Re: So some blindspots that came up as a result of CVE for service discussion

To: Lisa Olson <elolson@microsoft.com>, Kurt Seifried <kurt@seifried.org>, cve-editorial-board-list <cve-editorial-board-list@mitre.org>
Subject: Re: So some blindspots that came up as a result of CVE for service discussion
From: Art Manion <amanion@cert.org>
Date: Tue, 11 Dec 2018 19:35:56 -0500
Authentication-results: spf=neutral (sender IP is 198.49.146.235) smtp.mailfrom=cert.org; imc.mitre.org; dkim=test (signature was verified) header.d=cert.org;imc.mitre.org; dmarc=pass action=none header.from=cert.org;
Autocrypt: addr=amanion@cert.org; keydata= xsFNBFoV8GMBEACXd7zH23Gx/W77Gr3Hs+n+BTtEt7IP0jU26vM9i4ASGewrIFZaRIOgL964 xX7Qk1wvxLl8HvUomLNHsJIZYG4EKcNkEfREO7lTx/3nYhG3wjF0DcHYuLwUkwAS3N6p9PQ7 bvEsXZMbfG0L8ASgRy0h4dWg+XGV4xT64REsIlzSsclVaHKTvP7FAMCDG70L/2wc+w24RAzs TYhfxLp4w8TBaVj/pONm+EDGVtK5u4LPLpLS0xmlGxgKP9mYSYAF3j44msAsbsuFPfWTa8JU s9yASol4pMECH24Cp3snHlSNHMl1APfVz3Xsfw5x/mekgCAPcGCARhA9ltRHLYgVMr1JCYZW JdyUB0UEiY0xvlb5JYfCFJm4fL8E2xoW/ATmDIxkU0qguL55AD2VYEwbWEsiP725YMSKBDaC cGH9fa2iuSxnflui6wR4K+FOjXfB2nF561q+HjlRb6bahdkYzWccX4fx3dSlZ6w62qRFNKAE 5zUfe2ZHwis9Bx9iqIp7Ini/sZ3ESJgMr7qlSSkYl10Esdl5CyFyxQ5g/LgzOlywdHazju13 /ckVBPo5vz9ZPOmafiUDSz6R/kbC0+nCrJSjIBvDfBWG7Gl2gon4HqB4Ji6r3+gFEFFJl+O/ PwID6Wh0jAjTQWvD+5L/vFTZ3/875Q2OcoxL9Hh4ls5ptg+7uwARAQABzR1BcnQgTWFuaW9u IDxhbWFuaW9uQGNlcnQub3JnPsLBkQQTAQgAOwIbAwIeAQIXgAULCQgHAwUVCgkICwUWAgMB ABYhBBHNrv2hhwlGumhcAVNt4uTRu2rfBQJaFmXUAhkBAAoJEFNt4uTRu2rfY1IP/j8cjh38 B0mnEo0Lk27r/mYRQhj2Yk/ClsAuPWea56BGAswtW2Q6g6DswcinjvTxrycSqAfpj2ZQP9Rx Ib/FsfozF5bC7Ja5/W4amH1NcTr/cE+sgKX3XZcRlOIrw2d0jmS1SAtDWPWn4zTYKoR7cbDz BAAABLb8/xQn7YFgf8nKQ4ZM0yOTUOnF7wG42UU0Y0ww3b+x2/ZMys0ntpz4ZSOgVJlun2xP WgFzkHu/fEJkVTPkZQweRULIGeFJBzuJP46+FMy6PJFZ/ZudzLy/VBMVAxA/yOszLbRvsl6z 3prRMgI+fJF/11ohRVQ5DWzS4AmfnI9RP6aOlUgEi4MYMcbYKrYGwguhGOpdg5iaO6ir4mhd OMcKLeV0ZqSef0ZpXTLQiTzWuFg9ECof5OCK/Y2VQ2EXyWIi7q4OPTFFoZBl2keoF6j0k272 PCYfJZIzq/ER9mfoH1+7nmIxvZ+XXQ6EoCCPv6le8VKQyZOFVgjD5rPvCeGZgAs9CRbfqYNm bF3jqeMk4kZbJ/+GsKv66M4R0VI2DijOLNF1kGXeU6s45lUBZmcT0Fb2MQ78rNItpeUP+XYj fpB0g/woOIstbSoOqpVZf++HIjnmMHj9jJrbFcMVIPac89EDcjbab3zPTMb5LHdk6AxMsWRM QqxofqoqqzNI7RiKisaDQhINXRwAzsBNBFoV8roBCADZKC4LLl6XhVvHCZZIwa9t2e+swdln YRtxwG1TDRxM1PaV7VDzB9K1FMRDC9CQQmiwI+Vl2j0Kn3BUvkCp3zmP+S7CRgK2vfP1GBAs CURE6j6M7S47qOhQvAvJK0qlF14tCBSX16CceGFV0XzfOUnQGt6m8AnVTr7WODilYsJPWUrj xLe3cKQJs7zk3iMLH1lJ7jNXlAQUgrTurVD7sl6PbKgbmDw3tIgXwep7tMOUzpiN4vCPALA+ WYL+0VxE03TZj/FqNzNrjoKXw+X3za675QnLsXww2cgLBV0Zjg3HZVDT5/0LlQjYqPnaWh3s ZG8uRJ104Thx1JVFLN4+8aDrABEBAAHCwXwEGAEIACYWIQQRza79oYcJRrpoXAFTbeLk0btq 3wUCWhXyugIbDAUJBaOagAAKCRBTbeLk0btq3zHYD/4vvS0lul3UKWGeRsVb33Y3eJ1yv4O3 EpBtmkVgCyxdG3zj8YrI15DCzhn6LSN3FqjV+wovE3SsxIrRjn7eoBA6SH54KlFRrW7pAARc NQaHFU+nX6ST6X3pOoNYzhXPZjkxoUpxyC+ehNARx+3tlQ0LScEr0L5Ttvr8W7nopWaXeuCt VI+8tjDnsCtWLaI2bYi3TYWDJdgWzNFSGYioqIxvQHIpokFZAx6fTKtEYaAqqg2cefRDgNoU bMcHmNtVMAXThLdNAx23F/sv2gV9a612ktCwl6hjKu1vuK4KGnhQu1T/oRk5EUA8jy5yBB6/ S5jwYbZR01EriZXSTXwT/gJcThBIXH8i9/4lUwdhV8+iBP/Pomhs8D7dPU7q1fUYlvVxn8iN K7IFoWdptGv+bhdNsf/qWGxVxOHwTAipr73Fl3eC5RovVM2aAK2Bx6xQFXlh4uPcI/S0gIPG tytClYZxtbXKM3qVhUTZgg1Ge6MgtgJkKWttzRciW0N9t5pZ/IbH7ax0NUv2hjHovGBXhuQb cVAEgmx90iyx9iRizCpgr3JyDNtKX+bc26aGI+mFOdiawp2HihhSazqiEpuNrxlQVWgMgmXa RduAg8L9z2CshZ6Zkcmwea79r8yDsBbwfJEZ71T0WWyfm1UcRVflPFAYb9xE8Ulgh8BQzw// z7Y5Lw==
Delivery-date: Wed Dec 12 07:40:28 2018
Dkim-filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu wBC0a2Pk047076
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1544574962; bh=RKPZ5KjCSClSwIDh6LWywEOOQiJU0W/mo+iol28U/Nk=; h=Subject:To:References:From:Date:In-Reply-To:From; b=bhkROk+zFFCz9a8tuf8zqpDMJPUzA7I0+17EZCocsn1jOwEmQIZz6SEQrTWMXlq0S F2XNRACqHTho2N0nZTvCxXdEyESAB4rl0h6SdCFPsk5qzz4D8b/KSbnO1g823HC3Fe 1+p2I15VRbwfW9MxgLDBHQNFf5RhfQtoM5dq/9/U=
In-reply-to: <MWHPR21MB086477D7DF851DAF614C0B93B9CD0@MWHPR21MB0864.namprd21.prod.outlook.com>
Openpgp: preference=signencrypt
References: <CABqVa3_GT0qr2Y2Svn3J8_s0rJGELSrXTOnDL0PaO1GoRdd5=Q@mail.gmail.com> <MWHPR21MB086477D7DF851DAF614C0B93B9CD0@MWHPR21MB0864.namprd21.prod.outlook.com>
Spamdiagnosticmetadata: NSPM
Spamdiagnosticoutput: 1:99
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.2.1

