Re: Issues for configuration problems in the CVE
At 1:13 PM -0400 7/16/99, Steven M. Christey wrote:
>Gene Spafford wrote:
> >When I first had a student (Taimur Aslam) look at classifications of
> >problems, configuration errors fell out as one category. However, we
> >found there were some ambiguities with user interface error, and
> >incorrect documentation. If something is misconfigured because the
> >documentation is unclear (or wrong), is that a bug? If so, where? In
> >the software that doesn't match the documentation, or in the
> >documentation that doesn't match the software?
>I see why the questions needs to be asked from a perspective of
>classification and explanation; however, I don't think this particular
>issue has much of an impact on the CVE. The configuration problem
>exists because of something a user did, regardless of how the user did
>it or why they did it. I believe that's sufficient for the CVE.
The documentation and online help message says "-s" is the security
mode switch. The user builds a config file to run with "-s".
However, it turns out that either the programmer got the logic
backwards, or the documentation is wrong, and "-s" turns the security
OFF. The result is a vulnerability.
Is that a bug or an operator error?
The system comes with default accounts with well-known passwords.
The operator does not notice these, and installs the system with the
accounts intact. This results in a vulnerability.
Is that an operator error?
The system comes with a program that installs patches. The vendor
releases a patch to a problem. The operator runs the program, and
in addition to installing the patch, it sets some directory
permissions and ownerships to new values that result in a
Is that a bug or operator error?
In each case, " The configuration problem exists because of something
a user did, regardless of how the user did it or why they did it," so
I would assume you would classify them all as operator errors.
However, all three are also vulnerabilities that are in some sense
"built in" by the vendor.
I would argue that #2 is the only one that is directly a user error.
Problems that occur because the operator should have know better if
he/she had read documentation and security literature fall in this
category. Vulnerabilities that result from hidden features, bugs,
bad documentation of features, etc are not.