RE: CVE-2017-7269 and abandonware
> Yes, cases like this should get CVE IDs. My question was who assigns
> them, so CNA rules/guidance.
Page 5 of the current CNA rules state:
"In cases where requests or issues cannot be resolved by a given CNA,
the issues are escalated to the next higher level CNA."
We may want to provide examples of the kinds of issues that might cause
escalations, but I think this would cover it.
> So the vendor CNA did not issue an ID, then the MITRE CNA did?
Yes.
> Requestor explicitly asks vendor CNA for an ID, vendor explicitly
> says no or does not respond in a reasonable period of time, requestor
> has email evidence to support this exchange?
This sounds reasonable to me, though I figured others might want to
discuss this a bit further.
> And like G.I. Joe says "knowing is half the battle".
Still bummed I never got the aircraft carrier toy as a kid. :-)
http://www.yojoe.com/vehicles/85/ussflagg/
Chris
-----Original Message-----
From: Art Manion [mailto:amanion@cert.org]
Sent: Thursday, March 30, 2017 11:01 AM
To: Kurt Seifried <kseifried@redhat.com>; Coffin, Chris
<ccoffin@mitre.org>
Cc: Landfield, Kent B <kent.b.landfield@intel.com>;
cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: CVE-2017-7269 and abandonware
On 2017-03-30 11:55, Kurt Seifried wrote:
> I know for a fact we have Linux that is 10 years out of support (EoL)
> and still in use, and if there was a flaw specific to that (and not
> newer versions) I would still CVE it so at least people are aware of
> the flaw's existence. And like G.I. Joe says "knowing is half the
> battle".
Yes, cases like this should get CVE IDs. My question was who assigns
them, so CNA rules/guidance.
> On Thu, Mar 30, 2017 at 8:48 AM, Coffin, Chris <ccoffin@mitre.org
> <mailto:ccoffin@mitre.org>> wrote:
>
> I agree with Kent's perspective on this.
Me too.
> In this specific case, the discoverer contacted the CNA and received
> a case number. However, they were told that the unsupported/obsolete
> product was outside the scope of the CNA.
So the vendor CNA did not issue an ID, then the MITRE CNA did?
> > Is the vendor CNA primarily responsible, if one exists?
>
> Yes. We should always give them the opportunity and redirect to them
> first if they exist. If they refuse, then a next available CNA could
> be contacted. One item for the Board discussion, as the backup CNA
> how would we verify that this conversation took place.
Requestor explicitly asks vendor CNA for an ID, vendor explicitly says
no or does not respond in a reasonable period of time, requestor has
email evidence to support this exchange?
- Art