CramHacks Chronicles #35: GPT Exploits 87% of Sampled Vulnerabilities

🥳 Happy Monday! 🥳

I hope those attending BSides SF / RSA are having a great time! I tell myself I should go every year, but I never do.

May 15th, 2024, I’ll be co-presenting How to Shift Left with the Semgrep AppSec Platform; come learn how to keep engineers sane while promoting secure code!

May 21st, 2024, I’ll be on the Absolute AppSec Podcast! I’m excited to complain about all things software supply chain security 🤣.

Free Training!!!
Building An Application Security Program, Level 1
An introductory course to teach application security from scratch. Taught by none other than Semgrep’s Tanya Janca 🥳.

Table of Contents

• General News

• Malware / Exploits

• Open-Source Tooling

• Vulnerability Management

• Until Next Time! 👋

General News

The npm package ‘request’ is the 3rd most depended-on project in the npm ecosystem, used by over 35,000 open-source projects. It has been fully deprecated since Feb 2020.

Drata’s Acquisition of oak9 Ushers in New Era of Compliance as Code
Monitoring compliance pre-and post-production, automating risk alerts, remediation, and aligning with frameworks like SOC 2, ISO 27001, HIPAA, and PCI DSS.

👋 I can’t speak to the quality of oak9’s technology, but this was a well-timed acquisition, in my opinion. I’ve noticed an uptick in discussions around Vanta code security integrations.

CVE® Numbering Authority (CNA) Operational Rules v4.0
CNAs have new rules to follow and have 90 days to adopt them.

“There is a fundamental concept embedded throughout the rules, and also explicitly defined in section “4.2.1 First Refusal.” It goes like this:

The CNA with the most appropriate scope gets the first opportunity to assign. This is often the Supplier (vendor, developer) CNA. This CNA also gets the first opportunity to not assign. If the CNA does not assign, for any reason (including but not limited to EOL), then another CNA with appropriate scope can assign. For already Publicly Disclosed vulnerabilities, prefer CNA-LRs to assign, to reduce the chances of duplicate assignments.”

New CVE Record Format Enables Additional Data Fields at Time of Disclosure
The CVE Program has expanded its record format to include additional data elements like CVSS, CWE, and CPE directly from authoritative sources, enhancing automation and data accuracy in vulnerability management.

👋 This will maybe alleviate some of the workload for NIST’s NVD, which has historically had to enrich CVEs themselves. That said, people have actually to leverage this for it to be worth anything 🤷.

Malware / Exploits

LLM Agents can Autonomously Exploit One-day Vulnerabilities
Richard Fang, Rohan Bindu, Akul Gupta, and Daniel Kang, the authors of Llm agents who can autonomously hack websites, disclose that providing GPT-4 CVE descriptions resulted in an 87% success rate for exploiting 15 one-day vulnerabilities.

👋 I reviewed some of the CVEs included in the research. Are these incredibly difficult to exploit? No, not at all. But, this does mean the skill bar for exploiting new vulnerabilities is lowering. What a time to be a script kiddie!

1,400 GitLab Servers Impacted by Exploited Vulnerability
CVE-2023-7028 has officially been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog. Shadowserver suggests that 1,400 internet-accessible servers are vulnerable.

“GitLab Community and Enterprise Editions contain an improper access control vulnerability. This allows an attacker to trigger password reset emails to be sent to an unverified email address to ultimately facilitate an account takeover.”

Open-Source Tooling

GitHub: Introducing Artifact Attestations–now in public beta
GitHub has introduced the public beta of Artifact Attestations, a new feature that allows project maintainers to create secure links between software artifacts and their origins, utilizing Sigstore.

👋 The versatility with this is 🔥 - I’ll likely cover this more in future weeks.

Vulnerability Management

Are you familiar with the Exploit Prediction Scoring System (EPSS) model? You might find this discussion interesting regarding whether EPSS scores are meaningful for vulnerabilities impacting transitive dependencies. The comments offer some great insights!

State of Exploitation - A Peek into the Last Decade of Vulnerability Exploitation
VulnCheck’s Patrick Garrity digs into vulnerability disclosure and exploitation trends between 2014 and 2023, highlighting a significant increase in known exploited vulnerabilities (19.7%) and publicly available Proof-of-Concept exploits (11.8%).

On the Effect of Transitivity and Granularity on Vulnerability Propagation in the Maven Ecosystem
Amir M. Mir, Mehdi Keshani, and Sebastian Proksch of Delft University of Technology evaluated the effect of transitivity and how vulnerabilities propagate to projects. The study employed call graphs to analyze reachability. “Potentially affected” means a vulnerable version was used, while “Actually affected” indicates a call path to the vulnerable function in a transitive dependency.

👋 Call graph analysis is impactful in this context, but “Actually affected” is a misleading label (in my opinion). Call graph analysis omits other conditions required for a project to be impacted. Thank you, Jeffrey Luszcz, for letting me know about this study!

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle