Name of Your Organization:

Assuria Limited

Web Site:

www.assuria.com

Compatible Capability:

Assuria Auditor

Capability home page:

http://www.assuria.com/products.htm
General Capability Questions

1) Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

Vulnerability information, including CVE references is available within the Assuria Auditor reports, Policy Navigators and Database.
Mapping Questions

4) Map Currency Indication <CR_5.1>

Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):

The database held within the Assuria Auditor Console uses the latest CVE version information available. Using a number of available databases starting with Vendor security advisories these are then cross checked using CVE or CAN number against a number of databases, the ISS X-Force database, BID (Security Focus), Sentelli and BID (Security Focus).

5) Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings to reflect new CVE versions and describe your approach to keeping reasonably current with CVE versions when mapping them to your repository (recommended):

Assuria updates the database on receipt of vendor advisories and other available sources. The Assuria Auditor database is periodically updated (monthly updates) with the new information and product updates including the new content made available to users via the online product update process.

6) Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability's mappings to reflect a newly released CVE version (recommended):

Assuria updates the product database with new CVE / CVE candidates when received and updates the Assuria Auditor database as soon as possible after a list of CVE name is available via the online product update process.
Documentation Questions

7) CVE and Compatibility Documentation<CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

CVE information is provided within the Policy Navigator Help files. HELP .-> Policy Navigator -> "Platform" => Check / Policy. The user can search on CVE /CAN or a specific CVE number.

8) Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability's repository (required):

CVE names and brief description are included with the Reports and as Hyperlinks within the Policy Navigator. An example check output is included below:

Example Report output Check: win-user32-control-bo

Type once-only

Risk Level High

Brief Description Microsoft Windows User32.dll ListBox and ComboBox controls buffer overflow

Detailed Description Microsoft Windows is vulnerable to a buffer overflow in a function in the User32.dll file, caused by improper validation of Windows messages. This vulnerable function is called by both the ListBox and ComboBox controls. By running a program that sends a specially-crafted Windows message to an application that uses the ListBox or ComboBox control, a local attacker could overflow a buffer and execute arbitrary code on the system with elevated privileges.

Remedy Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS03-045.

CVE Reference(s)
CAN-2003-0659 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0659> : Buffer overflow in a function in User32.dll on Windows NT through Server 2003 allows local users to execute arbitrary code via long messages to the (1) ListBox (2) ComboBox controls in a privileged application.

Reference(s)
Microsoft Security Bulletin MS03-045 <http://www.microsoft.com/technet/security/bulletin/ms03-045.mspx> : Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141)
CERT Advisory CA-2003-27 <http://www.cert.org/advisories/CA-2003-27.html> : Multiple Vulnerabilities in Microsoft Windows and Exchange
CERT Vulnerability Note VU#967668 <http://www.kb.cert.org/vuls/id/967668> : Microsoft Windows ListBox and ComboBox controls vulnerable to buffer overflow when supplied crafted Windows message
BugTraq Mailing List, Wed Oct 15 2003 - 19:47:06 CDT <http://archives.neohapsis.com/archives/bugtraq/2003-10/0175.html> : Listbox And Combobox Control Buffer Overflow
SecuriTeam Mailing List, Windows NT focus 19 Oct 2003 <http://www.securiteam.com/windowsntfocus/6L00I2K8KY.html> : ListBox and ComboBox Control Buffer Overflow (Technical Details)
SecuriTeam Mailing List, Security Holes & Exploits 16 Nov 2003 <http://www.securiteam.com/exploits/6W00E1P8VA.html> : ListBox and ComboBox Control Buffer Overflow (Exploit)
CIAC Information Bulletin O-009 <http://www.ciac.org/ciac/bulletins/o-009.shtml> : Microsoft Listbox and ComboBox Control Buffer Overrun Vulnerabilities
Packet Storm Web site <http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=boomerang.tgz&type=archives&%5Bsearch%5D.x=32&%5Bsearch%5D.y=8> : boomerang.tgz

 

9) Documentation of Finding CVE Names Using Elements <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability's repository (required):

CVE names with links to the CVE website are displayed in the Reports and Policy Navigators. Reports can be ordered (sorted) by CVE number.
Candidate Support Questions

11) Candidates Versus Entries Indication <CR_6.1>

If CVE candidates are supported or used, explain how you indicate that candidates are not accepted CVE entries (required):

The Assuria Console database uses CVE candidate (CAN) names. The CAN- prefix is used for all candidates to differentiate them from CVE entries that use the CVE- prefix. Is this now relevant?

