Re: Regarding CVE assignments on oss-sec mailing list
On Wed, 25 Nov 2015, Kurt Seifried wrote:
: so just over a day after it was requested. The reason I assigned one is
: that the request explicitly stated they needed it within 24 hours, and had
: previously asked MITRE (9 days ago). Additionally the CVE request was well
: Having said that it was pointed out to me that I should not have
: assigned one as
:
: "Just as a reminder, there's currently no agreement in place between the
: MITRE CVE team and Red Hat that would let Red Hat assign a CVE ID for a
: public report in this way."
:
: I don't actually know who sent that email as it came from the generic
: cve-assign@ address and was simply signed "CVE assignment team, MITRE
: CVE Numbering Authority" but I assume it's legitimate (in the sense that
: it's the official MITRE view).
This is a very important topic right now, and this reply is disturbing.

I have pointed out at least once, maybe a few times, on this list that the
CVE assignment process is very behind. Today, I received a BCC on mail
from a security company to CVE asking why assignments were so far behind.
Others have pointed out on Twitter that there are significant delays in
CVE requests; this is a very publicly known issue.

I can personally attest to this, as a request for a CVE ID I made to
cve-assign@mitre.org on 8/20/2015 has *not been answered*. This is very
concerning, as a request I made on 11/20/2015 not only received a response
one day later, but contained what I half-jokingly referred to as "CVE
assignment masturbation" off-list to CVE staff in the past months.

More importantly? My request on 8/20 was about the most simple,
straightforward request one can make. "One 2015 ID for a reflected XSS"
from a trusted organization, made by someone intimately familiar with the
CVE process. The request on 11/20 was about the most convoluted request
CVE could receive, except that same person prefaced it with their
understanding of CVE assignment/abstraction, in addition to being involved
in the disclosure. That one received an outstanding breakdown of the
decision to assign a new ID (as I figured), and extensive explanation as
to why they agreed.

Consider that. Why is the same person waiting 3 months for an assignment
given those two radically different requests, where the assignments seem
backwards?

This should be a critical issue to the board, as this is alienating
companies that have declared themselves "CVE compatible". Why should any
company strive to obtain a CVE when they are waiting months for an
assignment, while the super-CNA (RedHat) can dish them out to meet short
deadlines? Worse, why is RedHat called out and told NOT to assign, when
CVE is clearly not prepared to meet those deadlines and offer assignments
as needed?

If CVE fails to provide IDs on a few issues, after three months, I will
personally lobby my company to publish advisories without an assignment,
and make it very clear that it was done because CVE chose not to assign.
It isn't fair that CVE holds up the coordinated disclosure process in
cases where the requesting party and vendor are not CNAs themselves. Given
that I suggested CVE expand the CNA body a while back, and that appears to
have fallen on deaf ears, there is no excuse for MITRE at this point.
: from MITRE, nothing happens, they then ask publicly, nothing happens). I'm
: willing to back fill CVE assignments on oss-security, but that would leave
Why? Unless it is in the purview of your current assignments, given CVE's
reply today, you should not look to backfill. That is on MITRE to do so,
unless they specifically task you to. If they task you to, that should be
done in a public forum (OSS-sec, or the board list), with an explanation
of why they are relying on RedHat to provide assignments.
.b