on the topic of CNA assignments... (was Re: Please welcome Kurt Seifried to the CVE Editorial Board)
On Wed, 4 Nov 2015, Art Manion wrote:
: On 2015-11-04 09:26, Kurt Seifried wrote:
:
: > One thing I do know is some of the external issues facing CVE (e.g.
: > people asking for CVE's on oss-sec that then take a while), I was
: > wondering if there are specific internal issues/challenges, e.g. are the
: > requests taking a long time/eating up resources because the requests are
: > poor? I often bounce private CVE requests back with "I need more info,
: > specifically X/Y/Z", and have been very firm with fuzzing reports (I
: > need minimized test cases and root cause analysis, not a pile of 100
: > text files that crash a command line app, and as it turns out that's all
: > they do).
:
: We (at CERT/CC) face similar issues in our CNA role. We get researchers
: asking for a CVE ID for legitimate, but low severity/impact
: vulnerabilities that we otherwise would not handle or publish. One
: option is to redirect the researcher to cve-assign, which sometimes
: comes back as "I already asked them and didn't get an answer so I'm
: asking CERT."
OK, so board... if the above is kind of foreign to you? Go read the
comics, ignore this.
For the 2% of you following board traffic, and my kind-of-subtle jabs in
this direction, grab your popcorn.
Kurt's mail, and Art's reply, are PERFECT. While MITRE can figure that out
for 'today', and moving forward, I will use this as an opportunity to
bring up the past. And the best part? I will pick on Art!
I alluded to this in less-than-subtle ways in the last year. MITRE ignored
the comments on the editorial board list. No one else on the board picked
up on it either, which is beyond discouraging. Because it means they are
likely oblivious to the real world of vuln disclosure.
So, OFFICIALLY.... MITRE... SPEAK TO THIS PLEASE.
Last year, Will Dormann at CERT developed a tool to discover MitM issues
in Android applications. He called it 'TAPIOCA', not to be confused with
the recent 'TAPIOCA' tool name. Because researchers are largely ignorant
and can't Google for shit.
CERT, being a registered CNA, started issuing IDs for these vulns. About
three to four weeks in, CVE/MITRE arbitrarily decided that Will should
STOP assigning IDs for these vulns.
Yep, process that for a minute or eight.
MITRE, decided on their own, without consulting the board, that a
CNA should *STOP* issuing IDs to valid vulnerabilities. No valid reason
was given, not to the public, and I bet a dollar not to Will himself. Just
"oh god no stop it".
Anyone on the board should be concerned right here. Why does MITRE have
this absolute authority to stop issuing IDs on valid vulnerabilities? You
can't argue they are valid or not, because MITRE actually spent the time
to write scripts to import Will's first run of vulnerabilities! CVE
auto-imported the data into the official CVE database, that feeds into
NVD, that is a cornerstone of our industry. In doing so, they missed the
many dozens of entries that had bad data due to the original import
scripting. To this day, we have CVE entries saying software is vulnerable,
with gibberish for the affected version number. Then, MITRE decided, no
more IDs... told Will, at CERT, which is a CNA, to stop assigning.
A year later, after alluding to it on the board, and MITRE ignoring
those comments... here we are. Still no explanation as to why that
decision was made, no hiring an extra intern at ~ 20k a year to import the
rest (on a budget of 1mil+)... basically, nothing holding them
accountable. Given MITRE/CVE's mission statement, that doesn't work for
me.
If you are wondering what all this means, please ask yourself why. Why
didn't you notice this last year? It was center-stage of the vuln
disclosure world, in many ways. No offense, but if you didn't notice me
bringing it up on list, and didn't notice it happening, are you really
suited to be on the board? 2014 represented a near 8x increase in vuln
disclosures. Yet, that isn't reflected in CVE at all, and it wasn't
brought to our attention, or our vote. Are you really comfortable with a
tax-payer funded VDB hiding ~ 80% of the disclosed vulnerabilities any
given year?
: I believe that CVE looks for a reasonably trusted public source of
: information (this might get to the sources and products lists) on which
: to base a CVE ID assignment and entry. So a researcher publishing
Yet, CERT is not trusted. See above. If we can't trust CERT to be a CNA...
who can we trust?
Certainly not Apple, who refuses to answer mails clarifying dupe CVE
assignments (Oct 2015).
Certainly not Microsoft or Adobe, who keep assigning 2015 IDs to issues
found and disclosed to them in 2014.
Certainly not IBM, who has released several hundred advisories using the
wrong CVE ID, that clearly states it is vendor-specific, and who has
been told by me and MITRE to stop...
Certainly not Cisco, who is cherry-picking which vulns get CVE
assignments, and when asked about public vuln information (that they
published) opt to redact information instead of clarifying it per
request...
Is there any wonder I have been asking for, and waiting for CNA guidelines
to be officially published?
The entire system is broken from the ground up. No one is policing it. The
rare times some asshole polices it externally, they get ignored over and
over.
: themselves or dropping mail on full-disclosure might not be enough to
: support CVE ID assignment and writeup (in the case that neither CERT nor
: the vendor publish).
Oh god, stop there. F-D or Bugtraq are your 1999 or 2001 examples. This is
2015, you can't use either as an example to disclosure challenges. Look to
oss-sec first, and you will see why I am shocked I had to fight for three
years to get Kurt on board. Then consider the slightly easier sources like
EDB or PS... then for pure nostalgia, look to Bugtraq or FD, which are
front-and-center on the official sources MITRE monitors.
: While I support the idea that every vulnerability should have an
: identifier -- ideally a CVE ID -- there are tradeoffs with quality,
: quantity/scope/coverage, assignment speed, and resources. It may be
: that working policy is that certain vulnerabilities just don't get CVE
: IDs? Should a CNA (CERT) shunt requests to cve-assign or just say "no?"
If a CNA says "no" to requests in their own software, for ANY reason, they
should not be a CNA.
End of story.
A volunteer effort, run by 3 people in their spare time, doubled CVE's
output for half a decade. Each year, MITRE got 1mil+ from the
government, while these volunteers did it in their spare time.
You simply cannot argue about CVE and effectiveness without addressing
that point. If MITRE's bureaucracy is so convoluted and hindering to
the process, we need to consider alternatives.
.b