An investigation of a new page on ClassLink's website.

Introduction

In my previous posts, I detailed vulnerabilities I discovered in ClassLink's OneClick Extension. I've already written articles about them and I'm tired of discussing them, so go read those if you want to understand the technical details. Since my last post, I found a recently published page from ClassLink which contains a list of their vulnerabilities, this frustrated me for the following reasons.

(in)Secure by Design

On August 8th, 2023, ClassLink took the Secure by Design pledge. The Secure by Design pledge is a non-binding agreement to do the things detailed on this site. One would assume that by publicly announcing that you take this pledge that you would actually follow through with it and mark it clearly on your website. The pledge states the following:

"no later than 3 months after signing the pledge, the manufacturer has published a vulnerability disclosure policy on its website"

As of me writing this article right now, I am unable to find any evidence they have done this. I cannot find a vulnerability disclosure policy on their website, and they have no /.well-known/security.txt entry either (despite me roasting them for not having one all the way back in 2022). If this vulnerability disclosure policy does exist, then I am unable to find it. This may change in the future (and I hope it does), and I may or may not update the article if that occurs.

Incorrect and Omitted Details

The vulnerabilities I discovered are listed as CL-0004 on their vulnerability list, and there are many things wrong with it. First of all, they are actually two separate vulnerabilities, so I think it's inappropriate to merge them under one name. Even if we assume that ClassLink thought they were similar enough to be categorized under one name (which I could understand the argument for, but don't necessarily think is correct), I think it is still a massive oversight not to reference either of the two CVE numbers that were assigned (CVE-2022-48612 and CVE-2023-45889). Secondly, the dates are wrong. Their site claims CL-0004 was discovered on 6-13-23, but I reported both vulnerabilities significantly earlier than this. I reported the first vulnerability on 9-15-22 and the second one on 1-14-23. So even if we assume the best case, that's still five months off from the actual date!

The CWE

The cherry on top is the CWE identifier they chose to give CL-0004. They chose CWE-840 (business logic errors). Now let me play devil's advocate for a second here: I understand why ClassLink may have decided to ignore the CWE that NIST assigned my CVEs because I think that CWE-79 (improper neutralization) is also inappropriate (although less inappropriate than CWE-840). CWE-840 is listed as PROHIBITED, which means "this CWE ID must not be used to map to real-world vulnerabilities," 'nuff said. In my humble opinion, the correct CWE should have been either CWE-185 (incorrect regular expression), CWE-187 (partial string comparison), (preferably) CWE-625 (permissive regular expression), or at the very least another CWE that's somehow related to parsing, URLs, regular expressions, or code injection.

Conclusion

In fairness to ClassLink I haven't had any recent interactions with them, so maybe their vulnerability management has improved since my initial discovery and reporting. I don't care about these specific vulnerabilities anymore, in fact, I didn't even test the latest version of their extension to verify that it's fully patched (I'll leave that as an exercise to the reader). I hope that someone at ClassLink reads what I have written and makes the necessary changes to be better moving forwards.