Tony Turner of Fortress Information
Security suggested to me this week that one thing that has been sorely missing
in both “official” and unofficial discussions of VEX is real use cases; he implied that there’s been far too
much focus on formats and too little focus on why we need the formats in the
first place. That made sense to me, and I decided to explore what I think will
be one of the most important use cases for VEX: patching vulnerabilities. As
you’ll see below, in the process I came to see that the number of steps that
can be taken to describe what might seem to be a simple action can be huge, as
can the benefits the supplier can realize from taking those steps.
Here is a scenario, along with
steps that can (but don’t have to) be taken when a single serious vulnerability
is patched in a single software product:
1.
Vulnerability
CVE-2022-12345 has been identified in the NVD as exploitable in Bob’s Browser
v4, which is a component of the supplier’s Product A.
2.
The supplier confirms,
through their own testing, that this is indeed the case. They also confirm that
Bob’s Browser v4 has been a component of Product A in every version, starting
with v3.0.0 through the current version 3.5.2 (the supplier follows a best practice
called semantic versioning, which requires a version string structure of [Major
release].[Minor release].[Patch]).
3.
When they investigate
the exploitability of CVE-2022-12345 in Product A, the supplier discovers that
the vulnerability was not exploitable until version 3.2.0, due to a code change
in version 3.2.0. They also discover that, in all versions from 3.2.0 through
3.5.2, the vulnerability is exploitable.
4.
The supplier develops a
patch that fixes CVE-2022-12345 in versions 3.3.1 through 3.5.2 of Product A.
5.
At the same time, the
supplier determines that a fix for versions 3.2.0 through 3.3.0 would be very difficult,
and they decide to recommend that users of those versions upgrade to the
current version as soon as possible.
6.
The new version
created by applying the patch to version 3.5.2 is 3.5.3. When a customer
patches their instance of 3.5.2, the version number is automatically
incremented to 3.5.3.
7.
Similarly, when the
patch is applied to any other version “A.B.C”, the version number will change
to “A.B.(C+1)”. This is the normal procedure with semantic versioning.
8.
The supplier creates a
VEX (in either the currently available CycloneDX
VEX format or the upcoming CSAF-based VEX format)
that indicates the following:
a)
CVE-2022-12345 is
exploitable in Product A versions 3.3.1 through 3.5.2. The new patch should
immediately be applied to all of these versions.
b)
CVE-2022-12345 is also
exploitable in Product A versions 3.2.0 through 3.3.0. However, due to
technical problems, the vulnerability will not be fixed in these versions.
Users of these versions need to upgrade to the current version as soon as
possible.
c)
CVE-2022-12345 is not
exploitable in versions 3.0.0 up to (but not including) 3.2.0.
d)
The supplier has not tested
for CVE-2022-12345 in versions before 3.0.0, since all of these versions are
now unsupported. The supplier makes no assertion regarding whether
CVE-2022-12345 is exploitable in unsupported versions of Product A.
Are you surprised that there are
so many steps? After all, VEX has been advertised as a simple yet
machine-readable way for a supplier to alert their customers that a
vulnerability that is exploitable in a component of their product is not in
fact exploitable in the current version of the product. These steps go far
beyond that mission.
I agree with this analysis, but remember:
The main reason why VEX is being developed is that some large suppliers are
concerned that, when they start regularly providing SBOMs to their customers,
their support lines will be overwhelmed with calls. This will happen when a serious
vulnerability in a component in the current version of a product has been
identified and customers want to know if it is exploitable in the product
itself. If that were the only concern, a VEX would only need to state – in the
above example – that CVE-2022-12345 is exploitable in the current version 3.5.2,
and that a patch is available.
But should this be the supplier’s
only concern? When customers learn that a vulnerable component has been
included in the product through a number of versions, won’t they also call with
questions like:
1.
“I’ve heard a lot
about the new serious vulnerability CVE-2022-12345. Have you released a patch
for it yet?”
2.
“I’m running [a
non-current version] of Product A. Is CVE-2022-12345 exploitable in this
version? And if it is, is there a patch for it?”
3.
“I work for an
integrator, and we have customers running a number of versions of Product A. In
which of those is CVE-2022-12345 exploitable, and in which is it not
exploitable? Of those versions where it’s exploitable, for which ones is a
patch available and what’s the URL to download it? And is the only solution for
the other exploitable versions to upgrade to the latest release?”
4.
“I’m running [an unsupported
version] of Product A. Will a patch for CVE-2022-12345 be released for my
version?”
5.
“I’m running [a supported
version] of Product A. I noticed you’re not patching this version, even though
it’s under support. What’s the deal?”
All of these questions – and
potentially a lot more - are likely to be asked, as a result of the above
scenario. Without a VEX, the supplier will have no choice but to hold on and
hope there aren’t too many of these calls. With VEX, the supplier will be able
to answer some percentage of these questions, without tying up a single support
person.
So it’s very likely that releasing
a VEX will lead to a significant reduction in support calls for most products,
after SBOMs have been made widely available. But here’s another consideration:
What if Product A has 4,500 components, as some products do? There might be scenarios
like this one every day, or even every hour. Without having recourse to VEXes,
will the supplier of Product A even release an SBOM for it? After all, to do so
might literally open the gates to a flood of support calls that could threaten
the financial stability of the supplier.
This is why I have said
repeatedly, “As long as suppliers can’t release VEXes in volume, they won’t
release SBOMs in volume.” And that’s why getting VEX right is so important.
Here’s an extra credit question
for you, based on an issue that has come up in VEX discussions: If the VEX
weren’t able to handle version numbers and especially version ranges, would the
above scenario be at all feasible? Of course not. There’s no way that the patch
application use case could ever be addressed without having the ability to
specify version numbers in the VEX.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. Nor
are they necessarily shared by CISA’s Software Component Transparency
Initiative, for which I volunteer as co-leader of the Energy
SBOM Proof of Concept. If you would
like to comment on what you have read here, I would love to hear from you.
Please email me at tom@tomalrich.com.
No comments:
Post a Comment