On 10/31/18 1:20 PM, Lisa Olson wrote:

I’ve been brainstorming with colleagues here are Microsoft.  The 
attached document distills our thoughts and provides some examples.


I'm generally in favor of at least allowing CVEs to be issues for 
service vulnerabilities.  My stance is:

CVE is about vulnerability identification (naming, enumeration) -- 
everything else is extra.

I'm OK with a fairly loose definition of "vulnerability" and basically 
no restrictions on product, service, IoT, safety critical thing -- any software 
system is in scope.

If it's close enough to being a vulnerability and more than two people 
want to talk about it, an ID is a good idea.  Remember that other 
Facebook vulnerability, no not the one Kurt was talking about, the 
second of the three used in the big compromise?

OTOH, I'm not immediately OK with assigning a CVE to a cloud breach.  
While I'll accept a loose definition of vulnerability, having no 
evidence of a vulnerability is, well, not enough to assign a CVE.  We 
rarely know the root causes of most large/public breaches.

I'm OK with users/customers needing to take action, users/customers being able to 
do better forensic/incident investigations, and even "someone wanted to 
assign a CVE for a service vulnerability and followed the CVE practices 
correctly."

There was some discussion about a "service" flag, which I'm OK with, 
but it does open the door to classifying vulnerabilities, which gets messy very 
quickly.

 - Art

Follow-Ups:
- Re: So some blindspots that came up as a result of CVE for service discussion
  - From: Kurt Seifried <kurt@seifried.org>

Prev by Date: CVE Board Meeting summary – 28 November 2018
Next by Date: assignment question
Previous by thread: CVE Board Meeting summary – 28 November 2018
Next by thread: Re: So some blindspots that came up as a result of CVE for service discussion
Index(es):
- Date
- Thread