Issues for configuration problems in the CVE
Some upcoming candidate clusters will start getting into the Configuration Problem (CF) category of vulnerabilities of the draft CVE. I believe that there is a fundamental difference between software flaws and configuration problems that the security community hasn't really discussed. Much of the academic work for security is specifically focused on software flaws; there is no taxonomy work for configuration problems that I'm aware of. The explosion in the number of checks by security tools (at least network-based) is primarily due to configuration, according to the tool mappings I've done.

There is likely to be strong debate as to how many of these configuration problems really fit the definition of "vulnerability" in the first place, instead of "policy violation." Those debates (including whether "policy violation" is also a vulnerability) are delayed until later, when we move to High Controversy clusters. Initially, I'm going to focus on configuration problems that we should all be able to agree are definitely vulnerabilities, such as downloading the password file through TFTP, exporting / through NFS, NT admin or root without a password, or having a boot script be writable by anyone.

Software flaws are much more concrete. You can point to a particular line of code and say, "there's the problem." If there's another line of code that's somewhere else, you can say, "that's a different problem." It's not so clear with configuration problems. Windows NT poses unique challenges in this arena due to its many privileges, access rights, user and group roles, etc. In the Same Attack/Same Codebase discussion, we were debating whether something was 1 vulnerability or 5. In some cases, the content decisions we make with respect to configuration problems will determine whether we have 1 vulnerability or 50. There are 3 particular configuration problems in the CVE that could easily turn into a total of 90.

So, we have a much more serious scalability problem here than we do with software flaws. Combined with our relative lack of understanding of these types of problems, I believe we should strongly consider the implications of these content decisions. While I don't believe we should artificially restrict the cardinality of configuration problems to that of software flaws within the CVE, we should be extremely careful about allowing a poorly understood class of vulnerabilities to dominate the CVE, which should reflect mature information formed by consensus.

The next week or two will focus on candidate clusters for configuration problems. I look forward to the discussions.

- Steve
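As an added illustration, not part of Steve's message or of the CVE project's own material, the following Python audit checks for the four "definitely a vulnerability" configuration problems the message lists: an account with no password, an NFS export of /, a TFTP server that is not confined to a directory (so it could serve the password file), and a world-writable boot script. The configuration fragments and file modes are constructed samples, the file formats are the classic Unix passwd, exports and inetd.conf layouts, and the assumption that `-s` is tftpd's chroot ("secure") option is stated in the code.

```python
import stat

# Constructed sample fragments; none of these come from a real host.
SAMPLE_PASSWD = """root::0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
alice:$1$abcd$efghijkl:1000:1000:Alice:/home/alice:/bin/sh
"""

SAMPLE_EXPORTS = """/export/home  *(rw)
/             (rw)
/usr/share    *.example.com(ro)
"""

SAMPLE_INETD = """ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
tftp    dgram   udp  wait    root  /usr/sbin/tcpd  in.tftpd
"""

# Constructed st_mode values for hypothetical boot scripts (path -> mode).
SAMPLE_MODES = {
    "/etc/rc.d/rc.local": 0o100777,   # world-writable
    "/etc/rc.d/rc.sysinit": 0o100755,
}


def empty_password_accounts(passwd_text):
    """Accounts whose password field (second colon-separated field) is empty.

    An 'x' or '*' means the hash lives in a shadow file; only a literal
    empty field is a password-less login.
    """
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 7 and fields[1] == "":
            hits.append(fields[0])
    return hits


def root_exports(exports_text):
    """Export lines whose exported path is the filesystem root."""
    hits = []
    for line in exports_text.splitlines():
        tokens = line.split()
        if tokens and not line.startswith("#") and tokens[0] == "/":
            hits.append(line)
    return hits


def unrestricted_tftp(inetd_text):
    """True if tftpd is enabled in inetd.conf without the -s (chroot) option.

    Assumption: as in BSD tftpd and tftpd-hpa, -s restricts the daemon to a
    directory; without it the daemon can hand out files such as /etc/passwd.
    """
    for line in inetd_text.splitlines():
        fields = line.split()
        if len(fields) >= 7 and fields[0] == "tftp":
            server_args = fields[6:]
            if "-s" not in server_args:
                return True
    return False


def world_writable(modes):
    """Paths whose mode bits grant write permission to 'other'."""
    return [path for path, mode in modes.items() if mode & stat.S_IWOTH]


def audit(passwd_text, exports_text, inetd_text, modes):
    """Run all four checks and return the findings keyed by check name."""
    return {
        "empty_password_accounts": empty_password_accounts(passwd_text),
        "root_exports": root_exports(exports_text),
        "unrestricted_tftp": unrestricted_tftp(inetd_text),
        "world_writable_boot_scripts": world_writable(modes),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_PASSWD, SAMPLE_EXPORTS,
                               SAMPLE_INETD, SAMPLE_MODES).items():
        print(f"{check}: {result}")
```

Each check is a one-line yes/no on a single configuration item, which is exactly the counting problem the message raises: the same audit could be reported as one finding ("insecure configuration"), four, or one per affected account, export and script.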