|
|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [TECH] High-level candidates for recent SNMP problems
All, The recently announced SNMP problems pose a special challenge for using CVE candidates. The basic problem is that the CVE content decisions dictate that we should provide different candidates for each implementation that is affected by the PROTOS suite (Jim Magdych, this probably isn't a good time to bring up old arguments please ;-) Despite the number and complexity of the issues, the CVE content decisions are pretty clear on how candidates should be assigned: - separate candidates for each affected codebase (CD:SF-CODEBASE) - separate candidates for each type of problem within the same codebase (CD:SF-LOC) and version However, there is insufficient information at this time to assign the proper number of candidates. So, we currently only have a few candidates, and they are at a level of abstraction that is higher than they "should" be (relative to content decisions). The codebase issue is a difficult one, but the general approach will probably be to distinguish by vendor, unless there is clear proof that multiple vendors use the same codebase. Below is the current list of candidates that CERT/CC has assigned and publicized. They will be on the CVE web site within an hour. They will likely change rapidly and without notice. As we better understand the specifics, I will be assigning separate candidates to the more explicitly identified issues. If other general "classes" of vulnerabilities are also discovered, it is likely that other high-level candidates will be created for that, too. This is a prime example of how CVE content decisions are dependent on the amount of available information. I've been able to remove the dependencies of content decisions on certain types of information, but there is still a reliance on problem types, affected codebases, and affected versions. I alluded to this difficulty in a post to Bugtraq a week or two ago. - Steve ====================================================== Candidate: CAN-2002-0012 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20020110 Category: SF Reference: ISS:20020212 PROTOS Remote SNMP Attack Tool Reference: URL:http://www.iss.net/security_center/alerts/advise110.php Reference: CERT:CA-2002-03 Reference: URL:http://www.cert.org/advisories/CA-2002-03.html Reference: CERT-VN:VU#107186 Reference: URL:http://www.kb.cert.org/vuls/id/107186 Vulnerabilities in a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via SNMPv1 trap handling, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available. ====================================================== Candidate: CAN-2002-0013 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013 Final-Decision: Interim-Decision: Modified: Proposed: Assigned: 20020110 Category: SF/CF/MP/SA/AN/unknown Reference: ISS:20020212 PROTOS Remote SNMP Attack Tool Reference: URL:http://www.iss.net/security_center/alerts/advise110.php Reference: CERT:CA-2002-03 Reference: URL:http://www.cert.org/advisories/CA-2002-03.html Reference: CERT-VN:VU#854306 Reference: URL:http://www.kb.cert.org/vuls/id/854306 Vulnerabilities in the SNMPv1 request handling of a large number of SNMP implementations allow remote attackers to cause a denial of service or gain privileges via (1) GetRequest, (2) GetNextRequest, and (3) SetRequest messages, as demonstrated by the PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that this candidate will be SPLIT into multiple candidates, one or more for each vendor. This and other SNMP-related candidates will be updated when more accurate information is available.
|
||||
