Hunting CVE’s for fun and learning

Namratha GM
3 min read · Feb 9, 2021


Like every security researcher, I dreamed of having CVEs tagged to my name when I started my career in infosec. I wondered how the whole process works, from hunting a bug in some ‘xyz’ product to the point where CVEs get assigned and then watching them get published✌️. Now, here I am, sharing the journey of my first CVEs.☺️

CVE is a dictionary that provides definitions for publicly disclosed cybersecurity vulnerabilities. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services) using these common definitions. A CVE Record consists of an identification number, a description, and at least one public reference.

Choosing the Product: As I mentioned earlier, it was the process I wanted to understand rather than the bug itself😅. So I chose a product I had already worked on, to use my time efficiently and concentrate on finding the vulnerability while keeping recon time short.

Hunting for Bugs: After about 30 minutes I found a couple of entry points where input validation was missing. I was able to execute JavaScript payloads with little or no tweaking, leading to multiple stored XSS.
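To make the bug class concrete, here is an added example (my own illustration, not code from the post or from the product it describes): a tiny in-memory message store rendered into HTML two ways. The unsafe renderer concatenates stored user text straight into the page, which is what turns a missing validation into a stored XSS; the hardened renderer entity-encodes for the HTML-body context. The store, the renderer names and the sample messages are all constructed for the example. A small defender-side check looks for any tag in the output that the renderer itself did not emit, which is a simple way to spot such a gap in a test suite.

```javascript
// Added example, not the post's or the product's code: a constructed
// "stored" message list rendered with and without output encoding.

const store = []; // constructed in-memory stand-in for a product database

function saveMessage(text) {
  // Storing the raw string is acceptable; the problem is created at render time.
  store.push(String(text));
}

// Vulnerable renderer: stored text is concatenated straight into HTML.
function renderUnsafe() {
  return store.map((m) => `<li>${m}</li>`).join('');
}

// HTML-body-context entity encoding (attribute and JS contexts need their own rules).
function escapeHtml(s) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
  };
  return s.replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Hardened renderer: every stored string is encoded before it reaches the page.
function renderSafe() {
  return store.map((m) => `<li>${escapeHtml(m)}</li>`).join('');
}

// Defender-side check: the only tags this renderer legitimately emits are <li>
// and </li>; any other tag in the output must have come from stored data.
function containsInjectedMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((t) => !/^<\/?li>$/.test(t));
}

// Constructed sample input: one harmless note and one markup-bearing string.
saveMessage('Disk usage on web01 is at 91%');
saveMessage('<img src=x onerror="alert(document.domain)">');

console.log('unsafe output injectable:', containsInjectedMarkup(renderUnsafe()));
console.log('safe output injectable:  ', containsInjectedMarkup(renderSafe()));
```

The check is deliberately narrow: it only knows which tags this one renderer emits. In a real product the same idea is usually applied per template, and the encoding must match the context the value lands in (HTML body, attribute, URL, script), which is why most frameworks ship context-aware escaping rather than a single function like the one above.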

Reporting: The product already had a security page listing a contact email for reporting security-related issues. That’s a good sign; it makes the whole process a lot easier. I immediately reported the vulnerabilities with a description, detailed steps to reproduce, and recommendations for a fix. After confirming the vulnerability was not a duplicate, I raised a request on the MITRE page. For additional details, refer to https://cve.mitre.org/cve/request_id.html

CVE Publication: Once the bug was made public in the product change log, I passed the same information on to MITRE; this goes for review by a CVE Assignment team member, after which the CVEs are published.

Timeline:

22 Oct 2020 — Reported the vulnerabilities to the product security team.

22 Oct 2020 — Confirmation from the product security team of the vulnerability, with a note saying it would be addressed in their next release and recorded in the change log.

29 Oct 2020 — Confirmation from the product team that the change log had been updated for the reported vulnerabilities. After this confirmation, I raised a request with MITRE for CVE assignment.

13 Nov 2020 — Confirmation of the new version release containing the bug fixes. I immediately updated the MITRE team on the new release along with the link to the product change log with the fixes - https://www.nagios.com/downloads/nagios-xi/change-log/

(Screenshot: email from product team)

16 Nov 2020 — CVEs published: CVE-2020-27988, CVE-2020-27989, CVE-2020-27990, CVE-2020-27991 🙃

Written by Namratha GM

Simply Inquisitive | Security Noob