
Responsible Disclosure


Ramadhan Amizudin

April 05, 2018

Transcript

  1. Version: 1.0 | Date: 2018-04-05 | Author: R. Amizudin | Responsible: R. Amizudin | Confidentiality Class: Public
     OWASP Malaysia Meetup 2018 – Responsible Disclosure
  2. Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin | Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public
     © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved
     Who am I
     ▪ Ahmad Ramadhan Amizudin
     ▪ Security Consultant at SEC Consult Malaysia
     ▪ OWASP Project Leader: Wordpress Vulnerability Scanner
     ▪ Ex-MyCERT
  3. Definition
     “Responsible disclosure is a vulnerability disclosure model in which a vulnerability or issue is disclosed only after a period of time that allows for the vulnerability or issue to be patched.” (Wikipedia)
  4. Definition
     Full Disclosure
     ▪ Release the full details of the vulnerability to the public as early as possible, without any restriction
     Coordinated Disclosure
     ▪ Current terminology for the older “Responsible Disclosure”
     ▪ Term preferred by CERT/CC
     ▪ Often abbreviated as CVD
  5. Definition
     Limited Disclosure
     ▪ Very little information is disclosed
     ▪ Slows down exploit development
     No Disclosure
     ▪ The details are kept private
     ▪ Often enforced by non-disclosure agreements (NDA)
     Reference: https://vuls.cert.org/confluence/pages/viewpage.action?pageId=4718642
  6. CVE
     Common Vulnerabilities and Exposures
     ▪ Maintained by the MITRE Corporation
     ▪ Identifier format: CVE-[YEAR]-[ID]
     ▪ https://cve.mitre.org/
     CVE Numbering Authorities (CNAs)
     ▪ 84 CNAs as of March 5, 2018
     ▪ Types of CNA: root, vendors, CERT, bug bounty, vulnerability researcher
  7. Responsible Disclosure Process
     Write Advisory → Quality Assurance → Notification → Vulnerability Validation → Coordinated Disclosure
  8. Writing The Advisory
     • Always include full information:
       • Vulnerable version
       • Proof of concept
       • Portion of code(s), if there is source code
       • Define impact
       • CVSS3 score
  9. Quality Assurance
     • A colleague is assigned to proof-read the advisory
     • Normally done by the Head of Vulnerability Lab
  10. Vendor Notification – Security Contact
     Finding a contact: Security Contact | Customer Service
     Communication: Encrypted | Plain Text
     Update Advisory
  11. Vulnerability Validation & Resolution
     ▪ Update the vendor contact timeline section
     ▪ Add a short description
     ▪ Adjust the release date as soon as the patch date is known
     ▪ The vendor should provide:
       ▪ Affected version
       ▪ Fixed version (or patch version)
       ▪ CVE number, if applicable
  12. Coordinated Disclosure
     ▪ Coordinate with the vendor & CERT as soon as a patch is available
     ▪ Include the proof of concept if an update is available
     ▪ Send the latest version of the advisory to the vendor before publication
     ▪ If the vendor is unresponsive:
       ▪ Publication on the “possible release date”
       ▪ The proof of concept will be removed
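The advisory lifecycle described on slides 8 to 12 (notification sets a possible release date, validation adjusts it to the patch date, coordinated disclosure drops the proof of concept when the vendor is unresponsive), as an added Python example that is not from the deck or from SEC Consult; the 90-day window, the field names and the constructed sample advisory are assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed window from notification to the "possible release date" (placeholder; the deck gives no number)
DISCLOSURE_WINDOW = timedelta(days=90)
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")  # CVE-[YEAR]-[ID]


@dataclass
class Advisory:
    title: str
    vulnerable_version: str
    impact: str
    cvss3_score: float
    proof_of_concept: Optional[str]
    fixed_version: Optional[str] = None
    cve_ids: list = field(default_factory=list)
    release_date: Optional[date] = None
    timeline: list = field(default_factory=list)  # the "vendor contact timeline" section

    def notify_vendor(self, when: str, channel: str, encrypted: bool) -> str:
        """Notification step: log the contact and set the possible release date (ISO dates)."""
        self.timeline.append((when, f"notified via {channel} ({'encrypted' if encrypted else 'plain text'})"))
        self.release_date = date.fromisoformat(when) + DISCLOSURE_WINDOW
        return self.release_date.isoformat()

    def vendor_response(self, when: str, fixed_version: str, patch_date: str, cve_ids) -> None:
        """Validation step: the vendor supplies fixed version, patch date and CVE ids."""
        bad = [c for c in cve_ids if not CVE_ID.match(c)]
        if bad:
            raise ValueError(f"malformed CVE id(s): {bad}")
        self.fixed_version = fixed_version
        self.cve_ids = list(cve_ids)
        self.release_date = date.fromisoformat(patch_date)  # adjust as soon as the patch date is known
        self.timeline.append((when, f"vendor confirmed fix in {fixed_version}, patch on {patch_date}"))

    def publish(self, today: str) -> Optional[dict]:
        """Coordinated disclosure: the public advisory, or None while still embargoed."""
        if self.release_date is None or date.fromisoformat(today) < self.release_date:
            return None
        responsive = self.fixed_version is not None
        return {
            "title": self.title,
            "vulnerable_version": self.vulnerable_version,
            "fixed_version": self.fixed_version,
            "impact": self.impact,
            "cvss3_score": self.cvss3_score,
            "cve_ids": self.cve_ids,
            # the PoC is published only when the vendor was responsive and a fix exists
            "proof_of_concept": self.proof_of_concept if responsive else None,
            "vendor_status": "responsive" if responsive else "unresponsive",
            "timeline": list(self.timeline),
        }
```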
  13. Advisory
  14. Challenges
     ➢ Unresponsive vendor
       ➢ No response
       ➢ Delaying the patch release
     ➢ Spoon-feeding service
       ➢ Fixing
       ➢ Consulting
     ➢ Vendor does not allow the advisory to be published
       ➢ No disclosure
       ➢ Legal action
     ➢ No credit
  15. CVE-2018-1000019 & CVE-2018-1000020
     Reference: https://www.sec-consult.com/en/blog/advisories/os-command-injection-reflected-cross-site-scripting-in-openemr/index.html
  16. VLC for iOS
     Reference: https://www.sec-consult.com/en/blog/advisories/local-file-disclosure-in-vlc-media-player-ios-app/index.html
  17. Conclusion
     ➢ Allows the vendor to fix the security issue
     ➢ Prevents bad guys from weaponizing the vulnerability
     ➢ Marketing tool :)
     ➢ Keeping the internet safe
  18. Questions?
  19. Vacancy @ SEC Consult Malaysia
     ▪ Position: Security Consultant
     ▪ Required skills: penetration testing, report writing
     ▪ Bonus skill: secure code review
     ▪ Send CV/resume to [email protected]
  20. Contact
     LITHUANIA: UAB Critical Security, a SEC Consult company, Sauletekio al. 15-311, 10224 Vilnius, Tel +370 5 2195535, Email [email protected]
     RUSSIA: CJCS Security Monitor, 5th Donskoy proyezd, 15, Bldg. 6, 119334 Moscow, Tel +7 495 662 1414, Email [email protected]
     SINGAPORE: SEC Consult Singapore PTE. LTD, 4 Battery Road #25-01, Bank of China Building, Singapore (049908), Email [email protected]
     CANADA: i-SEC Consult Inc., 100 René-Lévesque West, Suite 2500, Montréal (Quebec) H3B 5C9, Email [email protected]
     GERMANY: SEC Consult Unternehmensberatung Deutschland GmbH, Bockenheimer Landstraße 17-19, 60325 Frankfurt / Main, Tel +49 69 175 373 43, Email [email protected]
     THAILAND: SEC Consult (Thailand) Co.,Ltd., 29/1 Piyaplace Langsuan Building, 16th Floor, 16B Soi Langsuan, Ploen Chit Road, Lumpini, Patumwan, Bangkok 10330, Email [email protected]
     MALAYSIA: SEC Consult Malaysia Sdn. Bhd., Unit C-12-4, Megan Avenue II, Jalan Yap Kwan Seng, 50450 Kuala Lumpur, Email [email protected]
     AUSTRIA: SEC Consult Unternehmensberatung GmbH, Mooslackengasse 17, 1190 Vienna, Tel +43 1 890 30 43 0 | Fax +43 1 890 30 43 15, Email [email protected]
     www.sec-consult.com