We discussed responsible disclosure and vulnerability disclosure policies in class.
Give two reasons a company would want to develop and publish a disclosure policy.
Describe two parts of a company’s disclosure policy valuable that a security researcher might find particularly valuable, and explain why they are valuable to the researcher.
Locate a bug bounty program with the largest potential pay-out that you can find. How much is it, and what type of vulnerability and what conditions must be met to get that award?
Both the CWE Top 25 and the OWASP Top 10 describe the methodology used to create the list. Briefly describe the similarities and differences in approaches taken by these two projects.
In the CWE Top 25 list, some weaknesses might be a major concern for some developers and simply not an issue for others. Give an example of a CWE that is very important for people coding in C, but not very important for people coding in Java. Explain why this weakness is viewed differently depending on programming language.
In the OWASP Top 10, each of the Top 10 vulnerability categories maps to a set of CWEs. However, the number 1 CWE in the “CWE Top 25” (CWE-787) doesn’t appear at all in any OWASP Top 10 category. Describe why that is in a few sentences.
For this question, you are to investigate a specific CVE and find out as much information as you can. To determine what CVE you are investigating, see the list below and use the CVE that corresponds to the first letter of your last (family) name.
Start with the NVD entry to get the basic information, and then use a combination of that information and what you can find via web searches to describe: What software package contains the vulnerability, what that software does, what language the software is written in, and what type of weakness is involved (i.e., which CWE). Describe as best as you can what the potential impact of this is, using the CVSS and other information as a guide. As much as you can determine, explain where data to trigger the vulnerability comes from (so where an attacker would be): over the network, by sending a malicious file/attachment, or something else. Finally, can you find an exploit or proof-of-concept for this vulnerability, either directly in the NVD references or elsewhere?
Last name starting with A-B: CVE-2019-20788
Last name starting with C-H: CVE-2020-0452
Last name starting with I-K: CVE-2021-3502
Last name starting with L-Z: CVE-2021-44790
While classifications in the NVD are generally reliable, the information isn’t perfect. For example, CVE-2020-6061 is currently shown as CWE-787 (Out-of-bounds Write). However, that’s not accurate. Explore the references in the NVD entry to find a description of the vulnerability, and study that to understand what the problem is. Then explain it (briefly!) in your answer, and describe a CWE that accurately describes the weakness (there’s a different CWE in the “Top 25” that fits). [Instructor’s note: I have submitted a correction request for this, so it might actually be fixed by the time you answer this question. If so, that gives away the correct CWE, but still answer the rest of the question - explain why this is the correct CWE, but CWE-787 is not.]
In the following code, function f is called with some secret value that the user is not supposed to know, and function f calls function g to do something seemingly unrelated in a function that does not have the secret value. If you don’t have much C background, the scanf function, used like this, just reads an integer value from the user – just like the Java Scanner class method nextInt() does. This code does have a serious vulnerability. Describe what it is, and how it could be exploited by an attacker. This type of weakness is in the CWE Top 25 list, and is obvious from the name of the CWE. Which CWE is it?