
RE: Should be a CVE?



Chad/Art,

Given the anti-rollback issue, I agree and believe that this would 
qualify for a CVE. I did a quick search and also found a similar 
situation in Windows XP/Internet Explorer (see 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1670). The 
updated description looks fine by me.

One question, could this problem allow rolling back to other vulnerable 
firmware versions with additional vulnerabilities beyond CVE-2017-5689? 

Regards,

Chris

-----Original Message-----
From: Skinner, Chad [mailto:chad.skinner@intel.com] 
Sent: Monday, September 25, 2017 5:02 PM
To: Art Manion <amanion@cert.org>; Coffin, Chris <ccoffin@mitre.org>; 
Waltermire, David A. (Fed) <david.waltermire@nist.gov>; Millar, Thomas 
<Thomas.Millar@hq.dhs.gov>; Kurt Seifried <kurt@seifried.org>; Kent 
Landfield <bitwatcher@gmail.com>
Cc: cve-editorial-board-list 
<cve-editorial-board-list@lists.mitre.org>; Latif, Magid 
<magid.latif@intel.com>; Landfield, Kent B 
<kent.b.landfield@intel.com>; Kidby, Brian <brian.kidby@intel.com>
Subject: RE: Should be a CVE?

Art,
        Should I assume silence as consent and re-submit with the 
changed wording?
Thanks,
Chad


-----Original Message-----
From: Art Manion [mailto:amanion@cert.org]
Sent: Monday, September 18, 2017 3:07 PM
To: Coffin, Chris <ccoffin@mitre.org>; Waltermire, David A. (Fed) 
<david.waltermire@nist.gov>; Millar, Thomas <Thomas.Millar@hq.dhs.gov>; 
Kurt Seifried <kurt@seifried.org>; Kent Landfield <bitwatcher@gmail.com>
Cc: cve-editorial-board-list 
<cve-editorial-board-list@lists.mitre.org>; Skinner, Chad 
<chad.skinner@intel.com>; Latif, Magid <magid.latif@intel.com>; 
Landfield, Kent B <kent.b.landfield@intel.com>; Kidby, Brian 
<brian.kidby@intel.com>
Subject: Re: Should be a CVE?

I had an offline conversation with Intel, posting the following on 
their behalf.


There seem to have been some conversations regarding this CVE that look 
to be tied to my lack of mentioning "anti-rollback" bypass.  I've 
updated the description to better add this, thoughts?

[CVEID]: CVE-2017-5698
[PRODUCT]: Intel® Active Management Technology, Intel® Standard 
Manageability, and Intel® Small Business Technology
[VERSION]: version 11.0.25.3001 and 11.0.26.3000
[PROBLEMTYPE]: Escalation of Privilege
[REFERENCES]: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00082&languageid=en-fr
[DESCRIPTION]: Intel® Active Management Technology, Intel® Standard 
Manageability, and Intel® Small Business Technology firmware versions 
11.0.25.3001 and 11.0.26.3000 anti-rollback will not prevent upgrading 
to firmware version 11.6.x.1xxx which is vulnerable to CVE-2017-5689 
and can be performed by a local user with administrative privileges.

BTW - I used "escalation of privilege" due to the second CVE, can't 
figure out what to call it otherwise.


My (Art's) take is that the anti-rollback feature has the vulnerability 
-- it fails at its stated security purpose.

I don't know what the constraints on [PROBLEMTYPE] are at the moment, 
any valid CWE?

Maybe CWE-837: Improper Enforcement of a Single, Unique Action?

http://cwe.mitre.org/data/definitions/837.html

Or leave blank if no good match?

