[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PROPOSAL: Cluster 25 - IDS (5 candidates)



I'm really torn by these.  On the one hand, they are clearly flaws of
some type.  On the other hand, IP has lots of design features that
lead to insecurity, and its not clear to me that we should include all 
of them (such as IP spoofing as a vulnerability.)  So I lean towords
suggesting a conservative rule.

At the same time, I've been meaning to suggest that use of keys of
less than 80 bits after the publication of the 7 cryptographers paper
should be a CVE vulnerability, use of key escrow, ttp(s), or Clipper
should have its own CVE vulnerability, RC4-40 should have its own
vulnerability, but differential cryptanalysis should not.  The core of 
my suggestion was to be that a skilled practitioner could quickly see
problems with the scheme.  This is not a conservative rule.

I think that this demonstrates that the things that I'm a practitioner 
in (scanners, crypto), I want liberal rules, and those that I'm not, I 
tend towords the conservative.

So, I'll suggest that we consider a meta-rule of "Defer to the
practitioners who work with the issues most closely" for what the rule 
should be.  This likely leads to an explosion of CVE entries, but I'm
not comfortable keeping the CVE small for the sake of enabling
familiarity when the practitioners wish to expand an area because it
works better for them to have entries for groups of things.

Adam

On Mon, Jul 26, 1999 at 08:56:33PM -0400, Steven M. Christey wrote:
| The following candidates deal with some implementation problems in
| IDSes, as outlined in the paper by Ptacek and Newsham (see
| http://www.nai.com/nai_labs/asp_set/advisory.asp).  They identify
| problems in IDSes that can allow an attacker to escape detection.
| 
| Note that these candidates do not include some of the inherent
| problems in the design of the IDSes themselves that are related to
| ambiguities in the TCP/IP protocol specifications, e.g. needing to
| know how the target's OS reassembles packets in order to accurately
| reconstruct the session.  Should such design limitations be included
| in the CVE?
| 
| - Steve
| 
| 
| 
| Summary of votes to use (in ascending order of "severity"):
| 
| ACCEPT - member accepts the candidate as proposed
| NOOP - member has no opinion on the candidate
| MODIFY - member wants to change some minor detail (e.g. reference/description)
| REVIEWING - member is reviewing/researching the candidate
| RECAST - candidate must be significantly modified, e.g. split or merged
| REJECT - candidate is "not a vulnerability", or a duplicate, etc.
| 
| Please write your vote on the line that starts with "VOTE: ".  If you
| want to add comments or details, add them to lines after the VOTE: line.
| 
| 
| =================================
| Candidate: CAN-1999-0598
| Published:
| Final-Decision:
| Interim-Decision:
| Modified:
| Announced: 19990726
| Assigned: 19990607
| Category: CF
| 
| A network intrusion detection system (IDS) does not properly handle
| packets that are sent out of order, allowing an attacker to escape
| detection.
| 
| VOTE:
| 
| =================================
| Candidate: CAN-1999-0599
| Published:
| Final-Decision:
| Interim-Decision:
| Modified:
| Announced: 19990726
| Assigned: 19990607
| Category: CF
| 
| A network intrusion detection system (IDS) does not properly handle
| packets with improper sequence numbers.
| 
| VOTE:
| 
| =================================
| Candidate: CAN-1999-0600
| Published:
| Final-Decision:
| Interim-Decision:
| Modified:
| Announced: 19990726
| Assigned: 19990607
| Category: CF
| 
| A network intrusion detection system (IDS) does not verify the
| checksum on a packet.
| 
| VOTE:
| 
| =================================
| Candidate: CAN-1999-0601
| Published:
| Final-Decision:
| Interim-Decision:
| Modified:
| Announced: 19990726
| Assigned: 19990607
| Category: CF
| 
| A network intrusion detection system (IDS) does not properly handle
| data within TCP handshake packets.
| 
| VOTE:
| 
| =================================
| Candidate: CAN-1999-0602
| Published:
| Final-Decision:
| Interim-Decision:
| Modified:
| Announced: 19990726
| Assigned: 19990607
| Category: CF
| 
| A network intrusion detection system (IDS) does not properly
| reassemble fragmented packets.
| 
| VOTE:

 
Page Last Updated: May 22, 2007