Dear Linux Kernel CNA, what have you done?

The purpose of CVEs is to ensure that people discussing vulnerabilities are talking about the same thing. CVEs aren&#x27;t a checklist, they aren&#x27;t a perfect enumeration, and it shouldn&#x27;t matter if a CVE is issued for a nonissue.<p>People who are burdened by requirements to ship (or produce rolling updates) to address every Linux kernel CVE are living in a state of sin. It doesn&#x27;t make sense for the kernel CNA to alter its behavior to accommodate them.

Has any one in this thread actually evaluated all ~320 CVEs since Feb 20? Because I have. And I literally just finished writing a filter script for MITRE&#x27;s cve.org API output.<p>1. Most of the new CVEs have potential security concerns. At the very least, they would have been assigned a CVE if they were reported by an external researcher.<p>2. Many of them don&#x27;t affect the older LTS branches.<p>3. I found 1 (1!) CVE that has a remote exploitation possibility. The rest are mostly local privilege exploit or DoS or crashes.<p>4. This Greg dude (heh) is backtracking to 2021 to flag bugs that have since been fixed. If your kernel repository is even semi up to date, you would have cut down the CVE count by 1&#x2F;3.<p>In my company, the majority consensus amongst the kernel developers is &#x27;patch your shit and do rolling release. We are too busy to evaluate all the CVEs.&#x27; On the opposite end, are embedded hardware kernel developers who barely had their kernels working on existing hardware. Both sides make good arguments and I don&#x27;t have any opinion I&#x27;d share.<p>There are other ways to lessen the CVE workload.<p>1. Disable unused components with defconf or make menuconfig.<p>2. Don&#x27;t stay on the bleeding edge branch (ie. 6.x)<p>3. Implement automatic minor version commit merges<p>Your mileage may vary, but with these implemented, the workload is managable imo.

While I understand the problems raised in this post, I think they&#x27;re going a bit too far. The CVEs assigned to the kernel were already specific to various parts of it. You&#x27;re not running linux-x.y.z, but rather linux-x.y.z + specific config. That means vendors already needed to look at CVEs and decide what applies to them and what doesn&#x27;t. It&#x27;s up to NVD records to include how likely something is to be a problem and give it some description &#x2F; score.<p>Choosing a random selection of CVEs posted so far... they look reasonable. They&#x27;re actual issues and they&#x27;ll potentially affect someone.<p>This reminds me of the cookie banners situation. Many people complain about the cookie banners being visible rather than about the companies doing things that requires them to notify you. Now if you say you care about the published vulnerabilities, you get to actually see them all. And potentially change the policies around how you worked with them. (yes, it&#x27;s not a great analogy, I&#x27;m not blaming linux for having each of those vulnerabilities)

<i>&gt; Typically, security researchers are held to higher standards when disclosing vulnerabilities. The expectation is that CVEs are assigned for ‘meaningful’ security vulnerabilities, and not for any software fixes that ‘might’ be a security vulnerability.</i><p>Maybe that&#x27;s the aspiration, but it&#x27;s clearly not the case in practice.<p>I reported a firefox bug 12 years ago where a malicious SVG could cause a hang - basically a 22-year-old XML bomb, adapted to SVG patterns. My bug turned out to be a duplicate of a 16 year old firefox bug.<p>No way of stealing user data. No sandbox escape. Not a crash that might indicate a buffer overrun. With a process per tab, it doesn&#x27;t even crash the browser. It&#x27;s just a file that takes a very long time to load - and it&#x27;s not even an image type that user-generated-content sites like facebook and reddit allow you to upload. Reasonably enough, 12 years ago it was triaged as a minor performance issue.<p>Apparently in 2023, this counts as a CVE.

Good. Forcing downstream consumers of open source projects to spend resources on identifying and fixing security issues is not just entirely appropriate, but direly needed.<p>If you&#x27;re already paying someone to maintain Linux for you, this shouldn&#x27;t be causing that much trouble; it might need some contractual adjustments but you&#x27;re already set up to get a stream of &quot;good&quot; updates. The patch frequency may be higher, but other people already do the majority of the work for you.<p>If you were just ingesting Linux &quot;for free&quot;… well, tough luck. You&#x27;re profiting from the work of others already, you don&#x27;t get to complain about not being spoon fed exactly what you need.<p>In practice, a small number of commercial entities (likely a mix of commercial distributions and designated security companies) will probably offer &quot;Linux as a service&quot;. People <i>could</i> do the same work on their own, but that&#x27;s not cost effective.<p>Either way, this shift in responsibilities has been long overdue.

