
[TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)



This CD, while newly created, identifies and attempts to address an
old problem.  Voting Editorial Board members will see references to
CD:VAGUE in the "analysis" section of candidates that are affected by
this CD.

- Steve


************************************************************************
CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)
************************************************************************
Type: ABSTRACTION, INCLUSION
Last updated: February 17, 2002

CD:VAGUE is a CVE content decision that deals with cases in which
vendors release security advisories or other types of alerts, but the
descriptions contain fewer details than are needed by other CVE
content decisions.

CD:VAGUE is the only CVE content decision that can affect both
inclusion (should an issue be included in CVE?) and abstraction (how
do we distinguish between closely related issues?).

Vague advisories or vulnerability reports have the following
high-level impacts on CVE:

- INCLUSION CDs: Some Editorial Board members believe that if a
  problem is stated vaguely, it doesn't have enough information to
  provide a useful description, so it doesn't "deserve" to be in CVE.

- ABSTRACTION CDs: When a vulnerability description is vague, it can
  be difficult to apply other CVE content decisions to determine (a)
  whether the problem is a duplicate of an existing CVE candidate or
  entry, and (b) what the proper level of abstraction is.

In addition, the vague descriptions of these candidates increase the
risk of mapping errors in CVE-compatible products, i.e. a
CVE-compatible vendor may accidentally map an issue in their database
to a CVE entry because the issue appears to match the entry's vague
description, even though the entry was created for a different issue.

There are also occasional implications for vendor acknowledgement and
its impact on voting.  For example, a candidate based on a detailed
Bugtraq post may not get sufficient ACCEPT votes because Board members
cannot replicate the problem, while a different candidate, based on a
vague vendor advisory, may be the one that actually acknowledges the
reported problem.

There is evidence that different vulnerability information sources
(databases, alert summaries, etc.) use different approaches for
deciding whether a vague advisory is addressing the same issue as one
that has been reported in more detail elsewhere.

CD:VAGUE, as with other content decisions, effectively provides a name
for this difference across vulnerability data sources.


DESCRIPTION
-----------

Following is the description for CD:VAGUE.

1) If a vendor releases a vague report of a security problem, then
   even though there is insufficient detail, the problem should be
   included in CVE, since (1) it is related to security (the vendor
   claims it is), and (2) it is known to be real (the vendor reported
   it).

2) Unless there is sufficient evidence that the vague advisory is
   addressing the same issue as identified by another CVE item, it
   should be distinguished from that item.


RATIONALES
----------

INCLUSION:

In several cases in the past, one or more Editorial Board members have
voted to REJECT or at least REVIEW a candidate because its description
was too vague, even when there was a vendor security advisory
associated with it.

However, the vendor is reporting on a problem that it believes has
security implications, and that system administrators should take care
of.  Also, someone malicious may discover it in the future, or already
know about it.

There is sufficient evidence that the problem is real, and the vendor
believes that it has security implications.  Therefore it should be
included in CVE.


ABSTRACTION:

It can be difficult to determine whether the vague advisory is a
duplicate of an existing CVE candidate or entry, which may have more
details.  Sometimes the vague advisory is released months or even
years after more detailed reports have appeared.  If the advisory
doesn't include information (such as cross-references) that clearly
links the issue to other CVE items, then it should be kept separate
from the other CVE items, and the possible relationship should be
noted.

Also, when several closely related issues have been discovered before
the vague advisory has been released, it is not clear whether the
advisory addresses one, some, all, or none of the reported issues.



INCLUSION EXAMPLES
------------------

CAN-2001-1061 shows that a vendor has fixed a problem that the vendor
claims is security-related, but there is insufficient information for
understanding why the issue is related to security.

  Candidate: CAN-2001-1061
  URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1061
  Proposed: 20020131
  Assigned: 20020131
  Category: SF
  Reference: AIXAPAR:IY22255
  Reference: URL:http://archives.neohapsis.com/archives/aix/2001-q3/0003.html

  Vulnerability in lsmcode in unknown versions of AIX, possibly
  related to a usage error.

  Analysis
  ----------------
  Vendor Acknowledgement: yes
  Content Decisions: VAGUE

  CD:VAGUE states that if a vendor releases a vague report of a security
  problem, then even though there is insufficient detail, the problem
  should be included in CVE.


The full text for AIXAPAR:IY22255 says:

  ABSTRACT: SECURITY: VULNERABILITY IN LSMCODE

  PROBLEM DESCRIPTION:
    The customer will not receive a usage error when
    specifying an invalid type command line option for
    lsmcode.

  PROBLEM CONCLUSION:
    Check the type provided from the command line. If the
    type is not supported, then display a usage error.

It's not clear from this description how the lack of a usage error
implies a vulnerability.  However, IBM is saying that there's some
sort of security problem.


Here's another example candidate.

======================================================
Candidate: CAN-2000-0173
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0173
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20000322
Assigned: 20000322
Category: SF
Reference: SCO:SB-00.08a
Reference: URL:ftp://ftp.sco.com/SSE/security_bulletins/SB-00.08a

Vulnerability in the EELS system in SCO UnixWare 7.1.x allows remote
attackers to cause a denial of service.

