Collaboration helps solve real-life tech bug
April 15, 2019
When an unexpected technology issue cropped up in a cybersecurity class at Dakota State University this semester, four people at the university worked together to help identify it, report it, and get it fixed.
Students in The Beacom College of Computer and Cyber Sciences work on cybersecurity projects through the Information Assurance Lab (IA lab), which uses a variety of vendor programs to host virtual infrastructures. In March, a few students began having issues with one of those vendor-based programs.
“It was something that happened with a very specific set of circumstances, and was kind of a rare issue,” said instructor Tyler Flaagan.
Eric Holm, DSU’s systems administrator, had contacted Flaagan and fellow instructor Andrew Kramer for help pinpointing the issue. Senior Logan Stratton was able to share details about the exact screen location where the vulnerability, or bug, cropped up.
With that information, Kramer said, “we wrote a script to reproduce the behavior, and found we could reproduce it reliably.” This is called weaponizing proof of concept, explained Dr. Kyle Cronin, assistant professor of information assurance, and developer of the IA Lab.
The four reported the issue to the vendor, VMware Security, and a few days later the company released a patch for what they deemed a “critical” vulnerability. Kramer said the company representatives were helpful and easy to work with, and “the time to resolution was quick.” In notices the company posted about the vulnerability, they thanked the DSU team for reporting the issue.
Vendor companies sometimes host a bug bounty program, a contest in which they ask users to try to find vulnerabilities, but in this case, “we weren’t out looking for it, it fell into our lap,” Kramer said, “and that’s quite often how it happens.”
When it does happen, it is important to investigate the issue instead of ignoring a bug, Cronin said, and to collaborate with individuals who have the necessary skills, then weaponize proof of concept and report the issue.
This incident is an important example for students, because “this is something they will stumble across in real life,” Kramer stated.