|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Issues for configuration problems in the CVE
- To: "Steven M. Christey" <coley@linus.mitre.org>
- Subject: Re: Issues for configuration problems in the CVE
- From: Gene Spafford <spaf@cs.purdue.edu>
- Date: Sat, 17 Jul 1999 11:19:43 -0500
- Cc: cve-editorial-board-list@lists.mitre.org
- In-Reply-To: <199907161713.NAA14486@basie.mitre.org>
- References: <199907161713.NAA14486@basie.mitre.org>
- Reply-To: spaf@cs.purdue.edu
- Sender: owner-cve-editorial-board-list@lists.mitre.org
At 1:13 PM -0400 7/16/99, Steven M. Christey wrote: >Gene Spafford wrote: > > >When I first had a student (Taimur Aslam) look at classifications of > >problems, configuration errors fell out as one category. However, we > >found there were some ambiguities with user interface error, and > >incorrect documentation. If something is misconfigured because the > >documentation is unclear (or wrong), is that a bug? If so, where? In > >the software that doesn't match the documentation, or in the > >documentation that doesn't match the software? > >I see why the questions needs to be asked from a perspective of >classification and explanation; however, I don't think this particular >issue has much of an impact on the CVE. The configuration problem >exists because of something a user did, regardless of how the user did >it or why they did it. I believe that's sufficient for the CVE. > >- Steve The documentation and online help message says "-s" is the security mode switch. The user builds a config file to run with "-s". However, it turns out that either the programmer got the logic backwards, or the documentation is wrong, and "-s" turns the security OFF. The result is a vulnerability. Is that a bug or an operator error? The system comes with default accounts with well-known passwords. The operator does not notice these, and installs the system with the accounts intact. This results in a vulnerability. Is that an operator error? The system comes with a program that installs patches. The vendor releases a patch to a problem. The operator runs the program, and in addition to installing the patch, it sets some directory permissions and ownerships to new values that result in a vulnerability. Is that a bug or operator error? In each case, " The configuration problem exists because of something a user did, regardless of how the user did it or why they did it," so I would assume you would classify them all as operator errors. However, all three are also vulnerabilities that are in some sense "built in" by the vendor. I would argue that #2 is the only one that is directly a user error. Problems that occur because the operator should have know better if he/she had read documentation and security literature fall in this category. Vulnerabilities that result from hidden features, bugs, bad documentation of features, etc are not. Comments? --spaf
- References:
- Re: Issues for configuration problems in the CVE
- From: "Steven M. Christey" <coley@linus.mitre.org>
- Re: Issues for configuration problems in the CVE
- Prev by Date: Administrivia
- Next by Date: Re: CONTENT DECISION: Content Decisions for "Password Selection" problems
- Prev by thread: Re: Issues for configuration problems in the CVE
- Next by thread: Re: Issues for configuration problems in the CVE
- Index(es):