&gt; Known vulnerabilities are in practice defined as ‘something with a CVE’<p>Then change that definition and stop operating off of it. It has never been correct.

For another opinion on this topic <a href="https:&#x2F;&#x2F;jericho.blog&#x2F;2024&#x2F;02&#x2F;26&#x2F;the-linux-cna-red-flags-since-2022&#x2F;" rel="nofollow">https:&#x2F;&#x2F;jericho.blog&#x2F;2024&#x2F;02&#x2F;26&#x2F;the-linux-cna-red-flags-sinc...</a><p>Having a large number of new, unscored, CVEs in the Linux kernel is going to make things... interesting. From their lists <a href="https:&#x2F;&#x2F;lore.kernel.org&#x2F;linux-cve-announce&#x2F;" rel="nofollow">https:&#x2F;&#x2F;lore.kernel.org&#x2F;linux-cve-announce&#x2F;</a> these just have a CVE and not really enough detail for anyone to assign a score without a lot of additional analysis, which reduces their usefulness.<p>To an extent it could be suggested they&#x27;re just exposing an existing flaw in the system (CVSS scores which may be taken to be scientifically applied, are actually just matters of opinion in many cases), but it will cause a lot of problems with automated tooling and compliance.

I cannot really speak to the &quot;Radio Equipment Directive&quot;, but what the author claims or implies with regards to the Cyber Resilience Act is not correct.<p>These Annexes explain the imposed Vulnerability Handling Processes imposed on manufacturers. The EU obviously only speaks about _exploitable_ vulnerabilities, because they know the problems of the CVE system all too well.<p>Best of all, open source projects are actively excluded by the CRA. [2] &quot;Open source projects will not be required to directly implement the mandated processes described in the CRA. But every commercial product made available in the EU which is built on top of those open source projects will.&quot;<p>[1]: <a href="https:&#x2F;&#x2F;eur-lex.europa.eu&#x2F;resource.html?uri=cellar:864f472b-34e9-11ed-9c68-01aa75ed71a1.0001.02&#x2F;DOC_2&amp;format=PDF" rel="nofollow">https:&#x2F;&#x2F;eur-lex.europa.eu&#x2F;resource.html?uri=cellar:864f472b-...</a><p>[2]: <a href="https:&#x2F;&#x2F;eclipse-foundation.blog&#x2F;2023&#x2F;12&#x2F;19&#x2F;good-news-on-the-cyber-resilience-act&#x2F;" rel="nofollow">https:&#x2F;&#x2F;eclipse-foundation.blog&#x2F;2023&#x2F;12&#x2F;19&#x2F;good-news-on-the-...</a>

CVE DOS - aka denial of service through legislative&#x2F;regulatory requirements instead of technical attack is going to be fun.<p>Edit: by that I mean filing bogus report or just non-security related CVEs. That is also reason why a lot of projects are trying to register themselves as CNA (see curl etc).

I think I speak for the whole 0day and 1day market when I say &quot;Thank you for this idiocy, Linux community&quot;<p>In their attempt to get revenge on security researchers for &#x27;being more important&#x27;, they have made it much easier for us to keep our exploits on the market for longer than before.<p>The idea that &#x27;only the latest linux kernel is secure&#x27; is absolutely bananas, because it completely disregards the fact that legacy systems exist, they power very critical parts of our society, and they cannot be updated (as a general rule). Only components can be updated in-place.<p>So, again: thank you for the free money and for making exploits have a longer shelf life.

Oh great, now the previously lazy companies will pressure researchers to &quot;not have discovered&quot; bugs due to the legislatively required response to anything put into the system formally... and we will start hearing, &quot;I don&#x27;t use open source because it involves triage of too many CVEs. Michaelsoft <i>never</i> gives my engineers mandatory work.&quot;

