Issues for configuration problems in the CVE
Some upcoming candidate clusters will start getting into the
Configuration problem (CF) category vulnerabilities of the draft CVE.

I believe that there is a fundamental difference between software
flaws and configuration problems that the security community hasn't
really discussed. Much of the academic work for security is
specifically focused on software flaws; there is no taxonomy work for
configuration problems that I'm aware of. The explosion in the number
of checks by security tools (at least network-based) is primarily due
to configuration, according to the tool mappings I've done.

There is likely to be strong debate as to how many of these
configuration problems really fit the definition of "vulnerability" in
the first place, instead of "policy violation." Those debates
(including whether "policy violation" is also a vulnerability) are
delayed until later, when we move to High controversy clusters.

Initially, I'm going to focus on configuration problems that we should
all be able to agree are definitely vulnerabilities, such as
downloading the password file through TFTP, exporting / through NFS,
NT admin or root without a password, or having a boot script be
writable by anyone.

Software flaws are much more concrete. You can point to a particular
line of code and say, "there's the problem." If there's another line
of code that's somewhere else, you can say "that's a different
problem." It's not so clear with configuration problems. Windows NT
poses unique challenges in this arena due to its many privileges,
access rights, user and group roles, etc.

In the Same Attack/Same Codebase discussion, we were debating whether
something was 1 vulnerability or 5. In some cases, the content
decisions we make with respect to configuration problems will
determine whether we have 1 vulnerability or 50. There are 3
particular configuration problems in the CVE that could easily turn
into a total of 90.

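As an added example (not part of the original post), here are the four configuration problems named above, the password file reachable over TFTP, / exported through NFS, an administrative account with no password, and a world-writable boot script, written as defensive audit checks in Python over constructed sample data. The exports file, passwd fragment, boot-script modes and TFTP settings are all made up here, and the `secure` flag standing in for a TFTP daemon's restricted-directory mode is an assumption. The block also shows the cardinality question in practice: each world-writable boot script becomes its own finding, whereas the root export is reported as one problem class.

```python
"""Configuration-problem audit over constructed sample data.

Added example, not part of the original mailing-list post. It encodes the
four configuration problems the post names as checks and shows how one
class of problem (world-writable boot scripts) yields one finding per
instance. All inputs below are constructed samples, not from a real host.
"""
import stat

# Constructed /etc/exports: the first entry exports the root filesystem to everyone.
SAMPLE_EXPORTS = """\
# sample exports file (constructed)
/        *(rw,no_root_squash)
/home    10.0.0.0/24(rw)
/srv/pub *(ro)
"""

# Constructed /etc/passwd fragment: root and 'guest' have empty password fields.
SAMPLE_PASSWD = """\
root::0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
guest::1001:1001:guest:/home/guest:/bin/sh
alice:x:1000:1000:alice:/home/alice:/bin/sh
"""

# Constructed boot-script modes (path -> st_mode) standing in for os.stat() results.
SAMPLE_BOOT_SCRIPTS = {
    "/etc/rc.d/rc.local": 0o100666,    # world-writable
    "/etc/rc.d/rc.network": 0o100644,
    "/etc/rc.d/rc.sysinit": 0o100777,  # world-writable
    "/etc/rc.d/rc.tftp": 0o100755,
}

# Constructed TFTP settings (assumption): 'secure' models a daemon confined to
# its served directory; without it, any readable file such as /etc/passwd is served.
SAMPLE_TFTP = {"root": "/", "secure": False}


def parse_exports(text):
    """Return (path, clients, options) tuples from exports(5)-style text."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        path = parts[0]
        for spec in parts[1:]:
            clients, _, opts = spec.partition("(")
            options = opts.rstrip(")").split(",") if opts else []
            entries.append((path, clients, options))
    return entries


def root_exports(text):
    """Entries that export '/'; one problem class however many client specs."""
    return [e for e in parse_exports(text) if e[0] == "/"]


def empty_password_accounts(text):
    """Account names whose passwd password field is empty (no password required)."""
    hits = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            hits.append(fields[0])
    return hits


def world_writable_scripts(modes):
    """Paths whose mode grants write to 'other'; each path is a separate finding."""
    return sorted(p for p, m in modes.items() if m & stat.S_IWOTH)


def tftp_exposes_passwd(settings):
    """True when the TFTP daemon is unconfined or its served directory is '/'."""
    return (not settings["secure"]) or settings["root"] == "/"


def audit(exports=SAMPLE_EXPORTS, passwd=SAMPLE_PASSWD,
          scripts=SAMPLE_BOOT_SCRIPTS, tftp=SAMPLE_TFTP):
    """Collect (kind, detail) findings; the list length shows the fan-out."""
    findings = []
    for path, clients, opts in root_exports(exports):
        findings.append(("nfs-root-export", f"{path} -> {clients} ({','.join(opts)})"))
    for user in empty_password_accounts(passwd):
        findings.append(("empty-password", user))
    for path in world_writable_scripts(scripts):
        findings.append(("world-writable-boot-script", path))
    if tftp_exposes_passwd(tftp):
        findings.append(("tftp-passwd-readable", tftp["root"]))
    return findings


if __name__ == "__main__":
    for kind, detail in audit():
        print(f"{kind}: {detail}")
```

Run against the built-in samples it reports six findings: one root export, two empty-password accounts, two world-writable boot scripts and one TFTP exposure. Whether the two scripts count as one CVE entry or two is exactly the content decision the post is raising; the checker only makes the instances visible.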
So, we have a much more serious scalability problem here than we do
with software flaws. Combined with our relative lack of understanding
of these types of problems, I believe we should strongly consider the
implications of these content decisions. While I don't believe we
should artificially restrict the cardinality of configuration problems
to that of software flaws within the CVE, we should be extremely
careful of allowing a poorly understood class of vulnerabilities to
dominate the CVE, which should reflect mature information formed by

The next week or two will focus on candidate clusters for
configuration problems. I look forward to the discussions.