[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Question about CVE to vendor mappings

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have to agree with Russ on this...I would consider SP4 to be a
"safeguard" or "fix" albeit not always a "sure" fix {8>).  SP4 would
be the safeguard rollup, if you will, for the CVEs that affected MS NT
prior to SP4. SP4 would subsume the hotfixes issued to fix the
individual vulnerabilities.  So in this case multiple CVEs would still
exist but would hopefully be patched by applying SP4.  
The additional in-house discovered "vulnerabilities" that MS slips
fixes for into the SPs would have to be addressed as CVEs as we see
em.

It is early, last night was late....hope this makes sense
- -mike

- -----Original Message-----
From: Russ [mailto:Russ.Cooper@rc.on.ca]
Sent: Tuesday, June 29, 1999 5:07 PM
To: 'afrech@iss.net'; CVE Review List
Subject: RE: Question about CVE to vendor mappings


I wouldn't be thinking of, e.g., SP4 as a CVE. If you read the readme
files that come with each SP, they list out the individual entries in
the MS Knowledgebase that were addressed by the SP. These are not
duplicated (unless further issues arose with something previously
fixed,
like TCPIP.sys), and would be the closest thing to an individual
vulnerability. So SP4 would incorporate a list of all previous CVE
numbers that previous service packs address, plus, any new ones.
 
Of course a bigger issue, in the case of MS SPs, is the fact that
there
are quite a few fixes in an SP which are not documented in
public...;-[
 
Cheers,
Russ - NTBugtraq Editor
 
FYI...I have not been actively discussing these issues due to a lack
of
time right now. My conference starts tomorrow and, well, I'm still
trying to locate my underwear.
 
- -----Original Message-----
From: Andre Frech (ISS) [mailto:afrech@iss.net]
Sent: Tuesday, June 29, 1999 5:57 PM
To: CVE Review List
Subject: Question about CVE to vendor mappings


All,
 
During a recent debate on how we're going to fit the CVE into our
database structure, one of the DBAs commented on how a specific
vulnerability might not just have one CVE index, but several. Up to
now,
this group has discussed the potential of one CVE mapping to zero or
more records of a VDB, but the opposite has not been discussed before;
namely, a many-to-many relationship.
 
For example, "Windows NT 4.0 prior to Service Pack 4" involves many
potential CVEs, possibly subsuming the CVEs in SP3, 2, and 1. How
would
a vendor handle these, considering that it is probably out of the
scope
of the CVE to reconcile these entries?
 
I envision this question raising several points:
- - Can a vendor go about assigning multiple CVEs to a vulnerability or
check outside of the framework of the CVE?
- - Who verifies that the vendor is doing correct assignments?
- - Do CVE indices get subsumed in later patches (for example NT SP3 is
subsumed in SP4)? (My opinion on this one is 'no, they do not,' but
YMMV.
- - Can almost everything in a VDB get a CVE? I know there are rules on
what a 'vulnerability' is, but the draft CVE is a lot less stringent
about the definition than, say, the Common Criteria (CC).
 
I would appreciate your thoughts on this matter.
=====================================
Andre Frech
X-Force Security Research

afrech@iss.net
<?color><?param 0000,0000,ffff>
<?/color>Internet Security Systems, Inc.
678.443.6241 / fax 678.443.6479
www.iss.net

Adaptive Network Security for the Enterprise
===================================== 
 

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBN3oQaRIUaHPadf5hEQJ7bgCfQlI80JaXf2dT7GdMSsTVXL/QanAAoPkZ
cm/od1cgVf8mnrdNIUdsuJPD
=A/CW
-----END PGP SIGNATURE-----
Page Last Updated or Reviewed: May 22, 2007