This article largely misses the point from the Linux kernel&#x27;s point of view.<p>They have always said &quot;Every bug is a security bug&quot;. I don&#x27;t know about more global content, but at Kernel Recipes (2019?) gregkh took a Pixel that was running latest Google security patches that contained all CVEs. Then looked at non-CVE patches he merged in his LTS. And it took him less than an hour to find a DoS vulnerability.<p>I understand the author&#x27;s frustration from the Linux Kernel community to not want to classify bugs, but the reality is that a huge portion of the bug fixes are actually security fixes [1], so between requiring 20% of the patches to be merged, and 100%, is there really a point?<p>The author mentions Cyber Resilience Act, and I believe that Linux Kernel team created this CNA &#x2F;on purpose&#x2F; to have an impact on the CRA. They believe that the only way to have a secure Linux Kernel is to have an up-to-date Linux kernel. (cf <a href="https:&#x2F;&#x2F;social.kernel.org&#x2F;notice&#x2F;ARWvggnOvXny0CUCIa" rel="nofollow">https:&#x2F;&#x2F;social.kernel.org&#x2F;notice&#x2F;ARWvggnOvXny0CUCIa</a> ). With the CRA enacted, doing such a every-bug-is-a-security-bug CNA is a way for them to enforce their view.<p>[1] FWIW, my personal opinion there is that this shows that Linux&#x27;s monolith architecture is getting old, but I see nothing that could reasonably replace it. I think that &quot;the dream&quot; would be to have a LKL-like linux &quot;arch&quot; to compile every driver as an independent process of Hurd, with GKI-like stable-ish ABI.

This article does a good job explaining the Linux kernel position on cves: <a href="https:&#x2F;&#x2F;lwn.net&#x2F;Articles&#x2F;961978&#x2F;" rel="nofollow">https:&#x2F;&#x2F;lwn.net&#x2F;Articles&#x2F;961978&#x2F;</a><p>The relevant part:<p>&gt; Kroah-Hartman put up a slide showing possible &quot;fixes&quot; for CVE numbers. The first, &quot;ignore them&quot;, is more-or-less what is happening today. The next, option, &quot;burn them down&quot;, could be brought about by requesting a CVE number for every patch applied to the kernel.<p>They intend to burn down the cve system, and complaining about it is not a plan to stop it.

I just assume that there is always a 0day lurking in my kernel. If you can execute any code on my system I assume it&#x27;s game over

It is often difficult to assess the consequences of a bug, especially in large and complicated project like an OS kernel. It could take lot of time, and it is easier just to fix the bug and err on the safe side by calling it a potential &quot;vulnerability&quot;. Especially when nobody pays a bounty for proof-of-concept.

I wonder how much time discussing if something is or isn’t a CVE has wasted.<p>As and end user if you don’t have a script that causes an exploit for a given CVE i don’t care. I have had to patch too many systems from hypothetical issues ASAP!! because management wants to look like they know something

Is it true that the Linux Kernel has traditionally deprecated the idea of &quot;security bugs&quot;? I thought the kernel crew took the view that a bug is a bug.<p>So perhaps this policy is a kind of spoiler response to efforts to require all security bugs to have a CVE allocated.

seems like they are creating noise and chaos in the infosec space to centralize their own role and discretion in &quot;managing&quot; it.<p>Cynically, I&#x27;d bet there are more than a few less technical but academic operators on the board who would run this play.

Recent and related:<p><i>Linux Is a CVE Numbering Authority (CNA)</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=39406088">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=39406088</a> - Feb 2024 (10 comments)<p><i>The Linux kernel project becomes a CVE numbering authority</i> - <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=39361511">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=39361511</a> - Feb 2024 (24 comments)

Right now, the vast majority of CVEs reported are bullshit filed by wannabe security researchers for resumé padding. Look at all the useless CVSS 9.8&#x27;s filed against curl. With LLMs, even more bogus reports get filed every single day.<p>CVEs assigned to every linux commit are more valid than each and every one of those bogus CVEs. Each and every one of them is associated with an actual change in a security-critical project.<p>If you want the flood of useless CVEs to stop, you have to clean your own house first.

To me the most disingenuous thing here on Linux’s part is that they won’t issue CVEs for vulnerabilities which aren’t fixed. And thus the latest Linux release is always tautologically CVE-free. Magic. Maybe at work I should raise the idea that our Jira bug tickets should have only one possible status: “fixed”. I’m learning from the best.

<i>&gt; Because of this, the CVE assignment team is overly cautious and assign CVE numbers to any bugfix that they identify</i><p>Shouldn&#x27;t this strategy lead to the opposite? By being overly cautious they should only assign CVEs for real demonstrable security issues.

I hate to get all meta (no I don’t sorry not sorry), but there is 100% a thing where every word that means (a) some important thing and (b) some less important thing ends up being a word that, for the vast majority of people, carries something like the emotional impact of definition (a) and the actual meaning of definition (b). For example, “literally” now means “figuratively”, “scan” now means “skim”, “authentic” means “expensive”, and so on. It’s basically Gresham’s Law [0] where less-consequential definitions of words drive more-consequential definitions of the same out of the marketplace.<p>0. <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Gresham%27s_law" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Gresham%27s_law</a>

I think I speak for the whole 0day and 1day market when I say &quot;Thank you Linux&quot;