Responding to our first CVE and developing our CVE process

Originally published at: http://mycroft.ai/blog/cve-process/

This blog post is primarily for our readers who have a technical background; if you are non-technical, you can safely ignore it.

As our software becomes more mature, and our user base grows - we have nearly 20k registered users - we’re inevitably going to encounter security issues. Because we’ve been predominantly developer-focused over the last three years, how we handle common exploits and vulnerabilities (CVEs) is something that’s been on the backburner.

So, in a way, it’s another milestone that we’ve had our first CVE identified.

Community Member @nhoya recently identified a web socket server vulnerability in mycroft-core code, that, if you know how, is vulnerable to a remote code execution exploit. You can read more on the exploit itself here, and join the discussion on our Forum if you’re interested.

First up, we’d like to take the opportunity to thank Community Member @nhoya for his excellent work in identifying this CVE, and for practising responsible disclosure. This vulnerability was disclosed to us in confidence at Mycroft 90 days before it was made public. We assessed the impact of this issue as low risk, given that it is reasonably complex to undertake, and that it affected only the GitHub-based installations of Mycroft, not our Mark 1 or Picroft offerings. If you’re interested in how CVEs are assessed, you can read more about the Common Vulnerability Scoring System here.

We also saw this as an opportunity to put some more structure around the way we approach the identification, reporting, assessment and mitigation of CVEs. Prior to the web socket server vulnerability being disclosed, we hadn’t yet developed a CVE process. Being a startup, process is something that we tend to build as-needed, focusing instead on continuous delivery of features to our end users.

However, it’s time that we put this in place.

To this end, we’ve drafted a process, and we’d really like to get your feedback - particularly if you practice in the infosec space. This document outlines why we need a process, what the process steps are and how the process contributes to the overall success of Mycroft AI as a company.

Let us know what you think in the forum.

  • Are the steps appropriate?
  • Are there steps missing?
  • What would you like to see in our CVE log? Should it be public?

CVE details

With a very big thank you to the folks at MITRE, our first CVE number is CVE-2018-1000621. You can read more on the Distributed Weakness Filing Project spreadsheet, or you can also see the JSON data below.

{
   "data_version":"4.0",
   "references":{
      "reference_data":[
         {
            "url":"https://github.com/Nhoya/MycroftAI-RCE"
         },
         {
            "url":"https://community.openconversational.ai/t/zero-click-remote-code-execution-in-mycroft-ai-vocal-assistant/3930/13"
         }
      ]
   },
   "description":{
      "description_data":[
         {
            "lang":"eng",
            "value":"Mycroft AI mycroft-core version 18.2.8b and earlier contains a Incorrect Access Control vulnerability in Websocket configuration - https://github.com/MycroftAI/mycroft-core/blob/1f4c98f29ceb6a7981474f1620441e43aa364d00/mycroft/messagebus/service/main.py#L28-L57 that can result in This impacts ONLY the Mycroft for Linux and \"non-enclosure\" installs - Mark 1 and Picroft unaffected. This attack appear to be exploitable via Full proof of concept with thanks to @nhoya at: https://github.com/Nhoya/MycroftAI-RCE - method of exploitation is to open a connection to the unsecured websocket server. This vulnerability appears to have been fixed in No fix currently available."
         }
      ]
   },
   "data_type":"CVE",
   "affects":{
      "vendor":{
         "vendor_data":[
            {
               "product":{
                  "product_data":[
                     {
                        "version":{
                           "version_data":[
                              {
                                 "version_value":"18.2.8b and earlier"
                              }
                           ]
                        },
                        "product_name":"mycroft-core"
                     }
                  ]
               },
               "vendor_name":"Mycroft AI"
            }
         ]
      }
   },
   "CVE_data_meta":{
      "DATE_ASSIGNED":"2018-07-08T15:52:41.202073",
      "DATE_REQUESTED":"2018-06-12T17:08:05",
      "ID":"CVE-2018-1000621",
      "ASSIGNER":"kurt@seifried.org",
      "REQUESTER":"security@mycroft.ai"
   },
   "data_format":"MITRE",
   "problemtype":{
      "problemtype_data":[
         {
            "description":[
               {
                  "lang":"eng",
                  "value":"Incorrect Access Control"
               }
            ]
         }
      ]
   }
}

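The CVE record above classifies the issue as "Incorrect Access Control" in the websocket configuration, exploitable simply by connecting to the unsecured websocket server, and notes that only the GitHub-based Linux installs were affected. The check an operator wants before a fix ships is therefore whether the message-bus listener is reachable beyond the local machine at all. The following audit is an added example written for this thread; it is not code from mycroft-core, and the configuration layout it assumes (a "websocket" section with "host", "port", "route" and "ssl" keys, plus the two sample configurations) is a constructed illustration rather than a copy of any real installation.

```python
"""Flag message-bus websocket listeners that are reachable from the network.

Added example, not code from mycroft-core. The configuration layout
(a "websocket" section with "host", "port", "route" and "ssl" keys) is an
assumption made for illustration.
"""
import ipaddress
from typing import Dict, List

# Values that make a typical server listen on every interface (assumed conventions).
WILDCARD_HOSTS = {"", "0.0.0.0", "::", "*"}

# Constructed sample configurations; not taken from any real installation.
WEAK_CONFIG = {
    "websocket": {"host": "0.0.0.0", "port": 8181, "route": "/core", "ssl": False}
}
HARDENED_CONFIG = {
    "websocket": {"host": "127.0.0.1", "port": 8181, "route": "/core", "ssl": False}
}


def is_loopback(host: str) -> bool:
    """True when the host name or address refers only to the local machine."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        # Unresolved host names are treated as network-reachable (fail closed).
        return False


def audit_websocket(config: Dict) -> List[str]:
    """Return findings for the websocket listener; an empty list means no exposure found."""
    ws = config.get("websocket")
    if ws is None:
        return ["no websocket section present; exposure cannot be assessed"]
    host = str(ws.get("host", ""))
    port = ws.get("port")
    findings: List[str] = []
    if host in WILDCARD_HOSTS:
        findings.append(
            f"listener on port {port} binds to all interfaces ({host!r}); "
            "every network peer can reach the unauthenticated message bus"
        )
    elif not is_loopback(host):
        findings.append(f"listener on port {port} binds to non-loopback address {host!r}")
    # TLS only matters once the listener leaves the loopback interface.
    if findings and not ws.get("ssl", False):
        findings.append("TLS disabled on a network-reachable listener; bus messages cross the network in cleartext")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_websocket(cfg) or ['no exposure found']}")
```

Binding the listener to a loopback address removes remote reachability, which is the concern in the record above, but it does not add authentication: any local process can still speak to the bus, so on multi-user hosts an access-control fix is still needed on top of the binding change.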
what score did you get? https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System

I think this is useful information for users to have, especially if you can explain the scores; non-technical users would be better able to judge the impact for them.


Reviewed the document. An excellent beginning.

When reading section Process Step - CVE mitigation and/or resolution it might be nice to identify the potential scope of resolution/mitigation.

Example: Whenever the team I was on identified an issue the resolution involved both the immediate resolution/bug fix, and also included suggested improvements to our existing procedures to mitigate future occurrences.

From memory it was around 3-4

Great feedback, thanks so much @RobRaft.

I’ve proposed a change to this process step based on your feedback - the change is in the document if you want to have a look.

Again, a huge thanks for taking the time to review and provide constructive feedback.

Kind regards,
Kathy