Security News > 2024 > January > Ivanti and Juniper Networks accused of bending the rules with CVE assignments

Ivanti and Juniper Networks accused of bending the rules with CVE assignments
2024-01-22 15:00

The networking giant was accused of patching security flaws without disclosing them as standalone vulnerabilities, while Ivanti was called out for seemingly bundling multiple vulnerabilities under a single registered Common Vulnerabilities and Exposures ID. Security vulnerabilities that are serious enough to require patching to avoid problems for organizations generally need to be registered with a CVE Numbering Authority and added to the CVE program.

Once registered with a CVE ID, vulnerabilities can be more easily identified and tracked by organizations, making their patching routine more easily manageable.

Hammond claims he had found four vulnerabilities included in Juniper's latest batch of patches that didn't appear to have received CVE IDs, including a missing authentication vulnerability - which he described as "Often the easiest vulnerabilities to exploit."

A researcher looking into the exploited zero-days said they'd discovered that for CVE-2024-21887, which leads to remote code execution, they could find at least five different command injection vulnerabilities under a single registered CVE ID. Security expert Kevin Beaumont called the practice "a bit naughty."

"The CVE Program expects separate CVE IDs to be assigned to independently fixable vulnerabilities. If one vulnerability can be fixed without fixing the other, then the vulnerabilities should receive separate CVE IDs.".

Despite Juniper being a CNA itself, it's possible that delaying the assignment of CVE IDs is being done to allow customers time to learn about and patch the issues before information is publicly disclosed, along with a CVE. Plus, while not disclosing individual vulnerabilities is against industry best practice, Juniper did fix them and offer patches for customers in line with its typical schedule, so there's no flagrant abuse of the rules and expectations here.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/01/22/ivanti_and_juniper_networks_criics_unhappy/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2024-01-12 CVE-2024-21887 Command Injection vulnerability in Ivanti Connect Secure and Policy Secure
A command injection vulnerability in web components of Ivanti Connect Secure (9.x, 22.x) and Ivanti Policy Secure (9.x, 22.x) allows an authenticated administrator to send specially crafted requests and execute arbitrary commands on the appliance.
network
low complexity
ivanti CWE-77
critical
9.1

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Juniper 27 0 227 223 49 499
Ivanti 27 0 51 157 75 283