Episode 203: What’s wrong with CVEs? Daniel Stenberg of cURL wants you to know

Guests Daniel Stenberg | Dan Lorenc Panelist Richard Littauer Show Notes Today, we are switching things up and doing something new for this episode of Sustain, where we’ll be talking about current events, specifically security challenges. Richard welcomes guest, Daniel Stenberg, founder, and lead developer of the cURL project. Richard and Daniel dive into the complexities of Common Vulnerabilities and Exposures (CVEs), discussing issues with how they are reported, scored, and the potential impact on open source maintainers. They also explore the difficulty of fixing the CVE system, propose short-term solutions, and address concerns about CVE-related DDOS attacks. Dan Lorenc, co-founder, and CEO of Chainguard, also joins us and offers insights into the National Vulnerability Database (NVD) and suggests ways to improve CVE quality. NDS’s response is examined, and Daniel shares his frustrations and uncertainties regarding the CVE system’s future. Hit download now to hear more! [00:01:00] Richard explains that they will discuss Common Vulnerabilities and Exposures (CVEs) and mentions that CVEs were launched in September 1999, briefly highlighting their purpose. He mentions receiving an email about a CVE related to the cURL project, which wasn’t acknowledged by the cURL team. [00:01:50] Daniel explains that the email about the CVE was sent to the cURL library mailing list by a contributor who noticed the issue. He describes the confusion about the old bug being registered as a new CVE. discusses the process of requesting a CVE. He also mentions the National Vulnerability Database (NVD) and how it consumes and assigns severity scores to CVEs. [00:03:54] Daniel discusses the process of requesting a CVE which involves organizations like MITRE, and he mentions the National Vulnerability Database (NVD) and how it consumes and assigns severity scores to CVEs. [00:06:21] Richard asks about how NVD assigns severity scores to CVEs and specifically in the case of CVE 2020, and Daniel describes the actual bug in curl, which was a minor issue involving retry delays and not a severe security threat. [00:09:57] Richard questions who at NVD determines these scores and whether they are policy makers or coders, to which Daniel admits he has no idea and discusses his efforts to address the issue. He expresses frustration with NVD’s scoring system and their lack of communication. [00:11:18] Daniel and Richard discuss their concerns about the accuracy and relevance of CVE ratings, especially in cases where those assigning scores may not fully understand the technical details of vulnerabilities. [00:14:37] We now welcome Dan Lorenc to get his point of view on this issue. Dan introduces himself and talks about his experience with the NVD, highlighting some of the issues with CVE scoring and the varying quality of CVE reports. [00:16:11] Dan mentions the problems with the CVSS scoring and the incentives for individuals to report vulnerabilities with higher scores for personal gain, leading to score inflation. Dan suggests that NVD could improve the quality of CVEs by applying more scrutiny to high-severity and widely used libraries like cURL, which could reduce the noise and waste of resources in the industry. [00:18:23] Richard presents NVD’s response to their inquiry. Then, Daniel and Richard discuss NVD’s response and the discrepancy between their assessment and that of open source maintainers like Daniel who believe that some CVEs are not valid security issues. [00:20:44] Richard asks if anyone offered to fund the work to fix vulnerabilities in important open source projects like cURL when a CVE is reported. Daniel replies that no such offers have been made, as most involved in the project recognize that some CVEs are not actual security problems, but rather meta problems caused by the CVE rating system. [00:21:40] Daniel explains his short-term solution of registering his own CNA (CVE Numbering Authority) to manage CVEs for his products and prevent anonymous users from filing CVEs. [00:23:04] Richard raises concerns about the potential for a CVE DDOS attack on open source, overwhelming them with a flood of CVE reports. [00:24:20] Daniel comments on the growing problem of both legitimate and invalid CVEs being reported, as security scanners increasingly scan for them. Richard reflects on the global nature of the problem, and Daniel emphasizes the importance of having a unique ID for security problems like CVEs. Links SustainOSS SustainOSS Twitter SustainOSS Discourse [email protected] SustainOSS Mastodon Open Collective-SustainOSS (Contribute) Richard Littauer Twitter Richard Littauer Mastodon Daniel Stenberg Twitter Daniel Stenberg Mastodon Daniel Stenberg Website Dan Lorenc Twitter National Vulnerability Database CVE cURL Chainguard Sustain Podcast-Episode 185: Daniel Stenberg on the cURL project Sustain Podcast-Episode 93: Dan Lorenc and OSS Supply Chain Security at Google Credits Produced by Justin Dorfman & Richard Littauer Edited by Paul M. Bahr at Peachtree Sound Show notes by DeAnn Bahr Peachtree Sound Special Guests: Dan Lorenc and Daniel Stenberg.