A dispute between software maker JetBrains and security vendor Rapid7 has highlighted ongoing concerns with coordinated vulnerability disclosure policies and practices.
On March 4, JetBrains disclosed two critical vulnerabilities tracked as CVE-2024-27199 and CVE-2024-27198 that allow for authentication bypass against on-premises TeamCity servers.
The following day, JetBrains and Rapid7, which was credited with discovering and reporting the flaws, confirmed that exploitation activity had begun against vulnerable servers.
A disagreement over the disclosure process came to light.
In a blog post on March 4, Rapid7 accused JetBrains of breaking the coordinated vulnerability disclosure process and attempting to silently patch the vulnerabilities with the release of TeamCity 2023.11.4.
Rapid7 also explained in the post that during disclosure communications in February, JetBrains had proposed releasing the patches for CVE-2024-27199 and CVE-2024-27198 privately before publicly disclosing the flaws.
Daniel Gallo, TeamCity solutions engineer, addressed the dispute in a follow-up post on March 5 in which he admitted that JetBrains broke off communication with Rapid7 following the rejection of that proposal.
Tenable researchers had recently reported Azure flaws and expressed frustration with the disclosure process, which Yoran said lacked transparency.
The ongoing feud between JetBrains and Rapid7 shows that researchers and vendors remain divided on how best to disclose vulnerabilities without giving attackers an advantage.
Bob Huber, chief security officer and head of research at Tenable, told TechTarget Editorial that he believes JetBrains was naive to think the flaws were unknown prior to disclosure, or that no actor had been exploiting them previously.
Regarding the JetBrains and Rapid7 case, Childs highlighted Gallo's March 5 blog post in which he said JetBrains opted not to make a coordinated disclosure with Rapid7.
Childs said that statement negates JetBrains' claim that it practices ethical vulnerability disclosure.
While it appeared that those remarks were meant to strengthen JetBrains' argument, Childs said referencing those companies shows JetBrains might be focused more on brand reputation than customer protection.
Childs attributed perpetual discussions on the subject to an industrywide shift away from the term responsible disclosure to coordinated disclosure.
He also said JetBrains' decision to patch silently and leave Rapid7 out of the disclosure process would be considered unethical by many infosec professionals.
Jake Williams, a faculty member at IANS Research, also criticized JetBrains for blaming Rapid7 for the attacks against its customers.
Second, Williams said JetBrains might have been deflecting the fact that its servers contained trivially exploitable authentication bypass vulnerabilities.
Nate Warfield, director of threat research and intelligence at security platform provider Eclypsium, said the definitions of ethical and responsible disclosure can differ depending on the vendor and researcher.
Regarding the disclosure argument between JetBrains and Rapid7, Warfield believes the software developer appeared to take the reported vulnerabilities seriously and understood how the PoC fallout posed a potential risk to customers.
Though the silent patching accusations are murky, Warfield said it's obvious that JetBrains did not follow a coordinated disclosure process, which prompted Rapid7 to disclose the full details.
Published on www.techtarget.com, Thu, 14 Mar 2024 21:43:08 +0000.