What is sufficient detail for a CVE vulnerability?



Adam Shostack said:

>| Candidate: CAN-1999-0248
>| Published:
>| Final-Decision:
>| Interim-Decision:
>| Modified:
>| Announced: 19990728
>| Assigned: 19990607
>| Category: SF
>|
>| sshd 1.2.17 can be compromised through the SSH protocol.
>|
>
>| VOTE: modify http://oliver.efri.hr/~crv/security/bugs/mUNIXes/ssh2.html
>looks to me to be about the correct message that came from Tatu.
>There are comments in changelog: * Improved the security of
>auth_input_request_forwarding().
>
>I'm not in favor of moving this forward without additional detail, but
>thought I'd add a confirming URL and comment.  We have insufficient
>detail to accept it as a CVE.

There are a number of other candidates like this, where there is very
little detail available.  But in this case, I believe it's
sufficiently verified that there is *some* sort of vulnerability; we
just don't know what.  I will be proposing CAN-1999-0001 shortly,
which has a similar problem.  When I get a chance, I'll try to find
some other examples.

Some software vendors are quite secretive about the nature of
vulnerabilities that they discover on their own, especially if there
isn't evidence that it's known to anyone else.  But they will confirm
that there's a vulnerability.

There is a tension here between the sysadmin perspective (i.e. wanting
to know about what vulnerabilities may be on their system) and the
perspective of having mature, publicly known information.  The
sysadmin perspective argues for inclusion in the CVE, but the maturity
perspective argues for exclusion.  Which should be preferred?  There's
also the tension between precision and completeness.  We can't be very
precise about the nature of this particular vulnerability, but on the
other hand, leaving out a confirmed vulnerability will render the CVE
incomplete.

I think that if a vulnerability is confirmed by the software vendor,
then that should be sufficient for inclusion in the CVE (at the very
least, as a candidate that remains in Proposal phase).  If the security
tool vendors are taken to task for not detecting that particular CVE,
then they will have a strong argument (as confirmed by Editorial Board
discussions and/or candidate annotations?) that they cannot perform
that detection because there is not sufficient information available.

In the short term, I don't think we'll be able to get away from the
fact that some information sources will not provide sufficient
vulnerability information even for a good description in the CVE.  But
as long as the description is distinctive - as it is in the above
candidate, using the SSH version number - then there is some record
that a vulnerability does exist.

- Steve

Page Last Updated or Reviewed: May 22, 2007