
Responsible Disclosure


Ramadhan Amizudin

April 05, 2018


Transcript

  1. Responsible Disclosure – OWASP Malaysia Meetup 2018 (slide 1)

     Version: 1.0 | Date: 2018-04-05 | Author: R. Amizudin | Responsible: R. Amizudin | Confidentiality Class: Public
  2. Who am I (slide 2)

     Title: OWASP 2018 Q1 – Responsible Disclosure | Responsible: R. Amizudin | Version / Date: 1.0 / 2018-04-05 | Confidentiality Class: Public | © 2018 SEC Consult Malaysia Sdn. Bhd. All rights reserved
     ▪ Ahmad Ramadhan Amizudin
     ▪ Security Consultant at SEC Consult Malaysia
     ▪ OWASP Project Leader
       ▪ WordPress Vulnerability Scanner
     ▪ Ex-MyCERT
  3. Definition (slide 5)

     “Responsible disclosure is a vulnerability disclosure model in which a vulnerability or issue is disclosed only after a period of time that allows for the vulnerability or issue to be patched.” – Wikipedia
  4. Definition (slide 6)

     Full Disclosure
     ▪ Release the full details of the vulnerability to the public as early as possible, without any restriction
     Coordinated Disclosure
     ▪ Newer term for what was previously called “Responsible Disclosure”
     ▪ The term preferred by CERT/CC
     ▪ Often abbreviated as CVD (Coordinated Vulnerability Disclosure)
  5. Definition (slide 7)

     Limited Disclosure
     ▪ Very little information is disclosed
     ▪ Slows down exploit development
     No Disclosure
     ▪ The details are kept private
     ▪ Often enforced by non-disclosure agreements (NDA)
     Reference: https://vuls.cert.org/confluence/pages/viewpage.action?pageId=4718642
  6. CVE (slide 8)

     Common Vulnerabilities and Exposures
     ▪ Maintained by the MITRE Corporation
     ▪ Identifier format: CVE-[YEAR]-[ID]
     ▪ https://cve.mitre.org/
     CVE Numbering Authorities (CNAs)
     ▪ 84 CNAs as of March 5, 2018
     ▪ Types of CNA: root, vendors, CERTs, bug bounty programs, vulnerability researchers
  7. Responsible Disclosure Process (slide 9)

     Write Advisory → Quality Assurance → Notification → Vulnerability Validation → Coordinated Disclosure
  8. Writing the Advisory (slide 10)

     • Always include full information:
       • Vulnerable version
       • Proof of concept
       • Relevant portion of the code, if source code is available
       • Defined impact
       • CVSS3 score
  9. Quality Assurance (slide 11)

     • A colleague is assigned to proofread the advisory
     • This is normally done by the Head of the Vulnerability Lab
  10. Vendor Notification – Security Contact (slide 13)

     Finding a contact
     ▪ Security contact
     ▪ Customer service
     Communication
     ▪ Encrypted
     ▪ Plain text
     Update the advisory
  11. Vulnerability Validation & Resolution (slide 14)

     ▪ Update the vendor contact timeline section of the advisory
     ▪ Add a short description
     ▪ Adjust the release date as soon as the patch date is known
     ▪ The vendor should provide:
       ▪ Affected version
       ▪ Fixed version (or patch version)
       ▪ CVE number, if applicable
  12. Coordinated Disclosure (slide 15)

     ▪ Coordinate with the vendor and CERT as soon as the patch is available
     ▪ Include the proof of concept if an update is available
     ▪ Send the latest version of the advisory to the vendor before publication
     ▪ If the vendor is unresponsive:
       ▪ Publish on the “possible release date”
       ▪ The proof of concept is removed
  13. Advisory (slide 19)
  14. Challenges (slide 20)

     ➢ Unresponsive vendor
       ➢ No response
       ➢ Delaying the patch release
     ➢ Spoon-feeding service
       ➢ Fixing
       ➢ Consulting
     ➢ Vendor does not allow the advisory to be published
       ➢ No disclosure
       ➢ Legal action
     ➢ No credit
  15. CVE-2018-1000019 & CVE-2018-1000020 (slide 21)

     Reference: https://www.sec-consult.com/en/blog/advisories/os-command-injection-reflected-cross-site-scripting-in-openemr/index.html
  16. VLC for iOS (slide 22)

     Reference: https://www.sec-consult.com/en/blog/advisories/local-file-disclosure-in-vlc-media-player-ios-app/index.html
  17. Conclusion (slide 23)

     ➢ Allows the vendor to fix the security issue
     ➢ Prevents attackers from weaponizing the vulnerability
     ➢ Marketing tool :)
     ➢ Keeping the internet safe
  18. Questions? (slide 25)
  19. Vacancy @ SEC Consult Malaysia (slide 26)

     ▪ Position: Security Consultant
     ▪ Required skills: Penetration testing, report writing
     ▪ Bonus skill: Secure code review
     ▪ Send CV/resume to [email protected]
  20. Contact (slide 27)

     www.sec-consult.com
     LITHUANIA – UAB Critical Security, a SEC Consult company, Sauletekio al. 15-311, 10224 Vilnius, Tel +370 5 2195535, Email [email protected]
     RUSSIA – CJCS Security Monitor, 5th Donskoy proyezd, 15, Bldg. 6, 119334 Moscow, Tel +7 495 662 1414, Email [email protected]
     SINGAPORE – SEC Consult Singapore PTE. LTD, 4 Battery Road #25-01, Bank of China Building, Singapore (049908), Email [email protected]
     CANADA – i-SEC Consult Inc., 100 René-Lévesque West, Suite 2500, Montréal (Quebec) H3B 5C9, Email [email protected]
     GERMANY – SEC Consult Unternehmensberatung Deutschland GmbH, Bockenheimer Landstraße 17-19, 60325 Frankfurt / Main, Tel +49 69 175 373 43, Email [email protected]
     THAILAND – SEC Consult (Thailand) Co.,Ltd., 29/1 Piyaplace Langsuan Building, 16th Floor, 16B Soi Langsuan, Ploen Chit Road, Lumpini, Patumwan, Bangkok 10330, Email [email protected]
     MALAYSIA – SEC Consult Malaysia Sdn. Bhd., Unit C-12-4, Megan Avenue II, Jalan Yap Kwan Seng, 50450 Kuala Lumpur, Email [email protected]
     AUSTRIA – SEC Consult Unternehmensberatung GmbH, Mooslackengasse 17, 1190 Vienna, Tel +43 1 890 30 43 0 | Fax +43 1 890 30 43 15, Email [email protected]