CVE Validation Plan: Candidate Clusters
All:

Sorry for the continued delays with respect to getting some candidate vulnerabilities out there for discussion. I spent an extra day or two trying to refine everything, and I think I've got a better handle on the most effective approach for verifying these initial 650 vulnerabilities.

It's difficult to schedule for when all these vulnerabilities should be reviewed. I will attempt to do so over the next week or so, partially based on how things go for the first few groups of vulnerabilities.

I am placing the current CVE vulnerabilities into 3 categories, based on how much discussion I think they will generate:

1) LOW controversy - vulnerability reflects all vulnerability databases I've seen; may need to make some minor changes to a description, add a reference, etc. Vulnerability is well-known and often has a reference to an advisory posted by a reputable organization. Vendors probably don't need to have seen their tool mappings to decide whether they "like" these or not.

2) MEDIUM controversy - reflects a content design decision that may conflict with some vulnerability databases, but which I believe is "reasonable"; some may not be vulnerabilities according to some definitions, although they are CVE vulnerabilities and I believe they would be generally accepted; some vulnerabilities may look very similar (and may be duplicates, or require significant description rewrites); or the vulnerabilities may be more obscure, without much supporting information (e.g. references). Vendors may need to have seen their tool mappings in order to decide on these.

3) HIGH controversy - may have a significant difference with some/most vulnerability databases; may not be considered vulnerabilities by many Editorial Board members, although they are CVE vulnerabilities (thus, the CVE vulnerability definition itself may be debated); most likely to be split, merged, or deprecated.

4) UNKNOWN - generally, newly discovered vulnerabilities (Jan-April 1999) whose only discussion was on the Bugtraqs, thus may not be confirmed.

Note that if you agree with the content decisions as described in the tech paper I included when I provided you with the CVE data, there shouldn't be too many problems with vulnerabilities I've called medium/high controversy.

The vulnerabilities in the current version of the CVE break down as follows:

Low controversy - 287
Medium controversy - 175
High controversy - 156
Unknown - 67

As discussed previously, I will present each vulnerability as a candidate, in order to begin to flesh out the candidate discussion process (see another document on that). The candidate number will be equivalent to the CVE number (in version 199904290013), i.e. CAN-1999-00345 will be the same as CVE-00345 in your CVE distribution.

I will first propose the Low candidates, then the Medium, then the High, then finally the Unknown. Once we get to the Unknown candidates, we will have settled on most content decisions, but we will have to start learning how to deal with "uncertain" information. We can use our experience with Unknown vulnerabilities to start bringing in new, up-to-date vulnerabilities.

I have grouped vulnerabilities into "candidate clusters" so that each cluster reflects a particular CVE content decision, or some other unifying characteristic. That way, we can all debate the higher level content decisions and adapt (or adopt) the candidates accordingly.

Below are the candidate clusters. While there is overlap between these clusters, they do follow a certain logic that I can't necessarily translate easily into text. To those of you who want to scream bloody taxonomy, the purpose of these clusters is ONLY to facilitate discussion of the initial CVE.

These candidate clusters will be proposed in roughly the order they are presented below, according to a schedule that hasn't been fleshed out yet.
======================
Name: CERT
Controversy: Low
Number of candidates: 61
Some (not all) of the vulnerabilities reported in CERT advisories of the past few years.

======================
Name: NT-LOW
Controversy: Low
Number of candidates: 19
Some (not all) NT vulnerabilities.

======================
Name: VEN
Controversy: Low
Number of candidates: 65
Some (not all) vulnerabilities with advisories by the OS vendor.

======================
Name: BUF
Controversy: Low
Number of candidates: 33
Some (not all) buffer overflows in single applications.

======================
Name: CGI
Controversy: Low
Number of candidates: 32
Some (not all) CGI/web programs.

======================
Name: DENY
Controversy: Low
Number of candidates: 19
Some (not all) denial of service.

======================
Name: REST-LOW
Controversy: Low
Number of candidates: 53
The rest of the Low controversy vulnerabilities. Some may have limited or no references but appear in multiple vulnerability databases or come from advisories from well-known vulnerability analysts.

======================
Name: REFS
Controversy: Medium
Number of candidates: 68
Vulnerability has limited references (most likely just to the X-Force database); are we certain these are vulnerabilities?

======================
Name: DESC
Controversy: Medium
Number of candidates: 9
Need improved descriptions; either the source(s) were too vague, or my sources were private databases (e.g. tools) so I couldn't use them as references.

======================
Name: MULT
Controversy: Medium
Number of candidates: 35
Multiple executables split into multiple vulnerabilities, but some might want to roll them up; *or*, multiple programs with same function; *or*, same application but multiple operating systems.

======================
Name: PASS
Controversy: Medium
Number of candidates: 15
Configuration problems related to passwords.

======================
Name: NT-CONFIG
Controversy: Medium
Number of candidates: 15
Configuration problems related to Windows NT.

======================
Name: SERVICE-DESIGN
Controversy: Medium
Number of candidates: 12
A service is running that has inherent security flaws or is useful for information gathering.

======================
Name: REST-MED
Controversy: Medium
Number of candidates: 21
The rest of the Medium controversy vulnerabilities.

======================
Name: LOA
Controversy: High
Number of candidates: 16
Potentially controversial level of abstraction decisions.

======================
Name: PROT-FLAW
Controversy: High
Number of candidates: 17
Protocol flaws that don't necessarily have solutions.

======================
Name: NOVULN
Controversy: High
Number of candidates: 46
May not be regarded as a vulnerability by many people.

======================
Name: NETCONF
Controversy: High
Number of candidates: 13
Network/router configuration problems.

======================
Name: DATA
Controversy: High
Number of candidates: 21
Data access/permissions problems.

======================
Name: IDS
Controversy: High
Number of candidates: 6
Limitations (implementation or design) of IDSes.

======================
Name: SRUN
Controversy: High
Number of candidates: 37
A well-known service with a history of problems is running.

======================
Name: Unknown
Controversy: Unknown
Number of candidates: 66
"Unknown" or unverified vulnerabilities. Possibly gleaned from Bugtraq postings, but without any (or much) external confirmation from other sources.