
RE: upcoming intel issue

Yes to all that.

Tom Millar, US-CERT

Sent from +1-202-631-1915
https://www.us-cert.gov

From: Coffin, Chris
Sent: Wednesday, January 03, 2018 11:46:59 PM
To: Kurt Seifried; Millar, Thomas
Cc: Art Manion; Landfield, Kent; cve-editorial-board-list
Subject: RE: upcoming intel issue

Agree that this is worthy of a discussion, special handling, and probably some documented guidelines. One thought is that the CNA should identify issues that affect other vendors and notify/coordinate where appropriate, or at the very least contact their parent CNA so that they can share the reserved CVE ID and some limited bit of detail.

It used to be the case that MITRE handled issues like this once public, though we have moved away from that in the past few years.

Regards,

Chris

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Kurt Seifried
Sent: Wednesday, January 3, 2018 5:35 PM
To: Millar, Thomas <Thomas.Millar@hq.dhs.gov>
Cc: Art Manion <amanion@cert.org>; jericho <jericho@attrition.org>; Landfield, Kent <Kent_Landfield@mcafee.com>; cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: upcoming intel issue

So some challenges with this one:

1) it is multiple issues

2) it affects multiple vendors at the root cause level

3) it affects multiple vendors with workaround/fix (e.g.... all the OSs, sigh)

So yes, it is correct to say that these 3 CVEs were from Intel's CNA and thus "owned" by Intel, but it's clear that literally every OS vendor on the planet that runs on x86 (and some others...) is going to need to deal with this, so from that perspective I think one could argue for more community "ownership" of the CVEs.

I know this is a challenge the DWF faces (e.g. Linux Kernel, glibc, lots of projects that are used by literally everyone), the best way I can/could think of to fix this was the JSON format with per vendor/product statements so everyone can have their own cake on their own table as it were. 

I also know MITRE has poked me in the past for high visibility CVEs, and I generally agree with this, so perhaps some guidelines should be created, e.g. around severity/popularity/impact (e.g. CVSS score of 9.0 or higher and more than 10 million affected instances should be high priority, or if it hits cnn.com AND the BBC AND Reuters... and if the original CNA doesn't get it in quickly some other CNA is allowed to).

On Wed, Jan 3, 2018 at 4:17 PM, Millar, Thomas <Thomas.Millar@hq.dhs.gov> wrote:

https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Art Manion
Sent: Wednesday, January 3, 2018 17:51
To: jericho <jericho@attrition.org>; Landfield, Kent <Kent_Landfield@McAfee.com>
Cc: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Subject: Re: upcoming intel issue

On 1/3/18 5:25 PM, Art Manion wrote:

> So first, what is the vulnerability (or vulnerabilities) -- things that warrant a CVE ID, and second who is responsible for assigning IDs?

https://meltdownattack.com/

CVE-2017-5715 CVE-2017-5753 CVE-2017-5754

Not immediately populated, so not sure what the distinctions are.

  - Art

--

Kurt Seifried
kurt@seifried.org


Page Last Updated or Reviewed: January 04, 2018