Re: Sources: Full and Partial Coverage (CNA increase)

To: security curmudgeon <jericho@attrition.org>
Subject: Re: Sources: Full and Partial Coverage (CNA increase)
From: Art Manion <amanion@cert.org>
Date: Tue, 26 Jun 2012 02:17:20 -0400
CC: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Delivery-Date: Tue Jun 26 02:20:47 2012
In-Reply-To: <alpine.LNX.2.00.1206251348170.16752@forced.attrition.org>
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
OpenPGP: id=36C268A3
References: <4FE8B14C.30708@cert.org> <alpine.LNX.2.00.1206251348170.16752@forced.attrition.org>
Sender: <owner-cve-editorial-board-list@LISTS.MITRE.ORG>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20120428 Thunderbird/12.0.1

On 2012-06-25 14:59 , security curmudgeon wrote:

> : What should CVE cover?  CVE should cover vulnerabilities.  I'd like CVE 
> : to cover, if not all, then the most important vulnerabilities.  "Most 
> : important" gets a bit tricky, but one aspect should be the scope of the 
> : vulnerability -- the number of people affected, possibly within a 
> : constituency.  A vulnerability affects one or more products, and we care 
> : about products because they are used by or affect (service) many (or 
> : few) people.
> 
> You are entirely right. And, you are using sketchy wording =)
> 
> : phpGolf?  Affects few, don't include. (*)
> : 
> : Microsoft XML Core Services?  Affects many, include.
> 
> Siemens SIMATIC? Affects very few customers, don't include.
> 
> Siemens SIMATIC? Affects hundreds of millions of THEIR customers, include.
> 
> There are dozens of software packages that many haven't heard of, even in 
> the VDB world. Yet, they are embedded in hundreds or thousands of other 
> packages. Jetty, SPAW, and FckEditor just to name a few. There are more 
> that I can't think of right off, but I routinely see in changelogs of 
> bigger / more visible products.

It's not sketchy, it's precise :)  "...used by or affect..." is meant to
include SIMATIC, and Facebok, and others.  I mean that the product could
also affect many, not only that the many each have a copy of the product.

> : Other "importance" factors are the usual things like impact, ease of 
> : exploitation, related incident activity, ease of access, etc.  
> : CVSS-like stuff.  I don't necessarily recommend this, but CVE should 
> : include all vulnerabilities with a CVSS environmental score of X or 
> : higher (with environment == the internet).
> 
> I don't think that is a valid criteria really, as XSS / LFI / RFI / SQLi 
> are all 5+. I use 5 as the example because of PCI; any of those will fail 
> a PCI certification test. I'd love to see someone do some quick stats on 
> the number of vulns broken out by CVSS score, but I'd wager 75%+ are CVSS 
> 4+ (I think the actual PCI certification cutoff now?).

I said I didn't necessarily recommend it (CVSS), but assuming some
severity metric or definition, I'd like CVE to come up with a level of
importance/criteria that results in the vulnerability getting into CVE.

Also, and off-topic, sites with those web app vuls should probably fail PCI.


 - Art

References:
- Re: Sources: Full and Partial Coverage (CNA increase)
  - From: Art Manion <amanion@cert.org>
- Re: Sources: Full and Partial Coverage (CNA increase)
  - From: security curmudgeon <jericho@attrition.org>

Prev by Date: Re: Board meeting? Blackhat?
Next by Date: RE: Sources: Full and Partial Coverage (CNA increase)
Prev by thread: Re: Sources: Full and Partial Coverage (CNA increase)
Next by thread: Board meeting? Blackhat?
Index(es):
- Date
- Thread