back to article So nice of China to put all of its network zero-day vulns in one giant database no one will think to break into

Chinese makers of network software and hardware must alert Beijing within two days of learning of a security vulnerability in their products under rules coming into force in China this year. Details of holes cannot be publicized until the bugs are fixed. Malicious or weaponized exploit code cannot be released. There are …

  1. sanmigueelbeer Silver badge

    Malicious exploit code cannot be released

    Is China's famed "security services" included in this guidance?

    Details of holes cannot be publicized until the bugs are fixed

    And if the bugs/exploits are not fixed, what then? Wait for the "proof-of-concept" to be made public?

    It's also a dangerous place to be for an unpatched-vulnerabilities database, which would be an incredibly attractive target for adversaries"

    A honeypot, no question about it.

    Now if someone is going to insert a booby trap in those files and Boob's-your-uncle!

    1. teknopaul Silver badge

      The DB kept privately is no worse than the public cve dB shirly? I guess stuff responsibly disclosed but without a cve is at risk. however...

      Generally I trust the intention. Google's Project Zero does not disclose anything until Google itself has a patch, so they get an advantage out of the bugs they find. Even if that patch takes them months to develop they sit on it until they have a fix. A staunch capitalist will says that's OK and that is what drives Google to find bugs and we should be grateful when they drop the bug and the exploit on the rest of the world.

      Not everyone is a staunch capitalist. I believe Google is above the size of a government and should behave accordingly.

      I'd also be surprised if Project Zero does not interact directly with the Nsa in the same manner, and the nsa let them keep the wraps on bugs. We know NSA keeps a DB of vulns. Not sure the Nsa as they stand are trustworthy enough. But I think the same idea in other countries makes just as much sense.

      Defo can we have this one in the west please...

      Folks are not allowed to "deliberately exaggerate the hazards and risks" of a bug.

      1. Corporate Scum

        Won't Google post when their self enfored time limit pops?

        So as to force more prompt action from vendors that drag their heels. Not really the same thing as keep quiet and wait for the patch.

        And the CVE- database doesn't have the same information the Chinese seem to be mandating.

        The blurb here also doesn't mention how far back a vendor is expected to ship patches for, which is a big question as well.

      2. Anonymous Coward
        Anonymous Coward

        false

        Cisco, unless their techs discovered it, don't know the details of any juniper bugs, and vice versa. So the difference is that in China, you'll only have to hack a 'single' system in order to find and download the details on all of the (reported) bugs in Chinese gear.

    2. Arthur 1

      Missing the Point

      Anyone talking about China hoarding foreign vendor exploits is missing the point. This is about picking and choosing which bugs are publicly reported and patched by Chinese vendors, and which ones the government sits on. Even if it's not the intent, it's how it will shortly be used because it's the perfect tool for it.

      A year ago China was saying it's racist paranoia to not trust them with all of our telecom infrastructure and that they would never do anything sketchy to exploit that. Today we discover that anyone who did so has China holding a veto on their network security along with the heist blueprints to exploit the hole they're vetoing a patch for. That's what you should be worried about.

  2. This post has been deleted by its author

  3. sanmigueelbeer Silver badge
  4. DS999 Silver badge

    Why would it be a target for breakins?

    If vendor X reports a "memory allocation error in software product A that results in administrator level privileges" that's not exactly a roadmap for hackers to develop an exploit. If the Chinese government was requiring proof of concept exploit code be provided while the vendor works on a fix that would be a problem (in more ways than one) but I don't see anything like that here.

    1. Blazde Silver badge

      Re: Why would it be a target for breakins?

      According to a more complete translation: "the submission [to the central database(*)] should include the product name, model, version, and the technical characteristics, harm, and scope of the vulnerability that have security loopholes in network products."

      So - depending precisely what 'technical characteristics' comes to mean - possibly quite vague, but if you have a bunch of these reports a good fraction will still signpost a skilled researcher to a vulnerability very quickly. Searching for a needle in a haystack is the most tedious part of this work, and if you know there's a needle near the bottom of this particular haystack it gets a whole lot easier.

      (*) 'Ministry of Industry and Information Technology’s cyber security threat and vulnerability information sharing platform'

      Also: "The network security threat and vulnerability information sharing platform of the Ministry of Industry and Information Technology simultaneously reports relevant vulnerability information to the National Network and Information Security Information Notification Center and the National Computer Network Emergency Technology Coordination Center."

      So there'll be at least three copies of 0-day database. It sounds semi-public already to be honest.

      1. teknopaul Silver badge

        Re: Why would it be a target for breakins?

        Sounds like it's essentially it's China specific CVE plus a release date, minus exploit code.

        Requiring exploit code is a dubious practice IMHO, reading up an exploit on HN today and the bug was relatively simple but the exploit was mad science.

        The reward required the exploit but the bug fix was the same exploit or no exploit. It might not be a bad idea to treat certain types of bug as equal with or without an exploit and fix them any way. To get his 10000 reward this researcher sat on the bug and communicated about it with other folk until he had his exploit. That's taking a risk with a bug you suspect is exploitable in the same way creating a DB of known bugs is.

