
on the topic of CNA assignments... (was Re: Please welcome Kurt Seifried to the CVE Editorial Board)



On Wed, 4 Nov 2015, Art Manion wrote:

: On 2015-11-04 09:26, Kurt Seifried wrote:
: 
: > One thing I do know is some of the external issues facing CVE (e.g.
: > people asking for CVEs on oss-sec that then take a while), I was
: > wondering if there are specific internal issues/challenges, e.g. are the
: > requests taking a long time/eating up resources because the requests are
: > poor? I often bounce private CVE requests back with "I need more info,
: > specifically X/Y/Z", and have been very firm with fuzzing reports (I
: > need minimized test cases and root cause analysis, not a pile of 100
: > text files that crash a command line app, and as it turns out that's all
: > they do). 
: 
: We (at CERT/CC) face similar issues in our CNA role.  We get researchers
: asking for a CVE ID for legitimate, but low severity/impact
: vulnerabilities that we otherwise would not handle or publish.  One
: option is to redirect the researcher to cve-assign, which sometimes
: comes back as "I already asked them and didn't get an answer so I'm
: asking CERT."

OK, so board... if the above is kind of foreign to you? Go read the 
comics, ignore this.

For the 2% of you following board traffic, and my kind-of-subtle jabs in 
this direction, grab your popcorn.

Kurt's mail, and Art's reply, are PERFECT. While MITRE can figure that out 
for 'today', and moving forward, I will use this as an opportunity to 
bring up the past. And the best part? I will pick on Art!

I alluded to this in less-than-subtle ways in the last year. MITRE ignored 
the comments on the editorial board list. No one else on the board picked 
up on it either, which is beyond discouraging. Because it means they are 
likely oblivious to the real world of vuln disclosure.

So, OFFICIALLY.... MITRE... SPEAK TO THIS PLEASE.

Last year, Will Dormann at CERT developed a tool to discover MitM issues 
in Android applications. He called it 'TAPIOCA', not to be confused with 
the recent 'TAPIOCA' tool name. Because researchers are largely ignorant 
and can't Google for shit.

CERT, being a registered CNA, started issuing IDs for these vulns. About 
three to four weeks in, CVE/MITRE arbitrarily decided that Will should 
STOP assigning IDs for these vulns.

Yep, process that for a minute or eight.

MITRE, decided on their own, without consulting the board, that a 
CNA should *STOP* issuing IDs to valid vulnerabilities. No valid reason 
was given, not to the public, and I bet a dollar not to Will himself. Just 
"oh god no stop it".

Anyone on the board should be concerned right here. Why does MITRE have 
this absolute authority to stop issuing IDs on valid vulnerabilities? You 
can't argue they are valid or not, because MITRE actually spent the time 
to write scripts to import Will's first run of vulnerabilities! CVE 
auto-imported the data into the official CVE database, that feeds into 
NVD, that is a cornerstone of our industry. In doing so, they missed the 
many dozens of entries that had bad data due to the original import 
scripting. To this day, we have CVE entries saying software is vulnerable, 
with gibberish for the affected version number. Then, MITRE decided, no 
more IDs... told Will, at CERT, which is a CNA, to stop assigning.

A year later, after alluding to it on the board, and MITRE ignoring 
those comments... here we are. Still no explanation as to why that 
decision was made, no hiring an extra intern at ~ 20k a year to import the 
rest (on a budget of 1mil+)... basically, nothing holding them 
accountable. Given MITRE/CVE's mission statement, that doesn't work for 
me.

If you are wondering what all this means, please ask yourself why. Why 
didn't you notice this last year? It was center-stage of the vuln 
disclosure world, in many ways. No offense, but if you didn't notice me 
bringing it up on list, and didn't notice it happening, are you really 
suited to be on the board? 2014 represented a near 8x increase in vuln 
disclosures. Yet, that isn't reflected in CVE at all, and it wasn't 
brought to our attention, or our vote. Are you really comfortable with a 
tax-payer funded VDB hiding ~ 80% of the disclosed vulnerabilities any 
given year?

: I believe that CVE looks for a reasonably trusted public source of
: information (this might get to the sources and products lists) on which
: to base a CVE ID assignment and entry.  So a researcher publish

Yet, CERT is not trusted. See above. If we can't trust CERT to be a CNA... 
who can we trust?

Certainly not Apple, who refuses to answer mails clarifying dupe CVE 
assignments (Oct 2015).

Certainly not Microsoft or Adobe, who keep assigning 2015 IDs to issues 
found and disclosed to them in 2014.

Certainly not IBM, who has released several hundred advisories using the 
wrong CVE ID, that clearly states it is vendor-specific, and who has 
been told by me and MITRE to stop...

Certainly not Cisco, who is cherry-picking which vulns get CVE 
assignments, and when asked about public vuln information (that they 
published) opt to redact information instead of clarifying it per 
request...

Is there any wonder I have been asking for, and waiting for CNA guidelines 
to be officially published?

The entire system is broken from the ground up. No one is policing it. The 
rare times some asshole polices it externally, they get ignored over and 
over.

: themselves or drop mail on full-disclosure might not be enough to 
: support CVE ID assignment and writeup (in the case that neither CERT nor 
: the vendor publish).

Oh god, stop there. F-D or Bugtraq are your 1999 or 2001 examples. This is 
2015, you can't use either as an example to disclosure challenges. Look to 
oss-sec first, and you will see why I am shocked I had to fight for three 
years to get Kurt on board. Then consider the slightly easier sources like 
EDB or PS... then for pure nostalgia, look to Bugtraq or FD, which are 
front-and-center on the official sources MITRE monitors.

: While I support the idea that every vulnerability should have an 
: identifier -- ideally a CVE ID -- there are tradeoffs with quality, 
: quantity/scope/coverage, assignment speed, and resources.  It may be 
: that working policy is that certain vulnerabilities just don't get CVE 
: IDs?  Should a CNA (CERT) shunt requests to cve-assign or just say "no?"

If a CNA says "no" to requests in their own software, for ANY reason, they 
should not be a CNA.

End of story.

A volunteer effort, run by 3 people in their spare time, doubled CVE's 
output for half a decade. Each year, MITRE got 1mil+ from the 
government, while these volunteers did it in their spare time.

You simply cannot argue about CVE and effectiveness, without addressing 
that point. If MITRE's bureaucracy is so convoluted and hindering to 
the process, we need to consider alternatives.

.b


Page Last Updated or Reviewed: November 13, 2015