Cohesive Networks is committed to the security and integrity of the VNS3 Network Platform anchored by the VNS3 Network Controller.
Cohesive understands customers are compelled to independently validate the VNS3 Controller using 3rd party scanners like AWS Sentry, Orca Security, Wiz and more. These scanners provide naive disk scans of the files on disks attached to a virtual or physical computing device to ascertain if there are files with known issues. These scanners, as a rule, are unable to evaluate whether the file has been patched to eliminate an issue, or if the file is ever executed within the computing device.
In the case of network appliances, all of the major vendors now run a Linux or BSD variant, hardened to various levels, and in some cases with operating system information obfuscated to minimize the ability of scanners to review their “proprietary OS”. To date, Cohesive does not obfuscate OS information in our hardened and minimized Ubuntu Linux variant at the base of the VNS3 Network Controller.
These scanners then provide scoring as adjudged by outside organizations as to the risks of these files on disk. Some of these are CVE, NIST, Github, and recently, EPSS.
Due to the nature of the VNS3 sealed appliance, the materiality of any known issue raised by file scanning tools has been reviewed by Cohesive’s security team taking into account the actual operations of VNS3 Network Platform devices.
Cohesive’s general policy, regardless of scoring system, is the following:
- Remote Code Execution Possible

  If an RCE is found in Cohesive source code, we follow responsible disclosure standards and make patches available via Cohesive remote support and new virtual images as soon as is practical and responsible. If it is in dependency code within VNS3, we monitor and again make patching and images available as soon as practical and responsible. Note that there are instances where Cohesive’s supply chain provides patches that create similar or even increased risks. Cohesive adjudges when the component in question appears to have a sufficient patch in place. In all such cases, we send a notice to our security list and update our “Security Responses” page.

- Local Privilege Escalation Possible

  If there is an unauthorized user within the VNS3 device, that means Remote Code Execution has been possible, and we would be operating under our policy for RCEs. Absent that, local privilege escalation is normally considered a “pick up patch in next release” event. Upon customer request, remote support patching might be available. However, even a small change to a network security appliance potentially requires a full re-qualification and testing of that essentially new version of VNS3.

- DDoS or lesser items

  An individual device, not properly configured in a cloud environment, cannot prevent denial of service from a source dedicated to such a disruption. If the denial of service attack can be triggered simply, with little effort, then patching is made available, and possibly updated images. Other scanner-alerted items rated high, medium, or low that are essentially “a bug was found in the code” are fixed by updating components in a future release to be determined.
Cohesive’s policy for customer escalation of low-risk 3rd party discoveries:
Some customers have asked Cohesive to provide a more defined SLA with respect to discoveries regarding files on disks made by 3rd-party scanning companies whose general business model is to escalate risk to the highest levels without firm definitional knowledge of any real risk. Cohesive understands the need for scanning and how this is the optimal business model from many of these vendors.
For an extra support fee, Cohesive will provide the following SLA utilizing CVE scoring, as NIST scoring is often hyperbolic and sometimes elevates non-material risks to high or even critical status.
- CVE Critical with remote code execution possible

  Cohesive will provide patching support and updated images as soon as possible for its own code, and, upon release of fixes by the maintainers of an otherwise offending component, within 2 weeks of the fix release.

- CVE Critical without remote code execution

  Cohesive will provide patching support and updated images as soon as possible for its own code, and, upon release of fixes by the maintainers of an otherwise offending component, within 4 weeks of the fix release.

- CVE High

  Upon request via email or support ticket, Cohesive will make new images available within 4 weeks. If in Cohesive’s judgement of materiality the update is necessary, there will be no cost. If Cohesive does not believe there is a material risk, an additional charge will apply.

- CVE Medium

  Cohesive will pick up the fixes when available and incorporate them into the next release. As can be seen in our release notes history, our approach to “software as an appliance” includes very frequent small updates available to new and existing users alike.

- CVE Low

  Cohesive will pick up the fixes when available and incorporate them into the next release. As can be seen in our release notes history, our approach to “software as an appliance” includes very frequent small updates available to new and existing users alike.

- NIST Ratings – N/A

- Github Rating – N/A

- EPSS

  Expresses an exploit likelihood assessment – under review, but likely to be a triggering factor for Cohesive to make an update in future.