

Researcher became aware of this issue yesterday after being tipped off by a reader who prefers to remain anonymous. The reader was baffled to see several links to vulnerable systems listed within the "references" section of the CVE advisory.

CVE advisories published by MITRE get syndicated verbatim across a large number of public sources, feeds, infosec news sites, and vendors providing this data to their customers.

The "references" section of these advisories typically lists links to the original source (a writeup, blog post, or PoC demo) that explains the vulnerability. Including links to publicly exposed, unpatched systems, however, hands threat actors a ready-made list of targets and lets them move straight to exploitation.

Researcher conducted some additional investigation as to how this issue may have occurred and reached out to MITRE as well as some security experts to better understand if this is a normal, or even acceptable, practice.

Security advisory spills the beans

A vulnerability advisory published by MITRE for a high-severity information disclosure vulnerability in April ironically disclosed links to over a dozen live IoT devices vulnerable to the flaw.

It isn't unusual for security advisories to include a "reference" section with several links that validate the existence of a vulnerability. But, any such links typically lead to a proof of concept (PoC) demonstration or writeups explaining the vulnerability rather than to vulnerable systems themselves.

After vulnerabilities are made public, attackers use public IoT search engines like Shodan or Censys to hunt for and target vulnerable devices.

All of which makes this a particularly uncanny case: a public security bulletin listing the locations of not one but several vulnerable devices that are still connected to the internet.

Because a large number of sources rely on MITRE and NVD/NIST for their vulnerability feeds, the CVE advisory (redacted below) has already been syndicated by several vendors, public sources, and services providing CVE data, as observed by researcher.

Clicking on any of the above "reference" links would lead the user to a remote administration dashboard of the (vulnerable) IP cameras or video devices, potentially allowing them to view the live camera feed or exploit the vulnerability.

Note, researcher did not perform any kind of penetration test or further engage with these links other than ensuring these were live and immediately notified MITRE of the issue.

MITRE: What's wrong? We've done it before

Researcher notified MITRE yesterday of this issue and why this could be a security concern.

Surprisingly, we were asked by MITRE, why did we "think these sites should not be included in the advisory," and were further told that MITRE had, in the past, "often listed URLs or other points that may be vulnerable" in similar CVE entries.

MITRE's response prompted researcher to further contact security experts.

Will Dormann, a vulnerability analyst at the CERT Coordination Center (CERT/CC) called this "both not normal and a very BAD thing" to do. And, security researcher Jonathan Leitschuh said much the same in a statement to researcher.

"It's disrespectful to the affected parties to list live vulnerable instances within a CVE entry," Dormann tells researcher.

"The parties involved in the creation of CVE entries should know better. Somewhat surprisingly, according to the GitHub repo for CVE-2022-25584, the author was MITRE themselves."

It is true the CVE advisory itself was published by MITRE, the parent organization of the CVE project that is often the first point of contact for users reporting security vulnerabilities in third-party systems and requesting CVE identifiers.

But researcher discovered that the original source of the mishap was a security writeup published on GitHub by one or more Chinese security researchers while MITRE's CVE entry for the vulnerability was still "reserved" and awaiting publication.

It is in this GitHub version of the advisory that several links to vulnerable devices were listed as "examples." This information appears to have been copy-pasted into MITRE's CVE entry, which was later syndicated across several sites:

Ironically, the original advisory published to GitHub has long been deleted.

Dormann further added, "I just copied and pasted somebody else's work" isn't really a valid excuse and "not living up to MITRE's standards."

It seems this isn't the only time MITRE's CVE database has fallen short of validating links provided in its advisories or retroactively removing dead links:

Note, within a few hours of our email to MITRE, the CVE advisory was swiftly updated to remove all "reference" links pointing to vulnerable IoT devices, from both MITRE's CVEProject GitHub repo and the database. But this update may not remove this information from third-party sources that have already retrieved and published an earlier copy of the entry.
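The failure described above is a missing validation step: nothing checked whether the "reference" URLs pointed at writeups or at live devices before the entry was published and syndicated. The following is an added example, not code from the article, from MITRE or from the CVE Program, of the kind of pre-publication lint a CNA or a downstream feed consumer could run over a CVE record. The JSON layout it reads (`containers.cna.references[].url`) follows the CVE JSON 5 record shape; the allow-list of writeup hosts, the console path hints, the sample record, its placeholder CVE id and its TEST-NET (192.0.2.0/24) addresses are all constructed for illustration.

```python
"""Lint the "references" of a CVE record for links that look like they
point at live systems rather than at writeups or advisories.

Added example, not code from the article or from MITRE/the CVE Program.
The record below is constructed; hostnames and TEST-NET addresses
(192.0.2.0/24) are placeholders, not real devices.
"""
import ipaddress
import json
from urllib.parse import urlsplit

# Hosts that normally carry vulnerability writeups, PoC descriptions or
# vendor advisories. Assumption: this allow-list is illustrative, not a
# list the CVE Program actually uses.
WRITEUP_HOSTS = {
    "github.com", "gist.github.com", "nvd.nist.gov", "cve.mitre.org",
    "www.kb.cert.org", "huntr.dev",
}

# Path fragments that usually mean "management console", not "article".
CONSOLE_PATH_HINTS = ("/login", "/admin", "/cgi-bin/", "/web/", "/index.asp")


def classify_reference(url: str) -> tuple[str, str]:
    """Return (verdict, reason) for one reference URL.

    verdict is "ok" or "suspect". The heuristics are deliberately
    conservative: a bare IP address, a non-standard port, or an
    admin-looking path on an unknown host is treated as a possible
    pointer to a live device and flagged for human review.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host in WRITEUP_HOSTS:
        return "ok", "known writeup/advisory host"
    try:
        ipaddress.ip_address(host)
        return "suspect", "bare IP address as host"
    except ValueError:
        pass
    if parts.port not in (None, 80, 443):
        return "suspect", f"non-standard port {parts.port}"
    if any(hint in parts.path.lower() for hint in CONSOLE_PATH_HINTS):
        return "suspect", "path looks like a management console"
    return "ok", "no live-system indicators"


def lint_cve_record(record: dict) -> list[dict]:
    """Walk the references of a CVE JSON 5 style record and return the
    entries that look like they point at live systems.

    Assumption: only the containers.cna.references[].url layout is read
    here; other record shapes would need their own walker.
    """
    findings = []
    refs = record.get("containers", {}).get("cna", {}).get("references", [])
    for ref in refs:
        verdict, reason = classify_reference(ref.get("url", ""))
        if verdict == "suspect":
            findings.append({"url": ref["url"], "reason": reason})
    return findings


# Constructed record: placeholder CVE id and TEST-NET addresses only.
SAMPLE_RECORD = json.loads("""
{
  "cveMetadata": {"cveId": "CVE-0000-00000"},
  "containers": {"cna": {"references": [
    {"url": "https://github.com/example-org/example-writeup"},
    {"url": "http://192.0.2.10/cgi-bin/main-cgi"},
    {"url": "http://camera.example.net:8080/"},
    {"url": "https://vendor.example.com/security/advisory-1"},
    {"url": "http://192.0.2.25:81/login.asp"}
  ]}}
}
""")


def main() -> None:
    # Three of the five constructed references are flagged for review.
    for finding in lint_cve_record(SAMPLE_RECORD):
        print(f"SUSPECT {finding['url']}  ({finding['reason']})")


if __name__ == "__main__":
    main()
```

A check like this is a gate, not a verdict: a flagged URL goes to a human who decides whether it is a legitimate vendor advisory on an unusual host or a live device that must be stripped before the entry is published. Running it on the consuming side as well matters for the reason the article gives in the last paragraph: a downstream feed that cached the entry before MITRE's fix will otherwise keep republishing the original references.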
