The "valid" and "any" parts of that description are problems; if one (a person, an IDS, a scanner, etc.) wants to report something about finger (I saw the use of finger, finger is running on that host, etc.) using CVE one should not be burdened with a requirement to determine if the service returns _valid_ data. Further, a service need not be offered to every (i.e. "any") host on the network to constitute a problem. Both of these are components of determining if an exposure is a problem, but should not be part of defining the exposure.

A bit more on that. There are many other cases where we could make the argument that because the data is not valid, the filters or wrappers will help, or something else, well then that vulnerability or exposure you think system X has really does not exist. For example, my particular web server is in a foolproof chroot environment running on a virtual machine inside (insert as many protections as you like) and so that PHF attack which your scanners say I'm vulnerable to, or your IDS saw used, or your SysAdmin noticed is possible, well it is not a vulnerability for me. But of course we still need a CVE entry for PHF.

So when we or our tools report the presence of CVE #X, it really means that (whether X is a vulnerability or an exposure) X _potentially_ is a problem. To know for sure one must assess the situation in light of policy, network configuration, the existence of special countermeasures, etc. So, let's not refer to the validity of the data, or similar such things, in the CVE!

If I understand Spaf's reasoning, the heart of the exposure is that user information is returned. The vehicle (in this case) is finger. So I suggest the following:

- The exposure is: "User information is disseminated" (or some such thing)
- A particular instance of this would be finger. Also, rusers, rwho, ...

I suggest using the dot notation here to make each different service a separate entry.

Bill

Gene Spafford wrote:
> At 12:00 PM -0400 9/28/99, Steven M. Christey wrote:
> > >Note that the entry says "the finger service is running" . It does
> > >not say that the original, unmodified service is running.
> >
> >How about this:
> >
> >"A version of finger is running that releases valid user information
> >to any entity on the network."
>
> I would be happier with this and similarly modified descriptions for
> the other services.
>
> --spaf

begin:vcard
n:Hill;William
tel;work:703-883-6416
x-mozilla-html:TRUE
org:The MITRE Corporation
adr:;;1820 Dolley Madison Blvd;McLean;VA;22102;
version:2.1
email;internet:bill@mitre.org
title:INFOSEC Engineer
fn:Bill Hill
end:vcard