Re: INTERIM DECISION: ACCEPT 5 SA category candidates (Final 9/28)
The "valid" and "any" parts of that description are problems; if one (a
person, an IDS, a scanner, etc.) wants to report something about finger (I
saw the use of finger, finger is running on that host, etc.) using CVE one
should not be burdened with a requirement to determine if the service
returns _valid_ data. Further, a service need not be offered to every
(i.e. "any") host on the network to constitute a problem. Both of these
are components of determining if an exposure is a problem, but should not
be part of defining the exposure.
A bit more on that. There are many other cases where we could make the
argument that because the data is not valid, the filters or wrappers will
help, or something else, well then that vulnerability or exposure you
think system X has really does not exist. For example, my particular web
server is in a fool proof chroot environment running on a virtual machine
inside (insert as many protections as you like) and so that PHF attack
which your scanners say I'm vulnerable to, or your IDS saw used, or your
SysAdmin noticed is possible, well it is not a vulnerability for me. But
of course we still need a CVE entry for PHF. So when we or our tools
report the presence of CVE #X, it really means that (whether X is a
vulnerability or an exposure) X _potentially_ is a problem. To know for
sure one must assess the situation in light of policy, network
configuration, the existence of special countermeasures, etc. So, lets
not refer to the validity of the data, or similar such things, in the CVE!
If I understand Spaf's reasoning, the heart of the exposure is that user
information is returned. The vehicle (in this case) is finger. So I
suggest the following:
- The exposure is: "User information is disseminated" (or some such thing)
- A particular instance of this would be finger. Also, rusers, rwho, ...
I suggest using the
dot notation here to make each different service a separate entry.
Gene Spafford wrote:
> At 12:00 PM -0400 9/28/99, Steven M. Christey wrote:
> > >Note that the entry says "the finger service is running" . It does
> > >not say that the original, unmodified service is running.
> >How about this:
> >"A version of finger is running that releases valid user information
> >to any entity on the network."
> I would be happier with this and similarly modified descriptions for
> the other services.
org:The MITRE Corporation
adr:;;1820 Dolley Madison Blvd;McLean;VA;22102;
S/MIME Cryptographic Signature