Originally published at: http://mycroft.ai/blog/cve-process/
This blog post is primarily for our readers who have a technical background; if you are non-technical, you can safely ignore it.
As our software matures and our user base grows - we have nearly 20k registered users - we are inevitably going to encounter security issues. Because we have been predominantly developer-focused over the last three years, how we handle Common Vulnerabilities and Exposures (CVEs) is something that has been on the back burner.
So, in a way, it’s another milestone that we’ve had our first CVE identified.
Community Member @nhoya recently identified a vulnerability in the mycroft-core web socket server that, given the right conditions, allows remote code execution. You can read more on the exploit itself here, and join the discussion on our Forum if you’re interested.
First up, we’d like to take the opportunity to thank Community Member @nhoya for his excellent work in identifying this CVE, and for practising responsible disclosure. This vulnerability was disclosed to us in confidence at Mycroft 90 days before it was made public. We assessed the impact of this issue as low risk, given that it is reasonably complex to undertake, and that it affected only the GitHub-based installations of Mycroft, not our Mark 1 or Picroft offerings. If you’re interested in how CVEs are assessed, you can read more about the Common Vulnerability Scoring System here.
We also saw this as an opportunity to put some more structure around the way we approach the identification, reporting, assessment and mitigation of CVEs. Prior to the web socket server vulnerability being disclosed, we hadn’t yet developed a CVE process. As a startup, we tend to build process as needed, focusing instead on continuous delivery of features to our end users.
However, it’s time that we put this in place.
To this end, we’ve drafted a process, and we’d really like to get your feedback - particularly if you practice in the infosec space. This document outlines why we need a process, what the process steps are and how the process contributes to the overall success of Mycroft AI as a company.
Let us know what you think in the forum.
- Are the steps appropriate?
- Are there steps missing?
- What would you like to see in our CVE log? Should it be public?
CVE details
With a very big thank you to the folks at MITRE, our first CVE number is CVE-2018-1000621. You can read more on the Distributed Weakness Filing Project spreadsheet, or you can also see the JSON data below.
{
  "data_version": "4.0",
  "references": {
    "reference_data": [
      {
        "url": "https://github.com/Nhoya/MycroftAI-RCE"
      },
      {
        "url": "https://community.openconversational.ai/t/zero-click-remote-code-execution-in-mycroft-ai-vocal-assistant/3930/13"
      }
    ]
  },
  "description": {
    "description_data": [
      {
        "lang": "eng",
        "value": "Mycroft AI mycroft-core version 18.2.8b and earlier contains a Incorrect Access Control vulnerability in Websocket configuration - https://github.com/MycroftAI/mycroft-core/blob/1f4c98f29ceb6a7981474f1620441e43aa364d00/mycroft/messagebus/service/main.py#L28-L57 that can result in This impacts ONLY the Mycroft for Linux and \"non-enclosure\" installs - Mark 1 and Picroft unaffected. This attack appear to be exploitable via Full proof of concept with thanks to @nhoya at: https://github.com/Nhoya/MycroftAI-RCE - method of exploitation is to open a connection to the unsecured websocket server. This vulnerability appears to have been fixed in No fix currently available."
      }
    ]
  },
  "data_type": "CVE",
  "affects": {
    "vendor": {
      "vendor_data": [
        {
          "product": {
            "product_data": [
              {
                "version": {
                  "version_data": [
                    {
                      "version_value": "18.2.8b and earlier"
                    }
                  ]
                },
                "product_name": "mycroft-core"
              }
            ]
          },
          "vendor_name": "Mycroft AI"
        }
      ]
    }
  },
  "CVE_data_meta": {
    "DATE_ASSIGNED": "2018-07-08T15:52:41.202073",
    "DATE_REQUESTED": "2018-06-12T17:08:05",
    "ID": "CVE-2018-1000621",
    "ASSIGNER": "kurt@seifried.org",
    "REQUESTER": "security@mycroft.ai"
  },
  "data_format": "MITRE",
  "problemtype": {
    "problemtype_data": [
      {
        "description": [
          {
            "lang": "eng",
            "value": "Incorrect Access Control"
          }
        ]
      }
    ]
  }
}
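The record above is in the MITRE CVE JSON 4.0 format, which is what a CVE log would ingest. As an added example (not Mycroft's code), the Python below flattens such a record into the fields a triage log entry needs: ID, assigner, affected vendor/product/version triples, weakness type, references, and whether a fix is known. The sample is an abbreviated copy of the page's record, and the "fix available" heuristic, which keys on the unfilled "fixed in" slot of the DWF description template, is my assumption.

```python
"""Flatten a MITRE CVE JSON 4.0 record (the format shown above) into a triage summary."""
import json

# Constructed sample: an abbreviated copy of the CVE-2018-1000621 record shown on this page.
SAMPLE_RECORD = json.dumps({
    "data_version": "4.0",
    "data_format": "MITRE",
    "data_type": "CVE",
    "CVE_data_meta": {"ID": "CVE-2018-1000621", "ASSIGNER": "kurt@seifried.org",
                      "REQUESTER": "security@mycroft.ai",
                      "DATE_ASSIGNED": "2018-07-08T15:52:41.202073"},
    "affects": {"vendor": {"vendor_data": [{"vendor_name": "Mycroft AI", "product": {
        "product_data": [{"product_name": "mycroft-core", "version": {
            "version_data": [{"version_value": "18.2.8b and earlier"}]}}]}}]}},
    "problemtype": {"problemtype_data": [{"description": [
        {"lang": "eng", "value": "Incorrect Access Control"}]}]},
    "references": {"reference_data": [{"url": "https://github.com/Nhoya/MycroftAI-RCE"}]},
    "description": {"description_data": [{"lang": "eng",
        "value": "... This vulnerability appears to have been fixed in No fix currently available."}]},
})


def summarize_cve(record_text):
    """Walk the nested vendor/product/version arrays and return a flat dict."""
    rec = json.loads(record_text)
    if rec.get("data_format") != "MITRE" or rec.get("data_version") != "4.0":
        raise ValueError("not a MITRE CVE JSON 4.0 record")
    meta = rec["CVE_data_meta"]
    affected = []  # (vendor, product, version) triples
    for vendor in rec["affects"]["vendor"]["vendor_data"]:
        for product in vendor["product"]["product_data"]:
            for ver in product["version"]["version_data"]:
                affected.append((vendor["vendor_name"], product["product_name"], ver["version_value"]))
    weaknesses = [d["value"] for pt in rec["problemtype"]["problemtype_data"]
                  for d in pt["description"] if d["lang"] == "eng"]
    description = " ".join(d["value"] for d in rec["description"]["description_data"] if d["lang"] == "eng")
    # Assumption: DWF descriptions are template-generated; an unfilled "fixed in" slot reads
    # "fixed in No fix currently available", which we treat as "no fix known".
    fix_available = "fixed in No fix currently available" not in description
    return {
        "id": meta["ID"], "assigner": meta["ASSIGNER"], "date_assigned": meta.get("DATE_ASSIGNED"),
        "affected": affected, "weaknesses": weaknesses,
        "references": [r["url"] for r in rec["references"]["reference_data"]],
        "fix_available": fix_available,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_cve(SAMPLE_RECORD), indent=2))
```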