  5. thames

    It sounds like a combination of US CERT, the US computer access laws, and additional items from the wish list of what people want the US to make mandatory instead of just "suggest". A lot of US regulation operates on the principle of companies being told to "voluntarily" do something "or else". This allows the government to create defacto regulations without having to go through the time and bother of passing legislation to enable them and perhaps not passing legal review.

    The bit forbidding people from selling vulnerabilities to exploit brokers is potentially the most significant item in the list. It's also however going to be difficult to actually enforce as these exploit brokers tend to be located in places such as Italy or Israel, with companies in the latter country being suspected by many of being fronts for the national intelligence agencies.

    Unless this new legislation is replacing existing laws then I'm surprised that China don't have something like this in place already.

  6. Sitaram Chamarty

    ETERNALBLUE jealousy

    someone in China is jealous of the NSA and how they found and hoarded ETERNALBLUE!

  7. x 7

    Easy way to

    create a database of weaponised bugs for free.

    This is a database of exploits to be used, not ones to prevent

    1. teknopaul Silver badge

      Re: Easy way to

      explicitly not weaponized. bugs minus exploits.

      It's exploitable bugs but, let's be honest, you are going to have to weaponize it yourself.

      Shellshock was a corker, not because it was any more or less of a remote exec than other bugs but because it was trivial to exploit.

  8. vtcodger Silver badge

    Database vulnerability

    "Another part of the order that worries Moussouris is the central Chinese vulnerability database that will be created to house all of these reported bugs: "

    Just because we live in a connected world, doesn't mean China's network vulnerability database has to be on-line. It could be stashed on properly backed up USB sticks on computers never attached to a network. My guess is that the database will be tiny -- a few thousand items. It could probably have been handled nicely by a 1980s 8086 PC with 5.25 inch floppies.

    In fact, it likely doesn't even have to be computerized. A physical file of 3x5 (OK, OK in China, possibly A7) index cards written in Chinese and kept in a safe in a secure facility could probably do the job -- whatever it is -- just fine.

    1. The Mole

      Re: Database vulnerability

      The requirement to submit the bugs within 2 days implies that it is either FAX or more likely electronic. Even if the machine receiving the submissions on is airgapped from the real database, the receiving machine will still contain the recent data that was submitted and have visibility of the requests coming in. Now you may be able to mitigate that by using public key encryption, but even just knowing the source of the message would help an attacker target investigations on that particular companies haystack.

      1. vtcodger Silver badge

        Re: Database vulnerability

        "The requirement to submit the bugs within 2 days implies that it is either FAX or more likely electronic."

        Or, if security is really important and time isn't of the essence, postal mail. Most people aren't aware of it, but here in the US, quite highly classified information used to be -- and probably still is -- routinely moved around by registered mail. Given the current state of network security perhaps we should be thinking in terms of alternatives to adding additional complex layers of digital "Security" on top of a sort of wobbly foundation. Making things more complex doesn't necessarily make them more secure.

  9. BOFH in Training

    Interesting Article 7

    Article 7 tells product makers to ensure patches are developed "in a timely manner and reasonably released," and that customers are kept in the loop with regards to mitigations, updates and repairs, and support. Crucially, vendors are told that all "relevant vulnerability information should be reported to the Ministry of Industry and Information Technology's cyber security threat and vulnerability information sharing platform within two days" of them learning of security holes in their products.

    It potentially gives Beijing from that 2 days until a patch is released to do exploits.

    1. vtcodger Silver badge

      Re: Interesting Article 7

      "It potentially gives Beijing from that 2 days until a patch is released to do exploits."

      My first thought was that that's a pretty reasonable point. Followed by -- but 2 days doesn't seem like a lot of time for a government to isolate a defect, code, debug, test, and use an exploit. Why not give themselves a week or two weeks?

      Then, about an hour later the light dawned. There doesn't seem to be any indication I can see that this government data base will be accessible outside the government. Two days possibly is important but for exactly the opposite reason. It looks to maximize the amount of time Chinese intelligence has to isolate and exploit weaknesses before they are patched.

      1. JWLong Bronze badge

        Re: Interesting Article 7

        I better that they will keep the data in a AWS S3 bucket.

        /sarcasm

  10. amanfromMars 1 Silver badge

    In an Exotic Erotic Eastern JOINT AIdVenture, there be Boundless Opportunities ....

    ..... to Furnish Exceptional Reward.

    Though the rules are a little ambiguous in places, judging from the spirit of them, they throw a spanner in the works for Chinese researchers who work with, or hope to work with, zero-day vulnerability brokers.

    Not necessarily, should zero-day vulnerability brokers have the blessing of and be remote agents for the Chinese government.

    I wonder if the above accurately enough translates into Chinese with the help of Google Translate or whether it is failed at that basic hurdle ......

