
Re: upcoming intel issue



Interesting... I seem to be getting them.

Kent Landfield
Kent_Landfield@McAfee.com
+1.817.637.8026 

> On Jan 3, 2018, at 8:28 PM, Kurt Seifried <kseifried@redhat.com> wrote:
> 
> Just a note: at least one of my emails got bounced by McAfee's system
> as spam. Not sure if anyone else's system ate it.
> 
>> On Wed, Jan 3, 2018 at 4:53 PM, Millar, Thomas <Thomas.Millar@hq.dhs.gov> wrote:
>> Yes to all that.
>> 
>> 
>> 
>> Tom Millar, US-CERT
>> 
>> Sent from +1-202-631-1915
>> https://www.us-cert.gov
>> 
>> ________________________________
>> From: Coffin, Chris
>> Sent: Wednesday, January 03, 2018 11:46:59 PM
>> To: Kurt Seifried; Millar, Thomas
>> Cc: Art Manion; Landfield, Kent; cve-editorial-board-list
>> Subject: RE: upcoming intel issue
>> 
>> Agree that this is worthy of a discussion, special handling, and probably
>> some documented guidelines. One thought is that the CNA should identify
>> issues that affect other vendors and notify/coordinate where appropriate, or
>> at the very least contact their parent CNA so that they can share the
>> reserved CVE ID and some limited bit of detail.
>> 
>> It used to be the case that MITRE handled issues like this once public,
>> though we have moved away from that in the past few years.
>> 
>> Regards,
>> 
>> Chris
>> 
>> 
>> From: owner-cve-editorial-board-list@lists.mitre.org
>> [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Kurt Seifried
>> Sent: Wednesday, January 3, 2018 5:35 PM
>> To: Millar, Thomas <Thomas.Millar@hq.dhs.gov>
>> Cc: Art Manion <amanion@cert.org>; jericho <jericho@attrition.org>;
>> Landfield, Kent <Kent_Landfield@mcafee.com>; cve-editorial-board-list
>> <cve-editorial-board-list@lists.mitre.org>
>> Subject: Re: upcoming intel issue
>> 
>> So some challenges with this one:
>> 
>> 1) it is multiple issues
>> 
>> 2) it affects multiple vendors at the root cause level
>> 
>> 3) it affects multiple vendors with workaround/fix (e.g.... all the OSs,
>> sigh)
>> 
>> So yes it is correct to say that these 3 CVEs were from Intel's CNA and
>> thus "owned" by Intel, but it's clear that literally every OS vendor on the
>> planet that runs on x86 (and some others...) is going to need to deal with
>> this, so from that perspective I think one could argue for more community
>> "ownership" of the CVEs.
>> 
>> I know this is a challenge the DWF faces (e.g. Linux Kernel, glibc, lots of
>> projects that are used by literally everyone); the best way I can/could
>> think of to fix this was the JSON format with per vendor/product statements
>> so everyone can have their own cake on their own table as it were.
>> 
>> I also know MITRE has poked me in past for high visibility CVEs, and I
>> generally agree with this, so perhaps some guidelines should be created,
>> e.g. around severity/popularity/impact (e.g. CVSS score of 9.0 or higher and
>> more than 10 million affected instances should be high priority, or if it
>> hits cnn.com AND the BBC AND Reuters... and if the original CNA doesn't get
>> it in quickly some other CNA is allowed to).
>> 
>> On Wed, Jan 3, 2018 at 4:17 PM, Millar, Thomas <Thomas.Millar@hq.dhs.gov> wrote:
>> 
>> https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
>> 
>> -----Original Message-----
>> From: owner-cve-editorial-board-list@lists.mitre.org
>> [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Art Manion
>> Sent: Wednesday, January 3, 2018 17:51
>> To: jericho <jericho@attrition.org>; Landfield, Kent
>> <Kent_Landfield@McAfee.com>
>> Cc: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
>> Subject: Re: upcoming intel issue
>> 
>>> On 1/3/18 5:25 PM, Art Manion wrote:
>>> 
>>> So first, what is the vulnerability (or vulnerabilities) -- things that
>>> warrant a CVE ID, and second who is responsible for assigning IDs?
>> 
>> https://meltdownattack.com/
>> 
>> CVE-2017-5715 CVE-2017-5753 CVE-2017-5754
>> 
>> Not immediately populated, so not sure what the distinctions are.
>> 
>>  - Art
>> 
>> --
>> 
>> Kurt Seifried
>> kurt@seifried.org
> 
> -- 
> 
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> Red Hat Product Security contact: secalert@redhat.com


Page Last Updated or Reviewed: January 04, 2018