INFERRED ACTION: CAN-2000-0173 SMC_REVIEW (3 accept, 2 review)

Current Votes:
   ACCEPT(2) Blake, Cole
   MODIFY(1) Frech
   NOOP(4) Ozancin, LeBlanc, Prosser, Wall
   REVIEWING(2) Levy, Christey

Voter Comments:
 Prosser> Although SCO is reporting the problem, there is too little info
   available to make an informed decision.  Unable to find anything
   anywhere on this.  It is an events logging system, so one would assume
   that there is a way to fill up the log and cause a system halt, but no
   way of confirming this with limited information.
 Christey> Perhaps we should create a content decision, say
   CD:VAGUE-ACK, which says whether it's reasonable to
   ACCEPT vendor-acknowledged problems that do not provide any
   salient details, as in this candidate as well as several
   others.
 Cole> I researched this a little more and you can change my NOOP to an
   ACCEPT
 Frech> XF:sco-eels-dos



ABSTRACTION EXAMPLES
--------------------

CAN-2001-0935 is a vague Linux advisory related to a problem in
wu-ftpd.  See the Analysis section.

  ======================================================
  Candidate: CAN-2001-0935
  Proposed: 20020131
  Assigned: 20020131
  Reference: SUSE:SuSE-SA:2001:043
  Reference: URL:http://www.suse.de/de/support/security/2001_043_wuftpd_txt.html

  Vulnerability in wu-ftpd 2.6.0, and possibly earlier versions, which
  is unrelated to the ftpglob bug described in CAN-2001-0550.

  Analysis
  ----------------
  Vendor Acknowledgement:
  Content Decisions: SF-LOC, VAGUE

  ABSTRACTION: The SUSE advisory describes the ftpglob buffer overflow
  (CAN-2001-0550), then states "Some weeks ago, an internal source code
  audit of wu-ftpd 2.6.0 performed by Thomas Biege, SuSE Security,
  revealed some other security related bugs that are fixed."  It
  provides no other details, so this problem should be distinguished
  from CAN-2001-0550, and the resulting CVE description is necessarily
  vague.

  INCLUSION: CD:VAGUE suggests that when a vaguely worded advisory is
  posted by a vendor, it should still be included in CVE because there
  is sufficient evidence that the problem is real (since it came from
  the vendor).



The following candidate is an example of a vague description that
could apply to a number of potential products or vulnerabilities, some
of which may already have CVE names.  In addition, other CVE content
decisions cannot be properly applied.


  ======================================================
  Candidate: CAN-2001-0772
  URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0772
  Proposed: 20011012
  Assigned: 20011012
  Category: SF
  Reference: HP:HPSBUX0105-151
  Reference: URL:http://archives.neohapsis.com/archives/hp/2001-q2/0044.html
  Reference: XF:hpux-cde-bo(6585)
  Reference: URL:http://xforce.iss.net/static/6585.php

  Buffer overflows and other vulnerabilities in multiple Common Desktop
  Environment (CDE) modules in HP-UX 10.10 through 11.11 allow attackers
  to cause a denial of service and possibly gain additional privileges.

  Analysis
  ----------------
  Vendor Acknowledgement: yes advisory
  Content Decisions: SF-EXEC, SF-LOC, VAGUE

  ABSTRACTION/INCLUSION:
  There have been a variety of vulnerabilities in CDE modules over the
  years.  The HP advisory does not provide enough details to know
  whether HP is addressing known vulnerabilities or new ones.  Thus it
  is possible that this item overlaps other CVE entries or candidates.
  The advisory also implies that there are other types of problems
  besides buffer overflows.  CD:SF-LOC would recommend creating separate
  candidates for each problem, but since the advisory does not provide
  details, it cannot be determined how many candidates should be
  created.  Thus this candidate is clearly at a higher level of
  abstraction than usual.


  Current Votes:
     ACCEPT(4) Baker, Foat, Cole, Frech
     NOOP(2) Wall, Armstrong
     REVIEWING(1) Christey

  Voter Comments:
   Christey> There is some overlap between CAN-2001-0551 and CAN-2001-0772.
     CAN-2001-0551 describes a specific vulnerability in
     dtprintinfo.  HP acknowledges CAN-2001-0551 by stating
     that the problem is fixed in HP:HPSBUX0105-151, which
     is CAN-2001-0772.  But CAN-2001-0772 is a vague advisory
     that identifies other vulnerabilities (and vulnerability
     types) besides CAN-2001-0551.  Perhaps CAN-2001-0772 should
     be RECAST to "remove" the reference to dtprintinfo and
     leave the other vague descriptions.  CAN-2001-0772 and
     CAN-2001-0551 are very good examples of the problems that
     CVE faces in being consistent with respect to the level of
     abstraction, as documented in the CD:SF-CODEBASE, CD:SF-LOC,
     and CD:VAGUE content decisions.

Page Last Updated or Reviewed: May 22, 2007