|
|
I’ll let NIST reply directly to your question but I hope they state they are an accurate reflection of the CVEs placed into the CVE corpus by MITRE. I would not like it at all if NIST was picking and choosing what was available via the
NVD to the downstream users and US/global software security vendors. MITRE use to do a reasonable job of vetting reported issues before issuing new CVEs. Since we have tried to accelerate the pace of assignment of new CVEs, I sort of feel as if the pendulum
is swinging a bit too far in the other direction. There is been much discussion in the past around the quality of issued CVEs. While I understand the intent to try to accelerate the assignments, problematic researchers doing it for their own benefit and not the benefit of the community,
should not be allowed to mass request CVEs. Our focus in the past has been to try to examine new processes and new procedures to accelerate and improve the quality of assignment. In this case it appears we have only succeeded in accomplishing one of those
two goals. It is obvious we want to be able to trust researchers to some extent, trust that they have in fact discovered real issues that need to be identified. It may be that we need to figure out what the “minimum level of proof of a vulnerability”
is that security researchers should supply in order to get an assignment. We also need to be able to identify those researchers who are trying to abuse the system. We need to figure out a process as to how to deal with this type of situation. The fact that he is working with the vendor indicates he’s working with the vendor. It is not an indicator of a vulnerability. As we discussed in the past we would like the vendors who are CNAs to issue their own vulnerabilities. In this
case it might have been useful to reach out to that vendor to say we have these reported vulnerabilities reported in your products. Are you going to issue a security advisory for your products and do you wish to have CVEs assigned? Would you like to be a CVE
CNA? Maybe one approach to take with developing new CNAs could be focused around vulnerability requests received by MITRE.
Regardless of the approach we take it is obvious we need to discuss this and come up with a process to help not only improve the speed of the assignment but also the quality while at the same time reducing the number of assignments directly
made by MITRE. -- in Kent Landfield +1.817.637.8026 kent_landfield@mcafee.com From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of "Millar, Thomas" <Thomas.Millar@hq.dhs.gov> Question for NIST –
Would these CVEs also be catalogued in the NVD? Is there a QC step performed in the NVD analysis process that would sift these types of reports out? From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org]
On Behalf Of Carsten Eiram On Tue, Oct 24, 2017 at 12:12 AM, Coffin, Chris <ccoffin@mitre.org> wrote:
Please note that I’m not disputing those two CVEs as invalid. There is definitely some memory corruption occurring even if the vulnerability reporter doesn’t seem to realize that. I’m suggesting they’re quite likely duplicates and making
a point as to why treating unique crash locations as unique vulnerabilities is problematic. I also consider the descriptions quite poor and of little value w.r.t. covering the problem, since the issue would not be within ntdll.dll. As for disputing the many other duplicate, incorrect, or invalid issues reported by Lin Wang, please see my email in response to Art. Additional reasons for me not disputing those is both the volume and also the fact that you later state
in your response that MITRE plans to continue with these questionable assignments anyway. I see little point in cleaning up this mess just to have new issues introduced in a month or so. I will, however, later in this email give a few examples that you may consider as official disputes and statements of duplicate assignments.
Good. I think it is very important for us to have this discussion. For the sake of clarity, I am not proposing that all researchers should provide a PoC as a requirement to obtain a CVE. I propose it specifically for Lin Wang. It would
be a means for MITRE and third-parties to validate his reports, as they are questionable and lacking any proper information to determine what the problem really is - if there even is one. As we move forward, if vulnerability reporters seems unreliable or there
are disputes, we should flag them and as a first step require a PoC for an assignment unless there is vendor confirmation of the issue or similar.
Sure, a vulnerability reporter changing the information later is not something we can prevent. However, we can ensure CVE assignments are not given without extra vetting for questionable reports and vulnerability reporters.
While this may not be part of the process at MITRE, other parties - RBS included for our VulnDB solution - would be testing such PoCs and particularly for vulnerability reporters, who are considered unreliable. This would increase the chance
of getting those crowd-sourced disputes.
There is a balance with a federated model and ensuring data quality that needs to be recognized. We have previously seen first hand that the "community" is not willing or technically able to sufficiently "speak up" as required. As discussed in my original email, we can already expect vendor CNAs to do careful analysis. Vulnerability coordination / bug bounty CNAs would also be doing this, as they're not going to pay for an invalid report. Based on Kurt's response,
DWF has a process as well to at least question vulnerability reporters if requests look suspect or they consider the vulnerability reporter unreliable. Those bases seem covered. The researcher CNAs, who assign CVEs for their own findings, could be a problem, but I’d hope we can have some faith in their reports being accurate, since they’ve become a CNA. If it is later concluded that their reports are often wrong,
we’d should have a process to discuss their CNA status. That leaves MITRE and other/future CNAs in a similar non-vendor role. Even as this moves to more of a federated model, I do not see it preventing us from defining CVE assignment criteria for such CNAs that reduce the risk of CVE assignments
to questionable reports and vulnerability reporters.
We have at no point disputed that he is finding issues, but rather if the issues are in fact legitimate vulnerabilities, their severity, and risk of duplicates. However, just because one vendor thanked him for reporting something that may
or may not have been a vulnerability, we shouldn’t per default assume he's generally right. Even if a CVE board member in a technical role goes on the record and says his reports are highly problematic, unreliable, and in many cases wrong, MITRE would rather
disregard that and treat a vendor thank you as sufficient proof of his reports generally being correct?
Similar logic to above: Because one example shows that others could confirm his finding, he is generally right? Humoring that approach let me give two examples of where he is wrong, which should then make me doubly right that he's generally
wrong. 1) CVE-2017-15773 is a duplicate assignment of CVE-2017-15738. XnView and IrfanView use the same CADImage plugin, but while IrfanView uses the latest (12.0.0.5) 64-bit version, XnView's extended edition bundles an older 32-bit version (11.1.0.3).
He’s fuzzing two versions of the exact same product. For obvious reasons this causes the same bug to manifest in two different code locations and underlines why blindly treating each unique crash location as a unique vulnerability is problematic. Furthermore, the vulnerability reporter only claims a DoS as the impact, purely speculating that it could have some other unspecified impact too. It's an OOB read where there is no immediate indication that another impact could occur. We
can't rule it out (as we can't test it - no PoCs provided), but in such cases, we should consider it the responsibility of the vulnerability reporter to prove such claims. As all information provided only supports a crash due to an OOB read, this shouldn't
even have been assigned a CVE in the first place. Historically, crashes in client applications like these are considered stability bugs and nothing more. Other CNAs generally don't assign for them. Based on this example, could you please elaborate on MITRE's current policy w.r.t. assigning CVEs to issues in such client applications where there is no proof at all of a worse impact than a crash? This will help ensure consistency across
the board. Did you chose to assign CVEs for such issues solely because the vulnerability reporter suggested that other unspecified impacts could occur? Does MITRE in general considers such stability bugs to be within CVE assignment scope even if most vendor
CNAs and others in the industry do not? 2) CVE-2017-15777 is claimed to be a buffer overflow that allows code execution. There is no proof provided to suggest this. Instead it looks like a benign NULL pointer dereference error leading to a crash. it's even a first chance exception,
so the program could potentially handle it gracefully. Disassembling the affected library and checking the crash location supports that it's likely just a NULL pointer dereference error. While we can't rule out something bad(tm) happened prior to this that
caused memory corruption and overwrote memory with a NULL value, there is not a single shred of evidence for this. Again, I consider it the vulnerability reporter's responsibility to back his claims - especially when the crash output and code doesn't support
it. Therefore, this is an invalid claim. /Carsten |