Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Responsible Disclosure

Ramadhan Amizudin
April 05, 2018
Education
0
71

Responsible Disclosure

Ramadhan Amizudin

April 05, 2018
Tweet

More Decks by Ramadhan Amizudin

See All by Ramadhan Amizudin
Hunting Exploit Kit
ramadhanamizudin
0
51

Other Decks in Education

See All in Education
Padlet opetuksessa
matleenalaakso
4
12k
HCL Domino 14.0 AutoUpdate を試してみた
harunakano
0
1.5k
学習指導要領から職場の学びを考えてみる / Thinking about workplace learning from learning guidelines
aki_moon
1
680
2024年度春学期 統計学 第14回 分布についての仮説を検証する ― 仮説検定(1) (2024. 7. 11)
akiraasano
PRO
0
150
Lisätty todellisuus opetuksessa
matleenalaakso
1
2.3k
Blogit opetuksessa
matleenalaakso
0
1.6k
Flip-videochat
matleenalaakso
0
14k
construindo uma carreira com opensource
caarlos0
0
220
開発終了後こそ成長のチャンス!プロダクト運用を見送った先のアクションプラン
ohmori_yusuke
2
150
Bonum Certamen Certavi, Fidem Servavi - A Vida de Santo Edmundo Campeão e a Defesa da Fé em Tempos de Crise
cm_manaus
0
100
HCI and Interaction Design - Lecture 2 - Human-Computer Interaction (1023841ANR)
signer
PRO
0
790
本の虫になろう
kenjiro56
0
140

Featured

See All Featured
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Why You Should Never Use an ORM
jnunemaker
PRO
53
9k
Done Done
chrislema
181
16k
4 Signs Your Business is Dying
shpigford
180
21k
Facilitating Awesome Meetings
lara
49
6.1k
Bash Introduction
62gerente
608
210k
We Have a Design System, Now What?
morganepeng
50
7.2k
Scaling GitHub
holman
458
140k
Statistics for Hackers
jakevdp
796
220k
A Philosophy of Restraint
colly
203
16k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
27
1.9k
Imperfection Machines: The Place of Print at Facebook
scottboms
264
13k

Transcript

  1. Version: [--VX.X--] Date: [--YYYY-MM-DD--] Author: [--Author--] Responsible: [--Responsible--] Confidentiality Class:

    [--Confidentiality Class--] Version: [--VX.X--] Date: [--YYYY-MM-DD--] Author: [--Author--] Responsible: [--Responsible--] Confidentiality Class: [--Confidentiality Class--] Version: 1.0 Date: 2018-04-05 Author: R. Amizudin Responsible: R. Amizudin Confidentiality Class: Public OWASP Malaysia Meetup 2018 Responsible Disclosure

  2. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title:

    [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved ▪ Ahmad Ramadhan Amizudin ▪ Security Consultant at SEC Consult Malaysia ▪ OWASP Project Leader ▪ Wordpress Vulnerability Scanner ▪ Ex-MyCERT Who am I 2

  3. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title:

    [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved “Responsible disclosure is a vulnerability disclosure model in which a vulnerability or issue is disclosed only after a period of time that allows for the vulnerability or issue to be patched.” Wikipedia Definition 5

  4. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title:

    [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved Full Disclosure ▪ Release full detail of the vulnerability as early as possible to the public, without any restriction Coordinated Disclosure ▪ Terminology for older “Responsible Disclosure” ▪ Preferred terms by CERT/CC ▪ Often abbreviated as CVD Definition 6

  5. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title:

    [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved Limited Disclosure ▪ Very little information will be disclosed ▪ Slow down exploit development No Disclosure ▪ The detail(s) will be kept private. ▪ Often enforced by non-disclosure agreements (NDA) Reference: https://vuls.cert.org/confluence/pages/viewpage.action?pageId=4718642 Definition 7

  6. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title:

    [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved Common Vulnerabilities and Exposures ▪ Maintains by MITRE Corporation ▪ CVE-[YEAR]-[ID] ▪ https://cve.mitre.org/ CVE Numbering Authorities (CNAs) ▪ 84 CNAs as of March 5, 2018 ▪ Types of CNA: root, vendors, CERT, bug bounty, vulnerability researcher CVE 8

  7. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title:

    [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved Write Advisory Quality Assurance Notification Vulnerability Validation Coordinated Disclosure Responsible Disclosure Process 9

  8. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title:

    [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved • Always include full information • Vulnerable version • Proof of concept • Portion of code(s) – if there’s source code • Define impact • CVSS3 Score Writing The Advisory 10 Write Advisory Quality Assurance Notification Vulnerability Validation Coordinated Disclosure

