Re: CVE's for private/"Secret" issues

[jericho <jericho@attrition.org>]

On Thu, 19 Nov 2015, Kurt Seifried wrote:

: http://www.wired.com/2015/11/heres-a-spy-firms-price-list-for-secret-hacker-techniques/#slide-2
: 
: TL;DR: another firm that acquires 0 day vulns, the news being they 
: published their price chart.
: 
: There are now several firms like this (TIppingPoint, ImmunityInc, etc.) 
: and I was wondering what, if any, process there is with respect to CVE 
: assignments, my experience is that the sooner a CVE is assigned the 
: better, ideally prior to public release if possible. Has Mitre reached 
: out to these companies at all to help them understand the value of 
: getting CVE's in advance and so on?

I have reached out to a handful of shops on behalf of OSVDB asking the 
same question, and also suggesting that failing a CVE assignment, they use 
their own unique ID like many companies do. My argument was that by 
having it in databases, in a way we can track and avoid duplicates, it 
helps get them exposure. Especially in databases that track exploit 
availability (e.g. OSVDB / VulnDB track 'exploit commercial' and link to 
the company with it). Some VulnDB customers specifically use that service 
because of the exploit metadata carried in the feed.

I don't recall a single company I talked to that said it was such a good 
idea they would start. A few of the exploit dev shops will sometimes 
answer my mails asking for clarity if $disclosureA is a duplicate to 
$disclosureB, and sometimes not. After a series of mails I also positively 
verified that we can rely on specific wording in their announcements to 
indicate it is truly a new issue, versus an exploit for an existing issue. 
Which leads into the confusing part...

I understand that such a company does not want to give any information 
away about their 0day, as that is a huge part of their reputation (and 
thus sales). What I don't understand is that when they release a dozen 
exploits for already disclosed issue, they don't match them up with a CVE 
if one exists. Why tell people "we can exploit a remote WordPress flaw" 
that we know is public, but not which one? As a customer I would certainly 
want to know that. But, it may be a case where the actual exploit 
references it, and the public list of exploits released in that version / 
pack do not. Makes sense for existing customers, but seems like missing 
out on potential sales as vague descriptions like that are not very 
helpful.

HP's TippingPoint ZDI does use CVE for a majority of their issues, and 
they are also very good about answering questions if there is confusion 
over assignments or which issue it tracks to in relation to a vendor 
advisory. I routinely email them and appreciate their help when it comes 
up.

In general, most that I have spoken to consider CVE assignment as either 
no benefit, or possibly hurting them competitively. Further, from their 
eyes, what is the value if they have no plans to ever release details, and 
never verify it is a duplicate to another disclosure?