

#Windows users running stupid scanners now contact us for support regarding CVE-2023-46218 which the scanners say affects #curl 8.4.0 shipped by Microsoft.

It would, if their version was built to use #libpsl, a prereq for this CVE, which #Microsoft does not.

Security scanners. A snake oil business.

curl.se/docs/CVE-2023-46218.ht…

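The check a practitioner wants before opening a ticket is the one the post describes: does this curl binary even have the prerequisite? curl reports its build configuration itself, and a build using libpsl lists PSL on the "Features:" line of `curl --version`. The script below is an added example, not code from the curl project or from anyone in this thread. The two `curl --version` outputs are constructed for the example (one modelled on a Linux build with libpsl, one on a Windows build without it); the affected range, 7.46.0 up to and including 8.4.0 with the fix in 8.5.0, is taken from the curl advisory linked above.

```shell
#!/bin/sh
# Added example: triage CVE-2023-46218 from `curl --version` output instead of
# from the version number alone. The CVE only applies to curl built with
# libpsl, which curl advertises as the "PSL" token on its Features: line.

# Constructed sample output, modelled on a Linux build that uses libpsl.
SAMPLE_LINUX_PSL='curl 8.4.0 (x86_64-pc-linux-gnu) libcurl/8.4.0 OpenSSL/3.0.11 zlib/1.2.13 libpsl/0.21.2
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IDN IPv6 Largefile libz NTLM PSL SSL threadsafe'

# Constructed sample output, modelled on a Windows build without libpsl.
SAMPLE_WINDOWS='curl 8.4.0 (Windows) libcurl/8.4.0 Schannel zlib/1.3 WinIDN
Protocols: dict file ftp ftps http https
Features: AsynchDNS HSTS HTTPS-proxy IDN IPv6 Largefile NTLM SPNEGO SSL SSPI threadsafe Unicode'

# Constructed sample output, modelled on a fixed release that uses libpsl.
SAMPLE_FIXED='curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.11 zlib/1.2.13 libpsl/0.21.2
Protocols: dict file ftp ftps http https
Features: alt-svc AsynchDNS HSTS HTTP2 HTTPS-proxy IDN IPv6 Largefile libz NTLM PSL SSL threadsafe'

# Extract the curl version from the first line ("curl X.Y.Z (...)").
curl_version() {
    printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

# Print "yes" when the Features: line carries the PSL token, else "no".
curl_has_psl() {
    printf '%s\n' "$1" | grep -i '^Features:' | tr ' ' '\n' | grep -qx 'PSL' \
        && echo yes || echo no
}

# Dotted-version comparison: succeeds when $1 <= $2 (numeric per component).
version_le() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { a1 = $1; a2 = $2; a3 = $3 }
        NR == 2 {
            if (a1 != $1) exit (a1 < $1 ? 0 : 1)
            if (a2 != $2) exit (a2 < $2 ? 0 : 1)
            exit (a3 <= $3 ? 0 : 1)
        }'
}

# Verdict for one `curl --version` output:
#   not-affected-no-psl   built without libpsl, the CVE cannot apply
#   affected              libpsl build inside 7.46.0..8.4.0, upgrade to 8.5.0+
#   not-affected-version  libpsl build outside the affected range
cve_2023_46218_status() {
    out=$1
    ver=$(curl_version "$out")
    if [ "$(curl_has_psl "$out")" != yes ]; then
        echo not-affected-no-psl
        return 0
    fi
    if version_le 7.46.0 "$ver" && version_le "$ver" 8.4.0; then
        echo affected
    else
        echo not-affected-version
    fi
}

# Stand-alone run: show the verdict for each constructed sample.
for sample in "$SAMPLE_LINUX_PSL" "$SAMPLE_WINDOWS" "$SAMPLE_FIXED"; do
    printf 'curl %s psl=%s -> %s\n' "$(curl_version "$sample")" \
        "$(curl_has_psl "$sample")" "$(cve_2023_46218_status "$sample")"
done
```

On a real host, feed it `"$(curl --version)"`. The script only covers the build-configuration dimension that this thread is about; it says nothing about distribution backports, where a patched package keeps the old upstream version string and the distro's own security tracker or changelog is the authority, not the number.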
in reply to daniel:// stenberg://

if scanners were trained to identify pictures of venomous snakes:

Rattlesnake: scanner says venomous snake, CVSS 9.8
Coral snake: scanner says venomous snake, CVSS 10.0
Milk snake: scanner says venomous snake, CVSS 10.0
Slow worm: scanner says venomous snake, CVSS 8.5
A coil of rope: scanner says venomous snake, CVSS 9.0
A baby's rattle: scanner says venomous snake, CVSS 9.8

in reply to daniel:// stenberg://

The problem is not the tools themselves (not entirely at least because they have many shortcomings, like not accounting for Debian/Ubuntu fixes backports) but how people (don't) analyze the results.
We do use vulnerability scanners (sending SBOMs to Dependency-Track) but this clearly requires work to analyze the results and determine if you're actually vulnerable (false positive, non-exploitable vuln, only if configured in some specific way, etc.)
Contacting project maintainers for assistance without even some prior analysis is just plain wrong I 💯 agree!
in reply to Thomas Broyer

yeah, I also hear from many of these users that they have rules and regulations put in place that makes it mandatory for them to address all the complaints above a certain threshold from the scanners within N days. Which just makes everything even worse.
in reply to daniel:// stenberg://

@tbroyer that by itself is fine if there's an option to say it's not a real vulnerability or that it's not exploitable in the context.
in reply to daniel:// stenberg://

@tbroyer Probably not worth it, but you could/should check with a lawyer about sending those scanners a cease and desist for bogus reports...
in reply to daniel:// stenberg://

for anyone in ops, every day has the potential to be the day when you again have to explain to someone who ran some bullshit scanner that you cannot derive CVE vulnerabilities from reported versions alone on supported linux distros. oh, this Apache version is vulnerable? really? is it really though?