A security advisory for a vulnerability, published by MITRE, inadvertently exposed links to remote admin consoles. The links belonged to dozens of vulnerable IP devices that have been exposed since at least April.

What happened?

The incident came to light after a reader tipped off BleepingComputer about links to exposed systems listed in the advisory's references section.
  • The reference links led readers to the remote administration dashboards of the exposed IP cameras or video devices, allowing any user to watch the live camera feed or exploit the flaw.
  • The original source of the security mishap was a security write-up posted by Chinese security researchers on GitHub. Several links to vulnerable devices were included as examples in that write-up.
  • MITRE's CVE entry for the flaw was reserved and awaiting publication. However, its references section already included the links to the vulnerable live IoT devices, which could be accessed and misused by attackers.

A large number of sources rely on MITRE for vulnerability feeds. The advisory had already been broadcast by various public sources, vendors, and services that provide CVE data.

What does MITRE have to say?

  • According to MITRE, this is not an issue; it has often listed URLs or other vulnerable endpoints in its advisories in the past.
  • However, within a few hours of the issue being raised, the CVE advisory was updated to remove the links to the vulnerable IoT devices.

Conclusion

This security mishap is a serious matter. Caution must therefore be exercised when publishing security bulletins and vulnerability advisories. Further, make sure that only the details needed to help admins address the security flaw are disclosed, without giving malicious actors a ready-made target list.
Cyware Publisher