
RE: Level of Abstraction Issue: Similar Applications, "Same" Vulnerability



>would be basing our decisions on observable characteristics.  With "same
>codebase", we have as you note some similar problems, plus too often we will
>not have access to the actual code and therefore will have to base feed our
>fuzzy (or whatever) decision process with guesses, thus compounding our
>problem.
>
>Bill

If we take the existing definition:

CVE-00344
NT users can gain debug-level access on a system process using the
Sechole exploit.

and apply the "same attack" approach to it, then anything that can allow
an NT user to gain debug-level access on a system process would be
considered the same as SecHole. Doesn't matter how they got it, where
they got it, or what process they got it from.

If we don't do some level of scrutiny, either on the codebase for the
attack, or the codebase of the vulnerable system, this is all we're left
with. Unless of course you decide we're only going to enumerate
network-based attacks and we're using the packet signature to define the
attack (for the purposes of comparing to other attacks). That would be,
however, a Common Attack Enumeration, not vulnerability enumeration.

Even then, we should not preclude the observation of available details
simply because they may not be widely available. The evolution of the
enumeration of species has been based on observable details, and as more
details became available, definitions were revised accordingly
(sometimes correctly, sometimes incorrectly).

While we may not be at the stage of Socrates, we're nowhere near DNA
testing or even the Dewey Decimal System.

If you want something that's simple, has fewer entries, and is less
subject to criticism, I'll shut up.

If instead you want to actually enumerate unique vulnerabilities, then
to make the decision in the beginning to preclude some verifiable data
(not conjecture or opinion) from the determination process is simply
flawed. It's just as flawed to presume there is a network signature to
see.

Out of curiosity, what does the group see as being an "average"
Candidate announcement? I can see us having to "guess" within the first
few days, but after that (and likely before we reach CVE status),
details of "most" vulnerabilities are going to include codebase details.

Cheers,
Russ - NTBugtraq Editor

Page Last Updated or Reviewed: May 22, 2007