
@bagder
Last active October 6, 2023 10:09
Gefangen im Prozess der Schwachstellenmeldung / Trapped in the vulnerability reporting process

German source

Trapped in the vulnerability reporting process

The software component Curl is one of the most frequently used open source libraries. A controversial vulnerability report is causing problems for the project. The developer Daniel Stenberg sees fundamental problems in the CVE report process.

The story of the vulnerability report CVE-2020-19909 is reminiscent of the opening of Franz Kafka's novel “The Trial”: Someone must have mistakenly identified a vulnerability in the Curl software component, because one morning it appeared in a CVE without there being any security problem at all.

The Curl program library is probably one of the most frequently installed open source components in the world. It allows programmers to load data from the Internet. To do this, it offers a standard implementation of the web protocol HTTP and a number of other methods that can be used by developers without having to delve into the details of the transmission standards themselves.

Curl is an integral software component in the PHP programming language as well as in mobile phones or operating systems: In April 2018, Curl was included as an on-board tool in Windows 10 and is included in every standard Windows installation. In October last year, the Sovereign Tech Fund, which is funded by the Federal Ministry for Economic Affairs and Climate Protection (BMWK) and supported by the Federal Agency for Advanced Innovations SPRIND, announced that it would initially support the further development of Curl as an important infrastructure component of the Internet for six months.

A programming error that has long since been fixed

Swedish software developer Daniel Stenberg has been leading work on the open source project since 1998. In addition to improving the software, the project is committed to quickly and completely resolving vulnerabilities: “In the Curl project, we work hard and committedly on security and we always cooperate with security researchers who report problems. We submit our own CVEs, document them and make sure the world knows about them,” writes Stenberg.

Stenberg was all the more surprised when, at the end of August, he was informed of a security-relevant vulnerability that an anonymous person had reported to MITRE, the US coordinating body for security reports under the industry standard CVE (Common Vulnerabilities and Exposures). Stenberg also found an entry for the report, numbered CVE-2020-19909, in the National Vulnerability Database (NVD), the US government's database for standards-based vulnerability management data. There, the severity of the vulnerability was rated 9.8 (out of a maximum of ten points) and the risk was classified as “critical”.

In fact, the report referred to a programming error in Curl: a certain option in the program allowed the entry of very large numbers, which could slow down downloads. The Curl team discovered the programming error after a tip in 2019 and published a fixed version in September of the same year. “I identified a bug that I fixed in 2019 and it said it was an integer overflow. It was actually an integer overflow, but I insist that it was never a security problem,” recalls Daniel Stenberg in an interview with Tagesspiegel Background. “I had actually forgotten about the stupid thing a long time ago.”

Vulnerabilities in the vulnerability reporting process

Daniel Stenberg contacted both MITRE and the NVD. His goal: the withdrawal of the vulnerability report. “The problem, of course, is that the whole system of creating CVEs or CVE IDs is probably a good thing to begin with. And going to MITRE and requesting a CVE is something anyone can do,” summarizes the developer. According to Stenberg, the problem is that when reporting a vulnerability, you don't have to provide a lot of details: “You can basically just say: There is a bug in this program somewhere, and you get a CVE number for it.”

For Curl, this revealed a weakness in the process by which vulnerabilities are reported. The assessing body at NVD did not want to deviate from its assessment that this was a security problem. Withdrawal of the CVE entry was rejected, although a note that the vulnerability is disputed has since been added, and NVD lowered its risk assessment to 3.3 (“low”) on its CVE information page.

This means that Curl no longer has any way to have the vulnerability report withdrawn. Nor can the project fix, with a new software version, a problem that was already fixed by an update delivered four years ago. The project presents its view of CVE-2020-19909 on its own website: “The issue does not affect any version. It is not a security issue. This is a bug that we fixed in mid-2019. Relax. Use Curl as usual.”

“That was basically it. That was my only possible attempt to have it depublished,” said Stenberg, summarizing his rejected challenge to Tagesspiegel Background. Now the project is about living with the consequences.

Anonymous reports and transparency

To date, Stenberg has not been able to find out who the anonymous person behind the report was: “It seems to be a script or a user who was simply checking out all sorts of open source projects.” According to Stenberg, the PostgreSQL database software also received a similar vulnerability report. “There were several of these more or less crazy CVEs at the same time,” said the Curl developer. All related to outdated software versions. According to Stenberg, there is at least the suspicion that the reports came from an automated scanner or some kind of artificial intelligence.

Stenberg also sees a problem in the transparency of the process: “That’s another thing that I find really strange: that there is no transparency here at all. There is no one saying who submitted this or they are not even very open about which CVE Numbering Authority (CNA) issued the CVE number. It's a really strange system. It seems to have been designed a long time ago and lacks transparency.”

“As we rely on CVEs, they need to work much better”

Vulnerability reports in the form of CVEs and the associated security ratings are among the building blocks of cybersecurity that decision-makers rely on. That poses problems, according to Stenberg: “I think it's ultimately inevitable that we might not have to rebuild the reporting system, but at least we'll have to fix all these cracks and weird things in the process. As we do more and more with CVEs and rely on CVEs, they need to perform much better than they do today.”

The consequences of the vulnerability report also include desperate companies that have contacted Stenberg because their Windows installations no longer work. In some cases, he reports, security software warned about the open Curl CVE, and a few companies overzealously tried to silence the warning by deleting Curl from the hard drive. Since Curl is now an integral part of Windows, those systems could no longer install updates. He points out that, as the open source developer of a widely used software component, he cannot help in such cases: “It's not really my code. Well, I wrote it, but Microsoft delivers it. It is part of their operating system. It’s their responsibility, not mine.”

TrueType commented Oct 6, 2023

Hi Daniel, as I accidentally read into the curl project, I identify your unique position as the main security risk in this project. Harsh to say so as you obviously led the project to what it is by 25 years of hard work. But I am still correct on this matter, I guess. As I am the leading researcher and activist on democracy and decentralized group decision making, I suggest, you reach out to me for a talk on how you can put the curl project in a self-government that will let it survive yourself without a loss in quality.