12) Candidates Versus Entries Explanation <CR_6.2>

If CVE candidates are supported or used, explain where and how the difference between candidates and entries is explained to your customers (recommended):

The CVE name links directly to the CVE online database and the candidate information is shown at the top of the page.

13) Candidate to Entry Promotion <CR_6.3>

If CVE candidates are supported or used, explain your policy for changing candidates into entries within your capability and describe where and how this is communicated to your customers (recommended):

Assuria subscribes to the CVE mailing lists. Our policy is to update the product database as new information and updates are received. Customers are not specifically informed of each change as this is automatically included into the product via the automatic update process.

14) Candidate and Entry Search Support <CR_6.4>

If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's ability to look for candidates and entries by using just the YYYY-NNNN portion of the CVE names (recommended):

Within the Policy Navigators the user can use the search feature to locate information relating to any or specific CVE or CAN entries.

15) Search Support for Promoted Candidates <CR_6.5>

If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's support for retrieving the CVE entry for a candidate that is no longer a candidate (recommended):

Our database maintains the latest mapping of CVE and CAN information and can be searched, by Platform, using the Policy Navigators.

16) Candidate Mapping Currency Indication <CR_6.6>

If CVE candidates are supported or used, explain where and how a customer can find the explanation of your search function's ability to look for candidates and entries by using just the YYYY-NNNN portion of the CVE names (recommended):

At Assuria we strive to keep the database up to date. Before product updates are made available to customers a reconciliation of the product database and CVE data is undertaken.

Type-Specific Capability Questions

Tool Questions

17) Finding Tasks Using CVE Names <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (required):

The Assuria Auditor console supports full-text searches for vulnerability information, including CVE references. Each vulnerability, with a corresponding CVE ,has an associated "help" page, which contains remediation information for that vulnerability.

18) Finding CVE Names Using Elements in Reports <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):

CVE names are included in the 'CVE references' section in the standard Assuria Auditor report. As shown below.

Example output for an Assuria Auditor Check

Check Risk level Brief description

MS02-064 Medium Windows 2000 weak system partition permissions

Description

Microsoft Windows 2000 systems have weak default permissions on the system partition. The system partition is assigned Everyone/Full Control permissions by default. This could allow a POSIX compatible local attacker with Full Control NTFS permissions to delete any file from the system partition and replace it with a Trojan Horse. Once another user logs onto the system, the Trojan Horse could be made to execute with the same privileges as the logged on user.

CVE references

BID-5415 - Microsoft Windows 2000 Insecure Default File Permissions Vulnerability CAN-2002-1184 - The system root folder of Microsoft Windows 2000 has default permissions of Everyone group with Full access (Everyone:F) and is in the search path when locating programs during login or application launch from the desktop, which could allow attackers to gain privileges as other users via Trojan horse programs.

Vulnerability detail

19) Getting a List of CVE Names Associated with Tasks <CR_A.2.4>

Give detailed examples and explanations of how a user can obtain a listing of all of the CVE names that are associated with the tool's tasks (recommended):

Vulnerability reports can be ordered by CVE number
Media Questions

31) Electronic Document Format Info <CR_B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):

Vulnerability information is presented in HTML form and can be searched using the full-text search mechanism in the GUI.

32) Electronic Document Listing of CVE Names <CR_B.3.2>

If one of the capability's standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):

From vulnerability check 'win-hsc-hcp-bo'

CVE Reference(s)
CAN-2003-0605 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0605> : The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function.
CAN-2003-0528 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0528> : Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0715.
CAN-2003-0715 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0715> : Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CAN-2003-0352 (Blaster/Nachi) and CAN-2003-0528.

Graphical User Interface (GUI)

34) Finding Elements Using CVE Names Through the GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability's elements by looking for their associated CVE name(s) (required):

The built-in HTML Help viewer allows for full-text searches. The user may search for an element using the CVE name.

35) GUI Element to CVE Name Mapping <CR_B.4.2>

Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability's elements, also describe the format of the mapping (required):

CVE names are listed under the "CVE Reference(s)" section in the check help.
Questions for Signature

37) Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Nick Connor

Title: Managing Director

38) Statement of Accuracy <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability's Repository and the CVE entries our capability identifies."

Name: Chris Wood

Title: Engineering Manager

39) Statement on False-Positives and False-Negatives <CR_A.2.8 and/or CR_A.3.5>

FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."

Name: Chris Wood

Title: Engineering Manager

Page Last Updated or Reviewed: September 08, 2017