  - Art







On 9/13/17 9:15 AM, Coffin, Chris wrote:
>   * My ability to install/upgrade/downgrade to any software versions 
> does not get a CVE ID, even if what I'm moving to has known CVE IDs.
> 
> Completely agree with Art on this. Based on the current information, 
> the "install/upgrade/downgrade to any software" issue is not a 
> vulnerability on its own and should not have a CVE ID assigned.
> 
>   * Intel/MITRE should reject the new CVE and update the original. Is 
> this correct?
> 
> Yes. I believe that this is the most appropriate way to handle the 
> situation. We will be reaching out to our Intel CNA contact for 
> additional information, unless Kent chimes in sooner. :)
> 
> Chris C
> 
> *From:*owner-cve-editorial-board-list@lists.mitre.org
> [mailto:owner-cve-editorial-board-list@lists.mitre.org] *On Behalf Of 
> *Waltermire, David A. (Fed)
> *Sent:* Tuesday, September 12, 2017 5:32 PM
> *To:* Millar, Thomas <Thomas.Millar@hq.dhs.gov>; Kurt Seifried 
> <kurt@seifried.org>; Art Manion <amanion@cert.org>
> *Cc:* cve-editorial-board-list
> <cve-editorial-board-list@lists.mitre.org>
> *Subject:* RE: Should be a CVE?
> 
> This makes sense. So if this is the case, Intel/MITRE should reject 
> the new CVE and update the original. Is this correct?
> 
> Dave
> 
> -------- Original Message --------
> From: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov 
> <mailto:Thomas.Millar@hq.dhs.gov>>
> Date: Tue, September 12, 2017 5:49 PM -0400
> To: Kurt Seifried <kurt@seifried.org <mailto:kurt@seifried.org>>, Art 
> Manion <amanion@cert.org <mailto:amanion@cert.org>>
> CC: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov 
> <mailto:david.waltermire@nist.gov>>,
> cve-editorial-board-list@lists.mitre.org
> <mailto:cve-editorial-board-list@lists.mitre.org>
> Subject: RE: Should be a CVE?
> 
> It should probably be an update to the previous SA & CVE by Intel. 
> The two particular 3XXX firmware versions are not safe, despite what 
> the original advisory stated.
> 
> 
> 
> Tom Millar, US-CERT
> 
> Sent from +1-202-631-1915
> https://www.us-cert.gov
> 
> ----------------------------------------------------------------------
> 
> *From:*owner-cve-editorial-board-list@lists.mitre.org
> <mailto:owner-cve-editorial-board-list@lists.mitre.org> on behalf of 
> Kurt Seifried
> *Sent:* Tuesday, September 12, 2017 10:44:52 PM
> *To:* Art Manion
> *Cc:* Waltermire, David A. (Fed);
> cve-editorial-board-list@lists.mitre.org
> <mailto:cve-editorial-board-list@lists.mitre.org>
> *Subject:* Re: Should be a CVE?
> 
> I'm not clear, the CVE ID, was it assigned because people are NOT 
> supposed to be able to upgrade or something?
> 
> By this logic every vendor would need a CVE ID for every software 
> package that can be updated to a version that has a flaw introduced 
> in a later version (so like uhh.. all of them basically).
> 
> On Tue, Sep 12, 2017 at 2:01 PM, Art Manion <amanion@cert.org 
> <mailto:amanion@cert.org>> wrote:
> 
>     On 2017-09-12 15:19, Waltermire, David A. (Fed) wrote:
>      > Looking at the following, it appears that a CVE was issued for 
> the potential that someone might upgrade software to a vulnerable 
> version, which has another CVE. I don't think this should qualify as 
> a CVE, given the actual vulnerability already has one.
>      >
>      > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5698
>      >
>      > Should this CVE be rejected?
> 
>     I think it should be rejected.
> 
>     Version A1 has vulnerability V1, version B1 has vulnerability V2, 
> V1 and V2 are documented (have CVE IDs), the ability to change from 
> V1 to V2 does not warrant a CVE ID.
> 
>     My ability to install/upgrade/downgrade to any software versions 
> does not get a CVE ID, even if what I'm moving to has known CVE IDs.
> 
>     Intel is welcome to release an advisory, upgrading and being 
> newly/differently vulnerable is unexpected, which goes to the core of 
> many vulnerability/security issues.  But no CVE ID.
> 
>       - Art
> 
> 
> 
> --
> 
> Kurt Seifried
> kurt@seifried.org <mailto:kurt@seifried.org>
> 


Page Last Updated or Reviewed: September 26, 2017