RE: upcoming intel issue
I also received an undeliverable for Kent's McAfee address yesterday.
The Intel CNA provided the details and the CVEs were added to the
master list this morning.
http://cvedev1.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
http://cvedev1.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://cvedev1.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754
Chris
-----Original Message-----
From: Landfield, Kent [mailto:Kent_Landfield@McAfee.com]
Sent: Wednesday, January 3, 2018 8:31 PM
To: Kurt Seifried <kseifried@redhat.com>
Cc: Millar, Thomas <Thomas.Millar@hq.dhs.gov>; Coffin, Chris
<ccoffin@mitre.org>; Kurt Seifried <kurt@seifried.org>; Art Manion
<amanion@cert.org>; cve-editorial-board-list
<cve-editorial-board-list@lists.mitre.org>
Subject: Re: upcoming intel issue
Interesting... I seem to be getting them.
Kent Landfield
Kent_Landfield@McAfee.com
+1.817.637.8026
> On Jan 3, 2018, at 8:28 PM, Kurt Seifried <kseifried@redhat.com>
> wrote:
>
> Just a note at least one of my emails got bounced by McAfee's system
> as spam. Not sure if anyone else's system ate it.
>
>> On Wed, Jan 3, 2018 at 4:53 PM, Millar, Thomas
>> <Thomas.Millar@hq.dhs.gov> wrote:
>> Yes to all that.
>>
>> Tom Millar, US-CERT
>>
>> Sent from +1-202-631-1915
>> https://www.us-cert.gov
>>
>> ________________________________
>> From: Coffin, Chris
>> Sent: Wednesday, January 03, 2018 11:46:59 PM
>> To: Kurt Seifried; Millar, Thomas
>> Cc: Art Manion; Landfield, Kent; cve-editorial-board-list
>> Subject: RE: upcoming intel issue
>>
>> Agree that this is worthy of a discussion, special handling, and
>> probably some documented guidelines. One thought is that the CNA
>> should identify issues that affect other vendors and
>> notify/coordinate where appropriate, or at the very least contact
>> their parent CNA so that they can share the reserved CVE ID and some
>> limited bit of detail.
>>
>> It used to be the case that MITRE handled issues like this once
>> public, though we have moved away from that in the past few years.
>>
>> Regards,
>>
>> Chris
>>
>> From: owner-cve-editorial-board-list@lists.mitre.org
>> [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of
>> Kurt Seifried
>> Sent: Wednesday, January 3, 2018 5:35 PM
>> To: Millar, Thomas <Thomas.Millar@hq.dhs.gov>
>> Cc: Art Manion <amanion@cert.org>; jericho <jericho@attrition.org>;
>> Landfield, Kent <Kent_Landfield@mcafee.com>;
>> cve-editorial-board-list
>> <cve-editorial-board-list@lists.mitre.org>
>> Subject: Re: upcoming intel issue
>>
>> So some challenges with this one:
>>
>> 1) it is multiple issues
>>
>> 2) it affects multiple vendors at the root cause level
>>
>> 3) it affects multiple vendors with workaround/fix (e.g.... all the
>> OSs, sigh)
>>
>> So yes it is correct to say that these 3 CVEs were from Intel's CNA
>> and thus "owned" by Intel, but it's clear that literally every OS
>> vendor on the planet that runs on x86 (and some others...) is going
>> to need to deal with this, so from that perspective I think one could
>> argue for more community "ownership" of the CVEs.
>>
>> I know this is a challenge the DWF faces (e.g. Linux Kernel, glibc,
>> lots of projects that are used by literally everyone); the best way I
>> can/could think of to fix this was the JSON format with per
>> vendor/product statements so everyone can have their own cake on
>> their own table as it were.
>>
>> I also know MITRE has poked me in the past for high visibility CVEs,
>> and I generally agree with this, so perhaps some guidelines should be
>> created, e.g. around severity/popularity/impact (e.g. CVSS score of
>> 9.0 or higher and more than 10 million affected instances should be
>> high priority, or if it hits cnn.com AND the BBC AND Reuters... and
>> if the original CNA doesn't get it in quickly some other CNA is
>> allowed to).
>>
>> On Wed, Jan 3, 2018 at 4:17 PM, Millar, Thomas
>> <Thomas.Millar@hq.dhs.gov> wrote:
>>
>> https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
>>
>> -----Original Message-----
>> From: owner-cve-editorial-board-list@lists.mitre.org
>> [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of
>> Art Manion
>> Sent: Wednesday, January 3, 2018 17:51
>> To: jericho <jericho@attrition.org>; Landfield, Kent
>> <Kent_Landfield@McAfee.com>
>> Cc: cve-editorial-board-list
>> <cve-editorial-board-list@LISTS.MITRE.ORG>
>> Subject: Re: upcoming intel issue
>>
>>> On 1/3/18 5:25 PM, Art Manion wrote:
>>>
>>> So first, what is the vulnerability (or vulnerabilities) -- things
>>> that warrant a CVE ID, and second who is responsible for assigning
>>> IDs?
>>
>> https://meltdownattack.com/
>>
>> CVE-2017-5715 CVE-2017-5753 CVE-2017-5754
>>
>> Not immediately populated, so not sure what the distinctions are.
>>
>> - Art
>>
>> --
>>
>> Kurt Seifried
>> kurt@seifried.org
>
> --
>
> Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995
> 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security
> contact: secalert@redhat.com