Tech Titans Tangle with Transparency: Juniper & Ivanti Accused of CVE Confusion

In the wild west of tech vulnerabilities, Juniper Networks and Ivanti play fast and loose with the rules, causing an uproar in the infosec saloon. Yee-haw for security rodeos! 🤠 #VPNvexations

Hot Take:

When tech titans play hide and seek with vulnerabilities, the only winners are the cyber gremlins rubbing their hands in the dark corners of the internet. Juniper Networks and Ivanti, it seems, have been caught playing this risky game, tucking away security boo-boos under the rug or bundling them like a questionable 2-for-1 sale. Let’s unpack their cyber laundry and see if it just needs airing out or a full-on bleach treatment.

Key Points:

  • Juniper Networks was accused of fixing vulnerabilities without assigning standalone CVE IDs, playing peek-a-boo with the infosec community.
  • Ivanti seemingly took the “bundle and save” approach by lumping multiple vulnerabilities under one CVE ID, which some infosec folks find a bit iffy.
  • Aliz Hammond, a researcher from watchTowr, found Juniper’s vulnerability management as transparent as a brick wall, with serious issues not getting their own CVE IDs.
  • Despite being a CNA itself, Juniper might be delaying CVE IDs to give customers a heads-up, or maybe they’re just procrastinating – only their calendar knows.
  • Ivanti argues that their one-size-fits-all patch warrants a single CVE, but the infosec fashion police are debating if it’s a faux pas.

Need to know more?

Playing the Patching Game

Aliz Hammond spotted some naughty bugs in Juniper's system late last year, but when the music stopped, not all of them had a CVE chair to sit on. Juniper asked for a dance extension beyond the usual 90-day disclosure boogie, and while it did patch things up, it did so on its own cryptic terms, fixing serious issues without giving each one a standalone CVE ID. The dance floor is now open for debate on whether Juniper's patching promenade was a graceful waltz or a clumsy shuffle.

Bundle of (In)Joy

Over at Ivanti's camp, things are looking like a yard sale - multiple vulnerabilities thrown under one big CVE tent. Kevin Beaumont, an infosec expert, raised an eyebrow at this "naughty" practice, while Rich Warren, another researcher, insists each bug needs its own fixer-upper. Ivanti's retort? One mega-fix is on the way, so why bother with a CVE for each when you can save on ink?

Caught in the Act?

The tech world's "Most Wanted" list now features Juniper and Ivanti, with their mugshots pinned to the bulletin board for not playing by the CVE rules. Juniper's yet to comment on their stealth patching strategy, and as a CNA itself, this silence is as awkward as forgetting your lines in a play. Meanwhile, Ivanti insists their CVE economizing is like a concise tweet - short and sweet, yet fully informative.

Tick Tock, CVE Clock

The plot thickens with Juniper potentially holding back CVE IDs, maybe to give their customers a head start on patching, or maybe they just lost track of time. It's like throwing a surprise party but forgetting to tell the guests when to shout "Surprise!" As for Ivanti's one-patch-to-rule-them-all theory, it could be within the rules, but it's as controversial as pineapple on pizza.

The Verdict

While both companies did fix the vulnerabilities and offered patches, they might have played a little fast and loose with the CVE guidelines. According to Adam Pilton, a cybersecurity consultant, while there's no stopwatch on issuing CVEs, speed is the name of the game for security's sake. It's like running a marathon; sure, you can walk, but the crowd's waiting at the finish line. Juniper and Ivanti may need to pick up the pace to stay ahead of the cyber nasties.

Tags: Common Vulnerabilities and Exposures, CVE program, Ivanti, Juniper Networks, Security Flaws, Software Patching, Vulnerability Disclosure