That brings up a conflict for potentially a number of us. The NIST Cybersecurity Framework Development Workshop is being held at NIST on the 16th and 17th. I will not be available to participate in the CVE Board call since I will be attending and on a panel. There may be others as well. Any chance we can either push the call next week a day or two or push it a week to the following Wednesday?

If we are going to be discussing the current thread, I definitely want to be there.

--
Kent Landfield
817-637-8026
kent_landfield@mcafee.com

From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of "Levendis, Chris" <clevendis@mitre.org>

We're making it an agenda item for the next Board call.

Chris Levendis

From: Millar, Thomas <Thomas.Millar@hq.dhs.gov>
Date: Thursday, May 11, 2017, 4:45 PM
To: Carsten Eiram <che@riskbasedsecurity.com>, Adinolfi, Daniel R <dadinolfi@mitre.org>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: Current standards/criteria for 'Undefined Behavior'

I tend to agree with Carsten here, but I assume a response further explaining the CVE Team's reasoning is being drafted already.

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Carsten Eiram

I hope the new MITRE CVE team realizes they are in a minority of people in this industry who actually consider such issues as being CVE-worthy by default, or even security-relevant, without some proof of there being a (realistic) security impact.

Referencing Hanno Böck and Agostino Sarubbo of all people does not lend a lot of "street cred" or underline the point. These guys are fairly inexperienced when it comes to vulnerability research and focus on fuzzing with AFL. One of them (Hanno) until recently didn't even really understand the output; the other still struggles.

We do not disagree that issues leading to undefined behaviour _theoretically_ have a security impact. Rarely is it ever proven, though. In fact, I don't think Agostino Sarubbo (or Hanno for that matter) has proven that a single one of the UBSan issues, which he has reported many of, actually did have a real-world impact.

Most experienced people in this industry have historically expected some reasonable indication of a security impact that was not too theoretical. There is a reason for us not seeing these types of reports from experienced researchers who are also fuzzing using AFL. Even the OSS-Fuzz project flags UBSan issues as "Bug" and not "Bug-Security" by default. Sure, they should be fixed for good measure and are bad coding practice, but even developers generally don't treat the fixes as security-relevant. And rightly so.

MITRE is humoring beginners who are fuzzing and just dumping their UBSan output without doing minimal due diligence; it would be better to educate them to higher standards, i.e., the standards of most vulnerability researchers as well as the old MITRE CVE team.

Otherwise, I hope the new MITRE CVE team is wearing their track pants and is on top of their cardio. You'll need some excellent stamina when taking on the CVE assignments for the metric ton of UBSan issues you'll be dealing with, if that is your default position.

/Carsten

On Wed, May 10, 2017 at 4:04 PM, Adinolfi, Daniel R <dadinolfi@mitre.org> wrote: