
I don’t wish to trivialize this CVE, CVE-2023-42846, but it is fascinating that it received a High severity and a base score of 7.5.

Devices reporting their MAC is standard practice. All these Apple devices did it as standard practice as well before iOS 14. Yet they added the buggy feature in iOS 14, and got a high-severity CVE in return. Just fascinating. How does this work? Does it imply other devices that report their true MAC address are deserving of a high CVE as well?




I don't understand this. By that logic you could go from HTTP to a new but buggy and flawed HTTPS (when that was in its infancy) and rather than that being considered a vulnerability, you could say "Well, everyone else is just using HTTP so they deserve a CVE too..."


Should we not mark insecure protocols with tremendous numbers of CVEs?


No, because the advertised additional security may cause people to do things that they would not otherwise have done had they not falsely believed the security claims on the newer protocol.


The threat model changed.

If I'm using HTTP, and my traffic is unencrypted, there isn't a vulnerability.

If I'm using HTTPS, and my traffic is unencrypted or can be decrypted, there's a serious vulnerability!


Pre-14 phones leak their MAC to all people around; post-14 phones only expose it inside an encrypted network the phone was allowed to connect to.


I would argue you’re almost right, the two considerations are intent (if you say something is true and it is not true, that is a vulnerability) and real world use (if the site accepts usernames and passwords, and is unencrypted, and there is some impact to a breach or credential theft, there is a vulnerability).


This CVE does not allow decryption (or non-encryption) of HTTPS.


The point is the expectation not meeting reality - nothing about that specific technology.


Just strange to use HTTP for comparison when the actual problem works just fine.

If I'm connecting to WiFi normally, and expecting that I can be tracked, there isn't a vulnerability.

If I'm connecting to WiFi using this privacy feature, and expecting NOT to be trackable, yet someone is still able to track me, there is a serious vulnerability!


That's what comparisons and analogies are for.

The HTTP comparison helped me understand the issue.


It's best to avoid reading much meaning into CVE scores. So much depends on the perennial question "what's your threat model?"


This question and many more can be applied when using CVSSv3. So a pentester doesn't have to use CVE scores as a holy bible in their report. A risk assessment can be worked upon by those who are going to consider the recommendations in the report.


Security people always use this crazy risk matrix where if it’s easy to reproduce and affects a lot of people, it becomes high severity even if there is essentially no real world risk. I guess it makes them look better when they can show all the “high” severity issues they found.


Because after iOS 14, users have an expectation of being more private when they weren't.

You can apply this anywhere:

FDE being broken.

Zero days being used on journalists.

Security theater post 9/11.

Your 4 y.o. choking on a toy deemed unsafe for age 0-3.


It implies that other devices that are not supposed to report their MAC, but do, deserve a high CVE as well.

This has to do with a bug seriously compromising a feature. It does not reflect the overall security rating of the entire device. If I have a one-way data diode sending telemetry from the flight controller to a passenger's entertainment console, it works as intended - which is why they put in a layer-1 one-way diode. When you have a feature, you use that feature for a scenario where it is useful.

If the flight controller data diode has a second fiber and allows it to be hacked from a passenger seat entertainment center, that is a high severity. It does not mean every network switch has a high severity security issue, because we don't put those into flight controllers that hook up to entertainment centers.

Let's do a car example. If I rent a U-Haul to move my piano, and it splits in half from the weight, this is a serious malfunction. It does not mean the Mini Cooper croaking from a piano loaded on its hood is also a serious malfunction.

Let's do a food example. If I put an empty metal frying pan on a stove and it bursts my house into flames, this is a serious problem with the frying pan. If I put it in the microwave and it does that, that's not a problem with the frying pan.

