RE: CNA Rules Announcement
On Mon, 10 Oct 2016, Monroe, Bruce wrote:
: Here's a good example and one that we just encountered internally. How
: about unquoted service path?
:
: https://web.nvd.nist.gov/view/vuln/search-results?query=unquoted+search+path&search_type=all&cves=on
:
: As you can see from the search results, every vendor is assigning their
: own. We recently saw that and made an internal decision to do the same,
: but it's effectively the same vulnerability repeated over lots of
: software.

More so because a majority of 'unquoted search path' privilege escalation
issues are NOT vulnerabilities. Oftentimes they require some form of
administrative access to carry out the 'attack', and they aren't really
crossing privilege boundaries at that point.

: Challenges:
:
: - People assigning CVEs would have to look before assigning another
: CVE. Not sure that would always happen...

MITRE is generally good about doing this, but they are restricted because
they can't see assignments made by CNAs that aren't public yet. Further,
if they are behind in monitoring a CNA's disclosure point, they may dupe
assign due to that race condition of sorts.

: - Listing would eventually grow to be enormous and I expect it would be
: a bit of a pain to dig through... this one currently has 3 pages of CVEs
: ;)

VulnDB has 61 entries with 'unquoted search path' in the title, 34 that do
not have a CVE. Based on the CVSS scores, only 1 of them was considered
valid.

: Agree we should be consistent in our approach. If we could come up with
: a simple, solid, easily repeatable way to reference a master CVE and
: pile on with "like" issues, I'd be in favor of that approach, as long as
: it could be done without losing visibility of each sub-entry.

The 'easiest' way (said externally, knowing it is a lot more work for
MITRE) is to reference the other CVEs in the entry, as someone previously
mentioned. They already do it for duplicate assignments (e.g. "REJECTED, see
CVE-1234-5678"). They could carry this on as "MASTER, see IDs 1,2,3,4,5 for
similar issues" in better language.

Brian
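The distinction Brian draws above (an unquoted service path is only a real privilege escalation when a user who is not already an administrator can write to one of the directories CreateProcess searches before the intended binary) is easy to check rather than assume. The PowerShell below is an added example, not code from this thread or from VulnDB, NVD or MITRE. The function names Get-HijackCandidates and Test-DirectoryWritable are made up for this illustration; it assumes Windows PowerShell 3 or later and should be run as the standard (non-admin) user whose privileges the report claims can be escalated.

```powershell
# Added example (not from the thread): list services whose ImagePath is
# unquoted and contains a space, expand each one into the paths that
# CreateProcess would try before the real executable, and test whether the
# current user can actually create a file in those directories.
# Run this as the low-privilege user, not from an elevated prompt.

function Get-HijackCandidates {
    # Hypothetical helper: turn an unquoted command line such as
    # "C:\Program Files\Acme Agent\agent.exe -service" into the paths
    # tried first: C:\Program.exe, then C:\Program Files\Acme.exe.
    param([Parameter(Mandatory)][string]$PathName)
    # Keep only the executable portion; drop any arguments after .exe
    if ($PathName -notmatch '^(?<exe>.*?\.exe)') { return @() }
    $tokens = $Matches['exe'] -split ' '
    $candidates = @()
    # Each space-delimited prefix, with .exe appended, is a candidate;
    # the final token set is the intended binary and is not a hijack point.
    for ($i = 1; $i -lt $tokens.Count; $i++) {
        $candidates += (($tokens[0..($i - 1)] -join ' ') + '.exe')
    }
    return $candidates
}

function Test-DirectoryWritable {
    # Hypothetical helper: probe the effective ACL for the current token by
    # creating and deleting a throwaway file instead of parsing Get-Acl output.
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $probe = Join-Path $Directory ([guid]::NewGuid().ToString() + '.tmp')
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

# A writable result from an elevated shell proves nothing about a privilege
# boundary, so warn if we are already an administrator.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
if ($isAdmin) {
    Write-Warning 'Running elevated; re-run as a standard user for a meaningful DirWritable column.'
}

Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"' } |   # unquoted only
    ForEach-Object {
        $svc = $_
        # Services whose executable path has no space yield no candidates
        foreach ($candidate in Get-HijackCandidates -PathName $svc.PathName) {
            [pscustomobject]@{
                Service     = $svc.Name
                RunsAs      = $svc.StartName      # LocalSystem etc.; who you would become
                StartMode   = $svc.StartMode
                Candidate   = $candidate
                DirWritable = Test-DirectoryWritable -Directory (Split-Path -LiteralPath $candidate -Parent)
            }
        }
    } |
    Format-Table -AutoSize
```

Only rows where DirWritable is True for a standard user, and RunsAs is a more privileged account than that user, describe a crossing of a privilege boundary; everything else is the kind of entry the thread is complaining about. The probe writes a temporary file, so expect it to fail (and report False) on default-ACL locations such as the root of the system drive or Program Files, which is exactly the point.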