
Re: Issues for configuration problems in the CVE



At 1:13 PM -0400 7/16/99, Steven M. Christey wrote:
>Gene Spafford wrote:
>
> >When I first had a student (Taimur Aslam) look at classifications of
> >problems, configuration errors fell out as one category.  However, we
> >found there were some ambiguities with user interface error, and
> >incorrect documentation.  If something is misconfigured because the
> >documentation is unclear (or wrong), is that a bug?  If so, where?  In
> >the software that doesn't match the documentation, or in the
> >documentation that doesn't match the software?
>
>I see why the question needs to be asked from a perspective of
>classification and explanation; however, I don't think this particular
>issue has much of an impact on the CVE.  The configuration problem
>exists because of something a user did, regardless of how the user did
>it or why they did it.  I believe that's sufficient for the CVE.
>
>- Steve

The documentation and online help message say "-s" is the security
mode switch. The user builds a config file to run with "-s".
However, it turns out that either the programmer got the logic
backwards, or the documentation is wrong, and "-s" turns the security
OFF. The result is a vulnerability.

Is that a bug or an operator error?

The system comes with default accounts with well-known passwords.
The operator does not notice these, and installs the system with the
accounts intact. This results in a vulnerability.

Is that an operator error?

The system comes with a program that installs patches. The vendor
releases a patch to a problem. The operator runs the program, and
in addition to installing the patch, it sets some directory
permissions and ownerships to new values that result in a
vulnerability.

Is that a bug or operator error?


In each case, "The configuration problem exists because of something
a user did, regardless of how the user did it or why they did it," so
I would assume you would classify them all as operator errors.
However, all three are also vulnerabilities that are in some sense
"built in" by the vendor.

I would argue that #2 is the only one that is directly a user error.
Problems that occur because the operator should have known better if
he/she had read documentation and security literature fall in this
category. Vulnerabilities that result from hidden features, bugs,
bad documentation of features, etc. are not.

Comments?

--spaf

Page Last Updated or Reviewed: May 22, 2007