  9. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title:

    [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved • A colleague will be assigned to proof-read the advisory • It's normally done by Head of Vulnerability Lab Quality Assurance 11 Write Advisory Quality Assurance Notification Vulnerability Validation Coordinated Disclosure

  10. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title:

    [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved Vendor Notification – Security Contact 13 Write Advisory Quality Assurance Notification Vulnerability Validation Coordinated Disclosure Finding Contact Security Contact Customer Service Communication Encrypted Plain Text Update Advisory

  11. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title:

    [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved ▪ Update vendor contact timeline section ▪ Add short description ▪ Adjust release date as soon as patch date is known ▪ Vendor should provide: ▪ Affected version ▪ Fixed version (or patch version) ▪ CVE number if applicable Vulnerability Validation & Resolution 14 Write Advisory Quality Assurance Notification Vulnerability Validation Coordinated Disclosure

  12. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title:

    [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved ▪ Coordinate with the vendor & CERT as soon as patch is available ▪ Include proof of concept if an update is available ▪ Send the latest version of the advisory to vendor before the publication ▪ If the vendor is unresponsive ▪ Publication on “possible release date” ▪ Proof of concept will be removed Coordinated Disclosure 15 Write Advisory Quality Assurance Notification Vulnerability Validation Coordinated Disclosure

  13. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title:

    [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved Advisory 19

  14. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title:

    [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved ➢ Unresponsive Vendor ➢ No Respond ➢ Delaying Patch To Be Release ➢ Spoon Feeding Service ➢ Fixing ➢ Consulting ➢ Vendor does not allow to publish the advisory ➢ No Disclosure ➢ Legal Action ➢ No Credit Challenges 20

  15. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title:

    [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved CVE-2018-1000019 & CVE-2018-1000020 21 Reference: https://www.sec-consult.com/en/blog/advisories/os-command-injection-reflected-cross-site- scripting-in-openemr/index.html

  16. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title:

    [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved VLC for iOS 22 Reference: https://www.sec-consult.com/en/blog/advisories/local-file-disclosure-in-vlc-media-player-ios- app/index.html

  17. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title:

    [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved ➢ Allow vendor to fix security issue ➢ Avoid bad guy from weaponizing the vulnerability ➢ Marketing tool :) ➢ Keeping the internet safe Conclusion 23

  18. Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X /

    YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved Question? 25

  19. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title:

    [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved ▪ Position: Security Consultant ▪ Required Skills: Penetration testing, report writing ▪ Bonus Skill: Secure code review ▪ Send CV/resume to [email protected] Vacancy @ SEC Consult Malaysia 26

  20. © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title:

    [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2013 SEC Consult Unternehmensberatung GmbH All rights reserved Title: [--Title--] | Responsible: [--Responsible--] Version / Date: [--VX.X / YYYY-MM-DD--] | Confidentiality Class: [--Confidentiality Class--] © 2014 SEC Consult Unternehmensberatung GmbH All rights reserved Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved Contact 27 LITHUANIA UAB Critical Security, a SEC Consult company Sauletekio al. 15-311 10224 Vilnius Tel +370 5 2195535 Email [email protected] RUSSIA CJCS Security Monitor 5th Donskoy proyezd, 15, Bldg. 6 119334, Moscow Tel +7 495 662 1414 Email [email protected] SINGAPORE SEC Consult Singapore PTE. LTD 4 Battery Road #25-01 Bank of China Building Singapore (049908) Email [email protected] CANADA i-SEC Consult Inc. 100 René-Lévesque West, Suite 2500 Montréal (Quebec) H3B 5C9 Email [email protected] GERMANY SEC Consult Unternehmensberatung Deutschland GmbH Bockenheimer Landstraße 17-19 60325 Frankfurt / Main Tel +49 69 175 373 43 Email [email protected] THAILAND SEC Consult (Thailand) Co.,Ltd. 29/1 Piyaplace Langsuan Building 16th Floor, 16B Soi Langsuan, Ploen Chit Road Lumpini, Patumwan | Bangkok 10330 Email [email protected] www.sec-consult.com MALAYSIA SEC Consult Malaysia Sdn. Bhd. Unit C-12-4, Megan Avenue II, Jalan Yap Kwan Seng, 50450 Kuala Lumpur Email [email protected] AUSTRIA SEC Consult Unternehmensberatung GmbH Mooslackengasse 17 1190 Vienna Tel +43 1 890 30 43 0 | Fax +43 1 890 30 43 15 Email [email protected]