
Re: PROPOSAL: Cluster 25 - IDS (5 candidates)



I'm really torn by these.  On the one hand, they are clearly flaws of
some type.  On the other hand, IP has lots of design features that
lead to insecurity, and it's not clear to me that we should include all 
of them (such as IP spoofing as a vulnerability.)  So I lean towards
suggesting a conservative rule.

At the same time, I've been meaning to suggest that use of keys of
less than 80 bits after the publication of the 7 cryptographers paper
should be a CVE vulnerability, use of key escrow, ttp(s), or Clipper
should have its own CVE vulnerability, RC4-40 should have its own
vulnerability, but differential cryptanalysis should not.  The core of 
my suggestion was to be that a skilled practitioner could quickly see
problems with the scheme.  This is not a conservative rule.

I think that this demonstrates that the things that I'm a practitioner 
in (scanners, crypto), I want liberal rules, and those that I'm not, I 
tend towards the conservative.

So, I'll suggest that we consider a meta-rule of "Defer to the
practitioners who work with the issues most closely" for what the rule 
should be.  This likely leads to an explosion of CVE entries, but I'm
not comfortable keeping the CVE small for the sake of enabling
familiarity when the practitioners wish to expand an area because it
works better for them to have entries for groups of things.

Adam

On Mon, Jul 26, 1999 at 08:56:33PM -0400, Steven M. Christey wrote:
| The following candidates deal with some implementation problems in
| IDSes, as outlined in the paper by Ptacek and Newsham (see
| http://www.nai.com/nai_labs/asp_set/advisory.asp).  They identify
| problems in IDSes that can allow an attacker to escape detection.
| 
| Note that these candidates do not include some of the inherent
| problems in the design of the IDSes themselves that are related to
| ambiguities in the TCP/IP protocol specifications, e.g. needing to
| know how the target's OS reassembles packets in order to accurately
| reconstruct the session.  Should such design limitations be included
| in the CVE?
| 
| - Steve
| 
| 
| 
| Summary of votes to use (in ascending order of "severity"):
| 
| ACCEPT - member accepts the candidate as proposed
| NOOP - member has no opinion on the candidate
| MODIFY - member wants to change some minor detail (e.g. reference/description)
| REVIEWING - member is reviewing/researching the candidate
| RECAST - candidate must be significantly modified, e.g. split or merged
| REJECT - candidate is "not a vulnerability", or a duplicate, etc.
| 
| Please write your vote on the line that starts with "VOTE: ".  If you
| want to add comments or details, add them to lines after the VOTE: line.
| 
| 
| =================================
| Candidate: CAN-1999-0598
| Published:
| Final-Decision:
| Interim-Decision:
| Modified:
| Announced: 19990726
| Assigned: 19990607
| Category: CF
| 
| A network intrusion detection system (IDS) does not properly handle
| packets that are sent out of order, allowing an attacker to escape
| detection.
| 
| VOTE:
| 
| =================================
| Candidate: CAN-1999-0599
| Published:
| Final-Decision:
| Interim-Decision:
| Modified:
| Announced: 19990726
| Assigned: 19990607
| Category: CF
| 
| A network intrusion detection system (IDS) does not properly handle
| packets with improper sequence numbers.
| 
| VOTE:
| 
| =================================
| Candidate: CAN-1999-0600
| Published:
| Final-Decision:
| Interim-Decision:
| Modified:
| Announced: 19990726
| Assigned: 19990607
| Category: CF
| 
| A network intrusion detection system (IDS) does not verify the
| checksum on a packet.
| 
| VOTE:
| 
| =================================
| Candidate: CAN-1999-0601
| Published:
| Final-Decision:
| Interim-Decision:
| Modified:
| Announced: 19990726
| Assigned: 19990607
| Category: CF
| 
| A network intrusion detection system (IDS) does not properly handle
| data within TCP handshake packets.
| 
| VOTE:
| 
| =================================
| Candidate: CAN-1999-0602
| Published:
| Final-Decision:
| Interim-Decision:
| Modified:
| Announced: 19990726
| Assigned: 19990607
| Category: CF
| 
| A network intrusion detection system (IDS) does not properly
| reassemble fragmented packets.
| 
| VOTE:
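The checksum candidate (CAN-1999-0600) is the easiest of the five to show concretely. The Python below is an added illustration written for this archive page; it is not code from the thread, from Ptacek and Newsham, or from any IDS product. It builds a constructed IPv4/TCP packet (documentation-range addresses, a made-up payload), then models a sensor decision in a hypothetical `ids_inspect()` function: a sensor that verifies the IP header and TCP checksums discards a segment the destination host will also discard, while a sensor that skips the check (the behaviour the candidate describes) feeds bytes into its detection engine that the end host never sees. All function and variable names are this example's own.

```python
import struct
from ipaddress import IPv4Address


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length input as if a zero byte followed it
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """Checksum field value: one's complement of the one's-complement sum."""
    return (~ones_complement_sum(data)) & 0xFFFF


def build_ipv4_tcp(src: str, dst: str, sport: int, dport: int, seq: int,
                   payload: bytes) -> bytes:
    """Construct a minimal IPv4 + TCP (PSH/ACK) packet with valid checksums."""
    src_b, dst_b = IPv4Address(src).packed, IPv4Address(dst).packed
    # TCP header: ports, seq, ack, data offset 5 (20 bytes), flags, window,
    # checksum placeholder, urgent pointer.
    tcp_nochk = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4,
                            0x18, 8192, 0, 0)
    # TCP checksum covers a pseudo-header (addresses, zero, proto, length).
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp_nochk) + len(payload))
    tcp_chk = internet_checksum(pseudo + tcp_nochk + payload)
    tcp = tcp_nochk[:16] + struct.pack("!H", tcp_chk) + tcp_nochk[18:]
    total_len = 20 + len(tcp) + len(payload)
    ip_nochk = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0,
                           64, 6, 0, src_b, dst_b)
    ip = ip_nochk[:10] + struct.pack("!H", internet_checksum(ip_nochk)) + ip_nochk[12:]
    return ip + tcp + payload


def verify_ipv4_tcp(pkt: bytes):
    """Return (ip_header_ok, tcp_ok, tcp_payload) for a raw IPv4 packet.

    A correctly checksummed region sums (including its checksum field) to 0xFFFF.
    """
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    ip_ok = ones_complement_sum(pkt[:ihl]) == 0xFFFF
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    src_b, dst_b = pkt[12:16], pkt[16:20]
    tcp_seg = pkt[ihl:total_len]
    tcp_ok, payload = False, b""
    if proto == 6 and len(tcp_seg) >= 20:
        pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp_seg))
        tcp_ok = ones_complement_sum(pseudo + tcp_seg) == 0xFFFF
        doff = (tcp_seg[12] >> 4) * 4
        payload = tcp_seg[doff:]
    return ip_ok, tcp_ok, payload


def ids_inspect(pkt: bytes, verify_checksums: bool = True):
    """Hypothetical sensor decision: ('inspect', payload) or ('drop', reason).

    verify_checksums=False models the CAN-1999-0600 behaviour: the sensor
    inspects data that the destination host's TCP/IP stack will discard.
    """
    ip_ok, tcp_ok, payload = verify_ipv4_tcp(pkt)
    if verify_checksums and not ip_ok:
        return ("drop", "bad IP header checksum")
    if verify_checksums and not tcp_ok:
        return ("drop", "bad TCP checksum")
    return ("inspect", payload)


def with_bad_tcp_checksum(pkt: bytes) -> bytes:
    """Copy of pkt with one bit of the TCP checksum flipped (constructed corruption)."""
    ihl = (pkt[0] & 0x0F) * 4
    b = bytearray(pkt)
    b[ihl + 16] ^= 0x01
    return bytes(b)


def with_bad_ip_checksum(pkt: bytes) -> bytes:
    """Copy of pkt with one bit of the IPv4 header checksum flipped."""
    b = bytearray(pkt)
    b[10] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    # Constructed sample traffic; addresses are from documentation ranges.
    good = build_ipv4_tcp("192.0.2.1", "198.51.100.2", 40000, 80, 1000, b"hello")
    print("valid packet        :", ids_inspect(good))
    print("bad TCP csum, checks:", ids_inspect(with_bad_tcp_checksum(good)))
    print("bad TCP csum, no chk:", ids_inspect(with_bad_tcp_checksum(good), False))
    print("bad IP csum, checks :", ids_inspect(with_bad_ip_checksum(good)))
```

The point of the two `ids_inspect` calls on the corrupted packet is the difference between what the sensor sees and what the host accepts: with verification on, the sensor and the host agree; with it off, the sensor's view of the stream contains a segment the host never processed, so its reconstruction of the session diverges from the host's. Production sensors also have to cope with hardware checksum offload and partial captures, which is why the check is usually configurable rather than unconditional.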

Page Last Updated or Reviewed: May 22, 2007