Examples for Technical Issues in the CVE
All:
Below are some specific CVE examples to illustrate some of the
technical issues that I plan to discuss this Sunday. I didn't release
them earlier because I didn't want to bog down the "bigger questions"
in details, but perhaps they can provide some food for thought.
- Steve
Examples for some CVE technical issues
======================================
Inclusion
---------
Most SA category vulnerabilities may not be a "vulnerability" from
some perspectives. Consider information gathering using CVE-00612,
CVE-00629, or CVE-00626. Nonetheless, many "restrictive" security
policies would consider them vulnerabilities, at least in some
situations.
CVE-00500 - not a vulnerability by some perspectives (assuming not a
critical system directory)
CVE-00497 - if "properly" configured, not a vulnerability by some
perspectives (note specific related CF category problems
e.g. CVE-00563 or CVE-00527).
"unfixable" design flaws are not included (e.g. Digital Unix 4.0
moving to stack-based execution), but "fixable" problems related to
design limitations are (e.g. Smurf, CVE-00513).
High cardinality vulnerabilities
--------------------------------
The following entries are some of the high cardinality vulnerabilities
in CVE version 199904290013. Note they also may have level of
abstraction (LOA) problems.
CVE-00119 - should each piece of buggy beta software get its own entry?
What about "commonly used" or "prevalent" beta software?
CVE-00660 - rolls all post-compromise installed hacker utilities into
one
CVE-00586 - *any* network service could run on an unusual port, which
may not be accounted for by network filters
CVE-00559 - there are too many "critical" files or directories to
enumerate. But then who says what is "critical"? (Partial answer:
not the CVE.)
CVE-00537, CVE-00538 - too many different-but-related "options" in web
browsers
Level of Abstraction (LOA) examples
-----------------------------------
CVE-00502, CVE-00504, CVE-00506, CVE-00508, CVE-00519 - all have to do
with default passwords, but they're separated by "functionality." So
is this too low an LOA? Note also the converse - these are high
cardinality vulnerabilities too.
CVE-00536 - LOA is too high for NT experts, but what is the
appropriate way to split this vulnerability?
CVE-00534 - configuration problem whose LOA is fixed because each
right is an option on the same menu.
CVE-00620, CVE-00621 - service "suites" that consist of component
services
CVE-00346, CVE-00068 - most tools roll these into one, but they're
split because they're different executables.
CVE-00578, CVE-00579 - other vulnerabilities like these discriminate
between "system critical" and "normal" resources, the idea being that
"system critical" may allow system compromise, while "normal" may at
worst leak information.
CVE-00025, CVE-00026, CVE-00027, ... - same as previous example
CVE-00552 - too low level? An instance of a higher cardinality
vulnerability, e.g. "TCP/IP service or surrogate available through web
interface"
CVE-00557, CVE-00558, CVE-00559 - are 557 and 558 subsumed by 559? Is
559 at the proper LOA?
CVE-00306, CVE-00030 - same application on different OSes
Description Problems
--------------------
Some of these examples are due to incomplete information provided from
my source (e.g. an advisory that's written to obscure relevant
details).
CVE-00022, CVE-00023, CVE-00187
- 22 and 23 are distinguishable by the function name, but it
requires a glance at the references to be certain of the
difference
- 187 appears different than 22 and 23, but the associated advisory
doesn't provide additional details
CVE-00001 - not enough info in source advisory
CVE-00254 and CVE-00186 have inconsistent terminology.
Descriptions often don't need software version numbers, but consider
CVE-00478, CVE-00393, CVE-00047, CVE-00205, and CVE-00204 as examples
where version numbers are useful to a human reader who is trying to
distinguish between these vulnerabilities.
CVE-00534 - has "too much" information (listing most known
privileges); however, it is useful for some mapping/search tasks, so the
specific options are included.
Missing Vulnerabilities
-----------------------
Example: Note that CVE-00661 is only intended to refer to "normal"
software packages that have been replaced by Trojan Horses at their
distribution site (e.g. TCP Wrappers of a few months ago). [Note also
the description problems.] There isn't a specific vulnerability for
Trojan Horses that a hacker might install after a compromise (though
it would fall under GENERIC-MP), but such an entry would overlap
CVE-00660. Other MP category vulnerabilities are missing too,
e.g. hacker-modified configurations (although some configurations
would already be "spotted" under CVE-00663).