[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [TECH] High-level candidates for recent SNMP problems



You didn't say I couldn't bring up old arguments, so... >8-)

Unless you're willing to type up CANs for each and every little variant
that gets discovered, then (IMVHO - opposite of IMNSHO) I would try not
to establish a low level of abstraction. It's going to get really,
really ugly. I well understand the academic arguments, but there's a
pragmatic concern - I don't think we want to double the size of the CVE
database (oops, list pretending not to be a database, sorry) just to
cover a bazillion variants of this particular bug. Even getting it down
to codebase is going to be very, very difficult.

IMHO, I'd put the 2 CANs you've got through and call it a day. You've
got better things to do with your time than try and sort all this out.

My $0.02, YMMV, do what you like from here.

> -----Original Message-----
> From: Steven M. Christey [mailto:coley@linus.mitre.org] 
> Sent: Tuesday, February 12, 2002 2:00 PM
> To: cve-editorial-board-list@lists.mitre.org
> Subject: [TECH] High-level candidates for recent SNMP problems
> 
> 
> All,
> 
> The recently announced SNMP problems pose a special challenge 
> for using CVE candidates.  The basic problem is that the CVE 
> content decisions dictate that we should provide different 
> candidates for each implementation that is affected by the 
> PROTOS suite (Jim Magdych, this probably isn't a good time to 
> bring up old arguments please ;-)
> 
> Despite the number and complexity of the issues, the CVE 
> content decisions are pretty clear on how candidates should 
> be assigned:
> 
> - separate candidates for each affected codebase (CD:SF-CODEBASE)
> 
> - separate candidates for each type of problem within the same
>   codebase (CD:SF-LOC) and version
> 
> However, there is insufficient information at this time to 
> assign the proper number of candidates.  So, we currently 
> only have a few candidates, and they are at a level of 
> abstraction that is higher than they "should" be (relative to 
> content decisions).
> 
> The codebase issue is a difficult one, but the general 
> approach will probably be to distinguish by vendor, unless 
> there is clear proof that multiple vendors use the same codebase.
> 
> Below is the current list of candidates that CERT/CC has 
> assigned and publicized.  They will be on the CVE web site 
> within an hour.  They will likely change rapidly and without notice.
> 
> As we better understand the specifics, I will be assigning 
> separate candidates to the more explicitly identified issues. 
>  If other general "classes" of vulnerabilities are also 
> discovered, it is likely that other high-level candidates 
> will be created for that, too.
> 
> This is a prime example of how CVE content decisions are 
> dependent on the amount of available information.  I've been 
> able to remove the dependencies of content decisions on 
> certain types of information, but there is still a reliance 
> on problem types, affected codebases, and affected versions.  
> I alluded to this difficulty in a post to Bugtraq a week or two ago.
> 
> - Steve
> 
> 
> ======================================================
> Candidate: CAN-2002-0012
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed:
> Assigned: 20020110
> Category: SF
> Reference: ISS:20020212 PROTOS Remote SNMP Attack Tool
> Reference: URL:http://www.iss.net/security_center/alerts/advise110.php
> Reference: CERT:CA-2002-03
> Reference: URL:http://www.cert.org/advisories/CA-2002-03.html
> Reference: CERT-VN:VU#107186
> Reference: URL:http://www.kb.cert.org/vuls/id/107186
> 
> Vulnerabilities in a large number of SNMP implementations 
> allow remote attackers to cause a denial of service or gain 
> privileges via SNMPv1 trap handling, as demonstrated by the 
> PROTOS c06-SNMPv1 test suite.  NOTE: It is highly likely that 
> this candidate will be SPLIT into multiple candidates, one or 
> more for each vendor.  This and other SNMP-related candidates 
> will be updated when more accurate information is available.
> 
> 
> 
> ======================================================
> Candidate: CAN-2002-0013
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed:
> Assigned: 20020110
> Category: SF/CF/MP/SA/AN/unknown
> Reference: ISS:20020212 PROTOS Remote SNMP Attack Tool
> Reference: URL:http://www.iss.net/security_center/alerts/advise110.php
> Reference: CERT:CA-2002-03
> Reference: URL:http://www.cert.org/advisories/CA-2002-03.html
> Reference: CERT-VN:VU#854306
> Reference: URL:http://www.kb.cert.org/vuls/id/854306
> 
> Vulnerabilities in the SNMPv1 request handling of a large 
> number of SNMP implementations allow remote attackers to 
> cause a denial of service or gain privileges via (1) 
> GetRequest, (2) GetNextRequest, and
> (3) SetRequest messages, as demonstrated by the PROTOS 
> c06-SNMPv1 test suite.  NOTE: It is highly likely that this 
> candidate will be SPLIT into multiple candidates, one or more 
> for each vendor.  This and other SNMP-related candidates will 
> be updated when more accurate information is available.
> 

Page Last Updated or Reviewed: May 22, 2007