Milan Duric (EBU)
Even software that has undergone the most rigorous security testing can exhibit security bugs after release. Vendors should, therefore, prepare a vulnerability management procedure that will ensure a smooth and efficient process once a new vulnerability is identified.
Certain standards and processes for vulnerability management are already widely deployed in the general IT industry, with the CVE* process being a notable example. Among the many aspects of vulnerability management it encompasses, one of the most important is communication. The process ensures that each vulnerability eventually becomes public knowledge through a public CVE list that provides unambiguous information about the affected product version and the severity of the vulnerability.
Over the last year, the EBU Media Cybersecurity (MCS) group has identified over a dozen security vulnerabilities in various media systems. Although most of the vendors have demonstrated readiness to resolve the issues, few have announced security fixes transparently, let alone engaged in the CVE process. As a vendor, being more transparent about security not only helps your customers, but also demonstrates your maturity as an organization and willingness to follow industry best practices.
Nevertheless, even if you refuse to follow the CVE process, the CVE process might not refuse to follow you. One of the major entities in the CVE process is the CVE numbering authority (CNA). CNAs are external entities that assign CVEs and orchestrate communication between security researchers and vendors. Each CNA works on a predefined scope, which is a set of vendors and products it can assign CVEs for. Vendors that do not have a more specific CNA responsible for them fall within the realm of either national CNAs or CNAs of last resort, like MITRE.
Before publishing a CVE, CNAs typically require evidence that sufficient effort has been invested in contacting the vendor. CNAs aim to maintain a delicate balance between the importance of notifying the vendor and the rest of the world. This means that if you, as a vendor, do not respond within a reasonable time, the CVE process might continue without you.
Sensitive details
To test this claim, the EBU MCS group recently crawled public CVE databases, seeking CVEs for products from vendors that are SMPTE members. We were surprised to find CVEs that were several years old and of which the respective vendors were completely unaware. Moreover, as the vendors did not participate in the CVE process, the entries were written by external security researchers and typically included sensitive details, such as code to exploit the vulnerability.
These trends demonstrate the importance of two things. Firstly, as a vendor, you must publicly advertise a security contact that should be used for reporting vulnerabilities. Publishing a security.txt file is a good way to do this.
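As an added illustration of the security.txt recommendation (this is not code from the article or from the EBU MCS group), the following Python checker parses a constructed sample of a security.txt file, as served at /.well-known/security.txt, and verifies the mandatory RFC 9116 requirements: at least one Contact URI, exactly one Expires timestamp that has not yet passed, and https for web URLs. All addresses and URLs in the sample are placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed sample of a security.txt body; every address and URL is a placeholder.
SAMPLE = """\
# Security contact for a hypothetical broadcast vendor (constructed sample)
Contact: mailto:security@vendor.example
Contact: https://vendor.example/security/report
Expires: 2030-12-31T23:59:00Z
Encryption: https://vendor.example/pgp-key.txt
Preferred-Languages: en, fr
Canonical: https://vendor.example/.well-known/security.txt
Policy: https://vendor.example/security/disclosure-policy
"""

FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.+?)\s*$")

def parse_security_txt(text):
    """Return {field_name_lowercase: [values]}; blank lines and # comments are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if not m:
            raise ValueError(f"malformed line: {line!r}")
        fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems; an empty list means the RFC 9116 checks below all pass."""
    now = now or datetime.now(timezone.utc)
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("missing required Contact field")
    for c in contacts:  # Contact must be a URI: mailto:, tel: or https:
        if not c.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"Contact must be a mailto:, tel: or https: URI: {c}")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:  # ISO 8601; accept a trailing Z as UTC
            if datetime.fromisoformat(expires[0].replace("Z", "+00:00")) <= now:
                problems.append(f"file expired on {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not an ISO 8601 timestamp: {expires[0]}")
    for url in fields.get("canonical", []) + fields.get("encryption", []) + fields.get("policy", []):
        if not url.startswith("https://"):  # web URLs in these fields must use https
            problems.append(f"web URL must use https: {url}")
    return problems
```

The checker handles the unsigned form of the file; a PGP-clearsigned security.txt would need its signature block stripped or verified first.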
Secondly, the broadcast industry may benefit from running its own CNA programme. This would not only facilitate the adoption of the CVE process by the vendors, but also greatly reduce the risk of a CVE being published without the vendor’s knowledge. Indeed, national CNAs and CNAs of last resort are required, per CVE rules, to check if a CNA with a more specific scope exists in a particular situation. Thus, all new vulnerability findings would flow through such a broadcast CNA that would, by any means necessary, ensure the critical information reaches relevant personnel of the affected vendor.
*Common Vulnerabilities and Exposures
This article first appeared in issue 60 of EBU tech-i magazine.