
[TECH] Vulnerability types seen in CVE



All,

During today's teleconference, I told Editorial Board members that in
the past few years, we have been tracking vulnerability types at a
lower level of detail than is usually recorded (buffer overflows,
directory traversal, symlinks, etc.).  We are unaware of other data
sources that have information at this level, and on this large scale
(about 3000 issues).

As I told the Board today, it seems that it would be highly useful to
the security community for MITRE to publish the actual data that links
each candidate to its vulnerability type.  However, this could run
into concerns about CVE "competing" with other vulnerability
information sources.  If we were to publish this information, we would
make sure that it is NOT part of the CVE or candidates lists, proper;
the data would be provided separately, like reference maps.

If anybody knows of other efforts that capture vulnerability type
information at this level of detail and on this scale, please let me
know.

Below is a first example of the types of summary information that we
can now provide (interpretation is left to the reader, but the "CSS,"
"dos-malform," and "relpath" types are a good starting point.)  I will
be using this information in various briefings and have shared it with
some people as part of an information exchange.  Note, however, that I
have been working on improving the taxonomy being used below (or
classification, gotta re-read the Krsul thesis to be sure ;-)) and the
data is currently incomplete.  Therefore the summary is not
authoritative, merely indicative.

As usual, Board members are welcome to offer comments, questions, or
concerns regarding the summary below, or the possibility of MITRE
sharing the detailed data that links each CVE/CAN to its vulnerability
type.  I have already had to delay sharing detailed portions of this
data with one party due to the potential concerns that Board members
may have.

- Steve



***********************************************************************
Summary of Flaw Types in CVE
***********************************************************************
Author: Steve Christey
Date: October 7, 2002

----------- DISCLAIMER ----------------------- DISCLAIMER ------------
----------- DISCLAIMER ----------------------- DISCLAIMER ------------

The data that was used to generate these stats is incomplete.  Also,
the flaw taxonomy needs to be modified.  However, I believe that this
is a good indication of how frequently various types of issues appear.

This uses CVE entries and candidates that had been proposed to the CVE
Editorial Board on or before 2002/10/01.

----------- DISCLAIMER ----------------------- DISCLAIMER ------------
----------- DISCLAIMER ----------------------- DISCLAIMER ------------


                         2000        2001        2002        TOTAL
                        (1203)      (1266)      (1011)      (3480)
                      ----------  ----------  ----------  ----------
[ 1] buf              24.4% ( 1)  18.5% ( 1)  22.5% ( 1)  21.7% ( 1)
[ 2] dot              06.1% ( 3)  08.8% ( 2)  05.7% ( 3)  07.0% ( 2)
[ 3] dos-malform      07.1% ( 2)  04.6% ( 3)  05.7% ( 4)  05.8% ( 3)
[ 4] metachar         04.4% ( 5)  04.3% ( 4)  04.7% ( 5)  04.5% ( 4)
[ 5] link             03.9% ( 6)  04.3% ( 5)  02.4% ( 8)  03.6% ( 5)
[ 6] priv             05.1% ( 4)  02.5% ( 9)  02.8% ( 6)  03.5% ( 6)
[ 7] CSS              00.2% (26)  01.7% (11)  08.3% ( 2)  03.1% ( 7)
[ 8] format-string    02.8% ( 9)  03.4% ( 6)  02.5% ( 7)  02.9% ( 8)
[ 9] crypt            03.0% ( 7)  03.3% ( 7)  02.2% ( 9)  02.9% ( 9)
[10] perm             02.8% ( 8)  02.8% ( 8)  01.6% (12)  02.4% (10)
[11] dos-flood        01.4% (14)  02.1% (10)  01.8% (10)  01.8% (11)
[12] infoleak         01.7% (11)  01.2% (14)  01.8% (11)  01.5% (12)
[13] form-field       02.6% (10)  00.6% (23)  00.8% (15)  01.4% (13)
[14] auth             01.2% (15)  01.3% (13)  01.3% (13)  01.2% (14)
[15] sandbox          01.5% (12)  00.8% (21)  00.8% (14)  01.0% (15)
[16] relpath          01.5% (13)  00.9% (18)  00.2% (27)  00.9% (16)
[17] design           00.2% (25)  01.5% (12)  00.5% (20)  00.7% (17)
[18] default          00.6% (19)  01.1% (16)  00.3% (23)  00.7% (18)
[19] msdos-device     00.2% (23)  01.2% (15)  00.6% (17)  00.7% (19)
[20] pass             00.8% (16)  00.6% (24)  00.5% (19)  00.6% (20)
[21] spoof            00.3% (20)  00.9% (17)  00.6% (16)  00.6% (21)
[22] CF               00.7% (17)  00.7% (22)  00.4% (22)  00.6% (22)
[23] race             00.7% (18)  00.6% (26)  00.5% (18)  00.6% (23)
[24] memleak          00.3% (21)  00.8% (19)  00.3% (25)  00.5% (24)
[25] rand             00.2% (22)  00.6% (25)  00.5% (21)  00.4% (25)
[26] dos-release      00.2% (24)  00.8% (20)  00.1% (29)  00.4% (26)
[27] type-check       00.1% (27)  00.0%  N/A  00.3% (26)  00.1% (27)
[28] int-overflow     00.0%  N/A  00.0%  N/A  00.3% (24)  00.1% (28)
[29] signedness       00.0%  N/A  00.0%  N/A  00.2% (28)  00.1% (29)


UNKNOWN/UNSPECIFIED ITEMS
------------------------
unk              04.2%  N/A  06.8%  N/A  05.4%  N/A  05.5%  N/A
other            02.2%  N/A  06.2%  N/A  08.2%  N/A  05.4%  N/A
not-specified    19.6%  N/A  17.4%  N/A  16.3%  N/A  17.8%  N/A


Flaw Terminology
-------------------
Type: buf
Rank: [1]
Total vulns: 755
Desc:

buffer overflow

-------------------------------------
Type: not-specified
Rank: [N/A]
Total vulns: 621
Desc:

The analyst has not assigned a flaw type to the issue.

-------------------------------------
Type: dot
Rank: [2]
Total vulns: 242
Desc:

directory traversal (file access via ".." or variants)

-------------------------------------
Type: dos-malform
Rank: [3]
Total vulns: 202
Desc:

DoS caused by malformed input

-------------------------------------
Type: unk
Rank: [N/A]
Total vulns: 192
Desc:

Unknown vulnerability; report is too vague, or issue could not be
described in version of taxonomy that was available at the time the
flaw type was determined.

-------------------------------------
Type: other
Rank: [N/A]
Total vulns: 189
Desc:

Other vulnerability; issue could not be described in version of
taxonomy that was available at the time the flaw type was determined.

-------------------------------------
Type: metachar
Rank: [4]
Total vulns: 155
Desc:

unescaped shell metacharacters or other unquoted "special" char's;
currently includes SQL injection but not XSS.

-------------------------------------
Type: link
Rank: [5]
Total vulns: 125
Desc:

symbolic link following

-------------------------------------
Type: priv
Rank: [6]
Total vulns: 121
Desc:

Bad privilege assignment, or privileged process/action is
unprotected/unauthenticated.

-------------------------------------
Type: CSS
Rank: [7]
Total vulns: 107
Desc:

Cross-site scripting (aka XSS or CSS)

-------------------------------------
Type: format-string
Rank: [8]
Total vulns: 102
Desc:

Format string vulnerability; user can inject format specifiers during
string processing.

-------------------------------------
Type: crypt
Rank: [9]
Total vulns: 100
Desc:

Cryptographic error (poor design or implementation)

-------------------------------------
Type: perm
Rank: [10]
Total vulns: 85
Desc:

assigns bad permissions, improperly calculates permissions, or
improperly checks permissions

-------------------------------------
Type: dos-flood
Rank: [11]
Total vulns: 61
Desc:

DoS caused by flooding with a large number of *legitimately formatted*
requests/etc.; normally DoS is a crash, or spending a lot more time on
a task than it "should"

-------------------------------------
Type: infoleak
Rank: [12]
Total vulns: 53
Desc:

"intentional" information leak by product, i.e. not as the result of
another vulnerability; typically by design or by producing different
"answers" that suggest the state; often related to configuration /
permissions or error reporting/handling.

-------------------------------------
Type: form-field
Rank: [13]
Total vulns: 47
Desc:

CGI program inherently trusts form field that should not be modified
(i.e. stored locally)

-------------------------------------
Type: auth
Rank: [14]
Total vulns: 43
Desc:

Weak/bad authentication problem

-------------------------------------
Type: sandbox
Rank: [15]
Total vulns: 36
Desc:

Java/etc. sandbox escape - NOT BY DOT-DOT!

-------------------------------------
Type: relpath
Rank: [16]
Total vulns: 32
Desc:

relies on relative paths to find other executable programs or files,
opening up to Trojan horse attacks.

-------------------------------------
Type: design
Rank: [17]
Total vulns: 26
Desc:

design problem, generally in protocols or programming languages

-------------------------------------
Type: default
Rank: [18]
Total vulns: 24
Desc:

Insecure default configuration, e.g. passwords or permissions

-------------------------------------
Type: msdos-device
Rank: [19]
Total vulns: 23
Desc:

Problem due to file names with MS-DOS device names.

-------------------------------------
Type: pass
Rank: [20]
Total vulns: 22
Desc:

Default password

-------------------------------------
Type: spoof
Rank: [21]
Total vulns: 22
Desc:

Product is vulnerable to spoofing attacks, generally by not properly
verifying authenticity.

-------------------------------------
Type: CF
Rank: [22]
Total vulns: 21
Desc:

General configuration problem

-------------------------------------
Type: race
Rank: [23]
Total vulns: 20
Desc:

general race condition (NOT SYMBOLIC LINK FOLLOWING (link)!)

-------------------------------------
Type: memleak
Rank: [24]
Total vulns: 17
Desc:

memory leak (doesn't free memory when it should); use this instead of
dos-release

-------------------------------------
Type: rand
Rank: [25]
Total vulns: 15
Desc:

Generation of insufficiently random numbers, typically by using easily
guessable sources of "random" data

-------------------------------------
Type: dos-release
Rank: [26]
Total vulns: 13
Desc:

DoS because system does not properly release resources

-------------------------------------
Type: type-check
Rank: [27]
Total vulns: 4
Desc:

Product incorrectly identifies the type of an input parameter or file,
then dispatches the wrong "executable" (possibly itself) to process
the input.

-------------------------------------
Type: int-overflow
Rank: [28]
Total vulns: 3
Desc:

a numeric value can be incremented to the point where it overflows and
begins at the minimum value, with security implications.  Overlaps
signedness errors.

-------------------------------------
Type: signedness
Rank: [29]
Total vulns: 2
Desc:

Signedness error; a numeric value in one format/representation is
improperly handled when it is used as if it were another
format/representation.  Overlaps integer overflows and array index
errors.

-------------------------------------
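
Added example (Python), not part of Steve Christey's message and not MITRE code: a script that parses the summary table exactly as it is laid out above and cross-checks it against the "Total vulns" figures in the Flaw Terminology section. Since the summary is described as indicative rather than authoritative, the first thing a reader will want is an internal consistency check: the per-type counts should add up to the 3480 issues in the table header, each TOTAL percentage should equal count/3480 rounded to one decimal, types ordered by rank should have non-increasing counts, and each column should sum to roughly 100%. The names COLUMNS, GRAND_TOTAL, TABLE, COUNTS, parse_table and check are mine; the data inside TABLE and COUNTS is copied from the page.

```python
# Added example, not part of the original message: the table rows and the
# "Total vulns" counts below are copied from the page; the checks are mine.
import re
from math import isclose

COLUMNS = ("2000", "2001", "2002", "TOTAL")
GRAND_TOTAL = 3480  # the "(3480)" under TOTAL in the table header

# The 29 ranked rows plus the three UNKNOWN/UNSPECIFIED rows, verbatim.
TABLE = """\
[ 1] buf              24.4% ( 1)  18.5% ( 1)  22.5% ( 1)  21.7% ( 1)
[ 2] dot              06.1% ( 3)  08.8% ( 2)  05.7% ( 3)  07.0% ( 2)
[ 3] dos-malform      07.1% ( 2)  04.6% ( 3)  05.7% ( 4)  05.8% ( 3)
[ 4] metachar         04.4% ( 5)  04.3% ( 4)  04.7% ( 5)  04.5% ( 4)
[ 5] link             03.9% ( 6)  04.3% ( 5)  02.4% ( 8)  03.6% ( 5)
[ 6] priv             05.1% ( 4)  02.5% ( 9)  02.8% ( 6)  03.5% ( 6)
[ 7] CSS              00.2% (26)  01.7% (11)  08.3% ( 2)  03.1% ( 7)
[ 8] format-string    02.8% ( 9)  03.4% ( 6)  02.5% ( 7)  02.9% ( 8)
[ 9] crypt            03.0% ( 7)  03.3% ( 7)  02.2% ( 9)  02.9% ( 9)
[10] perm             02.8% ( 8)  02.8% ( 8)  01.6% (12)  02.4% (10)
[11] dos-flood        01.4% (14)  02.1% (10)  01.8% (10)  01.8% (11)
[12] infoleak         01.7% (11)  01.2% (14)  01.8% (11)  01.5% (12)
[13] form-field       02.6% (10)  00.6% (23)  00.8% (15)  01.4% (13)
[14] auth             01.2% (15)  01.3% (13)  01.3% (13)  01.2% (14)
[15] sandbox          01.5% (12)  00.8% (21)  00.8% (14)  01.0% (15)
[16] relpath          01.5% (13)  00.9% (18)  00.2% (27)  00.9% (16)
[17] design           00.2% (25)  01.5% (12)  00.5% (20)  00.7% (17)
[18] default          00.6% (19)  01.1% (16)  00.3% (23)  00.7% (18)
[19] msdos-device     00.2% (23)  01.2% (15)  00.6% (17)  00.7% (19)
[20] pass             00.8% (16)  00.6% (24)  00.5% (19)  00.6% (20)
[21] spoof            00.3% (20)  00.9% (17)  00.6% (16)  00.6% (21)
[22] CF               00.7% (17)  00.7% (22)  00.4% (22)  00.6% (22)
[23] race             00.7% (18)  00.6% (26)  00.5% (18)  00.6% (23)
[24] memleak          00.3% (21)  00.8% (19)  00.3% (25)  00.5% (24)
[25] rand             00.2% (22)  00.6% (25)  00.5% (21)  00.4% (25)
[26] dos-release      00.2% (24)  00.8% (20)  00.1% (29)  00.4% (26)
[27] type-check       00.1% (27)  00.0%  N/A  00.3% (26)  00.1% (27)
[28] int-overflow     00.0%  N/A  00.0%  N/A  00.3% (24)  00.1% (28)
[29] signedness       00.0%  N/A  00.0%  N/A  00.2% (28)  00.1% (29)
unk              04.2%  N/A  06.8%  N/A  05.4%  N/A  05.5%  N/A
other            02.2%  N/A  06.2%  N/A  08.2%  N/A  05.4%  N/A
not-specified    19.6%  N/A  17.4%  N/A  16.3%  N/A  17.8%  N/A
"""

# "Total vulns" figures from the Flaw Terminology section.
COUNTS = {
    "buf": 755, "not-specified": 621, "dot": 242, "dos-malform": 202,
    "unk": 192, "other": 189, "metachar": 155, "link": 125, "priv": 121,
    "CSS": 107, "format-string": 102, "crypt": 100, "perm": 85,
    "dos-flood": 61, "infoleak": 53, "form-field": 47, "auth": 43,
    "sandbox": 36, "relpath": 32, "design": 26, "default": 24,
    "msdos-device": 23, "pass": 22, "spoof": 22, "CF": 21, "race": 20,
    "memleak": 17, "rand": 15, "dos-release": 13, "type-check": 4,
    "int-overflow": 3, "signedness": 2,
}

ROW = re.compile(r"^(?:\[\s*\d+\]\s+)?(\S+)\s+(.*)$")      # "[ n] type cells..."
CELL = re.compile(r"(\d+\.\d+)%\s+(?:\(\s*(\d+)\)|N/A)")  # "24.4% ( 1)" / "04.2%  N/A"

def parse_table(text):
    """Return {type: {column: (percent, rank or None)}}."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        cells = CELL.findall(m.group(2)) if m else []
        if len(cells) != len(COLUMNS):
            raise ValueError(f"unparseable row: {line!r}")
        rows[m.group(1)] = {col: (float(pct), int(rank) if rank else None)
                            for col, (pct, rank) in zip(COLUMNS, cells)}
    return rows

def check(rows, counts, grand_total):
    """Return a list of inconsistencies between the table and the counts."""
    problems = []
    total = sum(counts.values())
    if total != grand_total:
        problems.append(f"counts sum to {total}, header says {grand_total}")
    for name, entry in rows.items():
        pct = entry["TOTAL"][0]
        expected = round(100 * counts.get(name, 0) / grand_total, 1)
        if not isclose(pct, expected, abs_tol=1e-9):
            problems.append(f"{name}: TOTAL {pct}% but count gives {expected}%")
    # Types ordered by TOTAL rank must have non-increasing counts (ties allowed).
    ranked = sorted((n for n in rows if rows[n]["TOTAL"][1] is not None),
                    key=lambda n: rows[n]["TOTAL"][1])
    for above, below in zip(ranked, ranked[1:]):
        if counts.get(above, 0) < counts.get(below, 0):
            problems.append(f"{above} ranked above {below} but has fewer vulns")
    # Each column (ranked plus unknown rows) should sum to roughly 100%.
    for col in COLUMNS:
        pct_sum = sum(e[col][0] for e in rows.values())
        if abs(pct_sum - 100.0) > 1.0:
            problems.append(f"{col} column sums to {pct_sum:.1f}%")
    return problems

if __name__ == "__main__":
    found = check(parse_table(TABLE), COUNTS, GRAND_TOTAL)
    print("\n".join(found) or "table and terminology counts are consistent")
```

Run with no arguments; it prints either the list of inconsistencies or a one-line confirmation. On the table as published every check passes (the counts sum to exactly 3480 and every TOTAL percentage matches its count), so the "indicative" summary is at least arithmetically self-consistent; the same harness applied to a later revision of the taxonomy would flag any row whose rank or percentage had drifted from its count.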

Page Last Updated or Reviewed: May 22, 2007