    不一定,零日漏洞經紀人應該得到中國政府的祝福並成為中國政府的遠程代理人。

  11. Eclectic Man Silver badge

    Do they have

    An equivalent law regarding the disclosure of biological viruses like the one that causes Covid-19? I mean instead of persecuting the doctor who first raised the concern about a new respiratory disease in Wuhan and was forced to recant and apologise before he died of the disease himself?

    "Thousands paid tribute to Li Wenliang ahead of the first anniversary of his death on 7 February 2020.

    He died after contracting Covid-19 while treating patients in Wuhan.

    Dr Li had tried to warn fellow medics of a disease that looked like Sars - another deadly coronavirus.

    But he was told by police to "stop making false comments" and was investigated for "spreading rumours"."

    From: https://www.bbc.co.uk/news/world-asia-55963896

    (Awaiting the inevitable downvote due to any posting that criticises the PRC in any way whatsoever.)

    1. Claptrap314 Silver badge

      Re: Do they have

      Oh, bother!

    2. teknopaul Silver badge

      Re: Do they have

      If I remember correctly, he was investigated by local plod. The situation changed when the government got involved.

      You wouldn't would blame Obama for white cops killing black youth on his watch.

      PRC is a wide term that involves the poor lad himself. Implying the government of the PRC is disengenious, in this case, and you get your downvote for dishonesty.

      1. Eclectic Man Silver badge

        Re: Do they have

        @teknopaul, Thanks for your explanation.

        You are correct that I wouldn't blame Obama for a white cop killing a black youth on his watch. But I would consider that the general approach of having police investigate a doctor for raising concerns about a novel respiratory infection to be worth criticism, and not appropriate. The hospital management should have checked his concerns medically, rather than legally. And that is, in the PRC a more general concern - that people who raise concerns about problems may be scared to as instead of their legitimate concerns being investigated, they themselves come under suspicion while the actual problem goes uninvestigated and untreated. Or do you think that the possibility of a new and potentially fatal disease should in the first instance be investigated by the local police rather than the medical profession?

  12. sanmigueelbeer Silver badge
    1. amanfromMars 1 Silver badge

      Re: Challenge accepted!

      The U.S. Department of State’s Rewards for Justice (RFJ) program, which is administered by the Diplomatic Security Service, is offering a reward of up to $10 million for information leading to the identification or location of any person who, while acting at the direction or under the control of a foreign government, participates in malicious cyber activities against U.S. critical infrastructure in violation of the Computer Fraud and Abuse Act (CFAA). .... https://www.state.gov/rewards-for-justice-reward-offer-for-information-on-foreign-malicious-cyber-activity-against-u-s-critical-infrastructure/

      That is blatantly discriminatory, excluding as it so clearly does from bounty, all free acting spirits/renegade rogue private pirate agents outside of the command and control of foreign governments ..... and quite why the U.S. Department of State’s Rewards for Justice (RFJ) program, which is administered by the Diplomatic Security Service would hogtie themselves to do battle in malicious cyber activities against U.S. critical infrastructure with the caveat ....... in violation of the Computer Fraud and Abuse Act (CFAA) ....... is something to ponder is totally unnecessary and very unAmerican.

      It has one thinking that Uncle Sam [although he is definitely not alone in his current particular situation on the field] really doesn't yet get the truly extremely disruptive nature of the virtual activities which abound to astound all around ...... and that is one massive serial blackhole of a catastrophic vulnerability to ruthlessly and relentlessly exploit and export and expand upon/further develop and improve upon/increasingly reinforce with failsafe security measures ..... to effortlessly guarantee and provide future sovereign like immunity and impunity for Novel Worthy ACTivities in the Highly Contested and Immensely Valuable Fields of Proprietary Intellectual Property Endeavour and COSMIC [Control Of Secret Materiel in an Internetional Command] Discovery, to name but one beneficiary of the status quo position.

      1. amanfromMars 1 Silver badge

        Re: Challenge accepted! UKGBNI Offered First Refusal before Open Global Market Launch

        And just to be sure there is no possible ambiguity for current serving UKGBNI MoD chiefs to be able/enabled to claim ignorance of a highly disruptive programming project which they would need to traditionally feed with slush funding in order to seed and fast breed for overwhelming success in applied fields, rather than suffer serial defeat in attempts to pervert and subvert and convert to less than worthy employment, is all of the above posited as worthy of AWEsome consideration and acceptance to the benefit of at least two AWEsome projects [Atomic Weapons Establishment/Army Warfighting Experiment.

        However, it is as well to understand and fully accept from the outset though, for it is the convivial nature of such a novel beast of a fundamentally creative program, to imagine it a unique exclusively applied application rather than universally available facility and communal utility, will cause one much grief and considerable dismay.

        cc ... UKGBNI Defence Forces.

      2. Eclectic Man Silver badge

        Re: Challenge accepted!

        Just checking, this means all of those people suspected of being in Russia, attacking the USA ICT infrastructure who are not actually provably employed or directed by the Russian state are not covered by this reward scheme?

    2. arachnoid2 Bronze badge

      Re: Challenge accepted!

      You would want to spend that dosh very quickly after being put on the hit list of certain departments you just dobbed in.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021