
Re: Level of Abstraction Issue: Similar Applications, "Same" Vulnerability



Well, let me weigh in again.  I think Pascal covered most of my thoughts here.

If I send a huge flood of Christmas Tree packets to your network, and 
machines of all kinds crash because the underlying code didn't handle 
unusual combinations of option flags, would that be one CVE entry? 
Even if it crashed Windows, Unix, Mac, VMS and Cisco boxes alike?

Suppose I send a carefully crafted set of packets to your Linux box. 
Version 93.7 crashes, and version 93.8 lets me on as root.  The only 
difference between the two is that some code in the disk driver was 
changed.   Is this two CVE entries or one?

How would the IDS vendors count these?   If the CVE only has entries 
for attacks, and not for code base, will vendor XYZ advertise "We 
catch all 987 attacks in the CVE, plus another 100 that aren't 
listed!"

If you can answer all three questions, plus variants, with a set of 
well-defined rules, then you have the basis for abstraction decisions 
in the CVE.   Until you can, any decisions will be ad hoc.

Cheers,
--spaf

Page Last Updated or Reviewed: May 22, 2007