Hello and welcome to the Wednesday, April 26, 2020, 23 edition of the Sands and its Storms Center's Stormcast. My name is Johannes Ulrich and today I'm recording from San Francisco, California.

The quick diary that I wrote today is about an experiment that I ran with chat GPT. It's a quick defensive experiment.

The goal here is for vendors, like for example Apple, that have these very brief vulnerability

descriptions. Apple usually has one sentence for an impact and then a one sentence description,

but doesn't have anything like

CBSS scores or any rating of the vulnerability being patched here. So I basically asked

chat GPT to come up with a CBSS score for these Apple vulnerabilities. And it actually did a pretty

good job. I posted one of the examples here.

I think it probably rated a little bit to high the network impact that it saw in the description.

I didn't really see. But again, it was very limited information and I think good enough that

next time Apple will release some patches. I may give

it a spin and have it at CVSS scores to these vulnerabilities to see if that helps us a little bit

better. Then what do we have now is sort of when we are trying to rank these vulnerabilities.

The challenge of course always that there is a good number of vulnerabilities being patched.

So going through them rather quickly, rating them is usually really not all that reliable and consistent when I'm doing it.

And then we have, well, yet another UDP-based denial of service amplification vector.

This time it's the service location protocol.

If you haven't heard of the service location protocol, you're probably not alone.

It's an older service that shouldn't really be used anymore and definitely should

not be exposed to the internet. Well, according to BitSight, who found out about this vulnerability

and discovered it, there are actually 54,000 SLP-speaking devices connected to the public

internet.

...