[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Which "Codebases" do these candidates really split into?

Hash: SHA1

I agree with Pascal,
This is sort of along the lines of "same attack/same vulnerability"
and it fits well in that category (if you round the edges off a bit
and use a big hammer).  If we split the CVEs too much, we wind up with
multiple CVEs relating to a singularly known vulnerablity, as in
Pascal's Ping O'Death example.  There aren't multiple Ping O'Deaths
vulnerabilities, there is one affecting multiple components (os,
firmware, etc).  Now , it may affect each of them slightly differently
depending on the codebase, but the overall affect is a Denial of
I realize that the decision was made to use the "same codebase/same
vulnerability" method in assigning CVEs but it doesn't always make the
most sense in every instance.  My opinion!

- -mike
- -----Original Message-----
From: Pascal Meunier [mailto:pascalm@CUP.HP.COM]
Sent: Sunday, July 18, 1999 6:41 PM
To: cve-editorial-board-list@lists.mitre.org
Subject: Re: Which "Codebases" do these candidates really split into?

This discussion is exactly what I was afraid of when we were
codebases, and I think it will happen again and again.  Codebases are
abstract, ambiguous notions, and the result could be an ambiguous CVE.

Let me throw something in the air and see if it will fly.  We have
thinking along the lines of "one CVE entry = one vulnerability".
could we represent more than one vulnerability instance by a CVE
entry?  We
already have done so with the password CVE entries (Cluster 18 -
think of those as "Exploding" CVE entries.  That is, think of each CVE
entry as a compact notation for unambiguously signifying the existence
several vulnerabilities, specified with a list of *different
instances* of
the same problem.  Could we not use this over all the database?  It
may be
understood that each OS, distribution (with version numbers, please!)
has a
different vulnerability that fits the observables in the description.

Hence, the  Ping o' Death entry could look like:
Candidate: CAN-1999-0128
Reference: XF:ping-death
Reference: CERT:CA-96.26.ping

Oversized ICMP ping packets can result in a denial of service,
aka Ping o' Death.

- -Digital Unix 3.0x, 3.2x, 4.0, 4.0a and products based on these
- -FreeBSD v prior to 2.1.6
- -HPUX 9.x, 10.00-10.20,
- -AIX 3.2, 4.1, 4.2
- -Linux kernels prior to 2.0.27
- -OSF/1 prior to R1.3.3
- -SCO OpenServer 5.0.0, 5.0.2
	SCO Internet FastStart 1.0.0, 1.1.0
	SCO Open Desktop 3.0
	SCO TCP/IP 1.2.1 on SCO Unix System V/386 Release 3.2 Version 4.2
- -Solaris, unpatched versions prior to 5.51

I think it would be a waste of bits to have a dozen different CVE
for this, while the sub-enumeration unambiguously specifies that the
underlying code may be different.

>On Mon, Jul 12, 1999 at 09:52:28PM -0500, Gene Spafford wrote:
>| >Candidate: CAN-1999-0128
>| >Reference: XF:ping-death
>| >Reference: CERT:CA-96.26.ping
>| >
>| >Oversized ICMP ping packets can result in a denial of service,
>| >aka Ping o' Death.
>| >
>| >
>| > Digital Unix, FreeBSD, HPUX, AIX, IRIX, Linux, OSF/1, SCO,
>| >
>| >QUESTION: is the appropriate codebase "Unix"?  Or do we separate
>| >into BSD and System V?  Or each individual OS?
>| Systems that used the old BSD IP stack have this problem.   The
>| stack was developed independently, as was (I believe) AIX.   All of
>| the others derived from the same underlying IP code.   However,
>| one has undergone quite a bit of change.
>| MacOS is also vulnerable in some versions.   I believe VMS and
>| NextStep were too.
>| So here we have the problem of defining "same."
>| Me feeling would be to split out each independent OS unless we know
>| they use the same underlying code.
>It seems clear to me that the relevant logic that leads to the system
>crashing while processing ICMP have not changed.  My definition of
>codebase change and Spaf's seem to be different.
>We agree on expresserve, which I've elided, and disagree on rlogin:
>| >  With rlogin being an old program and so many Unices being
>| >  do we say this is just one codebase?  What does it tell us (if
>| >  anything) to see that the problem had already been fixed in
>| >  and NetBSD before the CERT advisory was released?
>| rlogin is the codebase.  It was the same on almost all these
>| The Linux and NetBSD versions were fixed before the advisory
>| they had groups doing proactive security screening.   It doesn't
>| change that the code base for rlogin was basically the same.
>Here is the core of our disagreement.  That linux and NetBSD code was
>audited and changed to prevent the bug from working is the essense of
>a codebase change thats relevant to the CVE.  Code changes that don't
>affect the vulnerability don't matter, because from the CVE
>they're not code changes.

Version: PGP 6.0.2


Page Last Updated or Reviewed: May 22, 2007