Hacker News new | ask | show | jobs
by jerrythegerbil 237 days ago
Vulnerabilities can and often are chained together.

While the relevant configuration does require root to edit, that doesn’t mean that editing or inserting values to dnsmasq as an unprivileged user doesn’t exist as functionality in another application or system.

There are frivolous CVEs issued without any evidence of exploitability all the time. This particular example however, isn’t that. These are pretty clearly qualified as CVEs.

The implied risk is a different story, but if you’re familiar with the industry you’ll quickly learn that there are people with far more imagination and capacity to exploit conditions you believe aren’t practically exploitable, particularly in highly available tools such as dnsmasq. You don’t make assumptions about that. You publish the CVE.
1 comments
landr0id 237 days ago
>that doesn’t mean that editing or inserting values to dnsmasq as an unprivileged user doesn’t exist as functionality in another application or system.

The developer typically defines its threat model. My threat model would not include another application inserting garbage values into my application's config, which is expected to be configured by a root (trusted) user.

The Windows threat model does not include malicious hardware with DMA tampering with kernel memory _except_ maybe under very specific configurations.

link
BobbyTables2 237 days ago
The developer is too stupid to define the threat model — they’re too busy writing vulnerabilities as they cobble together applications and libraries they barely understand.

How many wireless routers generate a config from user data plus a template. One’s lucky if they even do server side validation that ensures CRLFs not present in IP addresses and hostnames.

And if Unicode is involved … a suitcase of four leaf clovers won’t save you.

link
rpcope1 237 days ago
Honestly after witnessing "principal" software engineers defend storing API keys plaintext in a database in the year of our Lord 2025, and ask how that someone possibly exploit that if they can't access that column directly through an application, my cynicism is strong enough that I can believe that even a majority of "developers" don't even know what a threat model is.
link
jerrythegerbil 237 days ago
> The developer typically defines its threat model.

The people running the software define the threat model.

And CNA’s issue CVEs because the developer isn’t the only one running their software, and it’s socially dangerous to allow that level of control of the narrative as it relates to security.

link
akerl_ 237 days ago
> The developer typically defines its threat model.

Is this the case? As we're seeing here, getting a CVE assigned does not require input or agreement from the developer. This isn't a bug bounty where the developer sets a scope and evaluates reports. It's a common database across all technology for assigning unique IDs to security risks.

The developer puts their software into the world, but how the software is used in the world defines what risks exist.

link