
Re: CVE ID Syntax Vote - results and next steps

On Thu, 18 Apr 2013, Art Manion wrote:

: What caused me to reconsider was the idea of more and more active CNAs.  
: Now, MITRE is careful to hand out modest allocations of IDs, generally 
: sequentially, to dozens(?) of CNAs.  I don't think there's much waste.
: What I wanted to future-proof is the world with more CNAs (100s?) with 
: more assignment authority (like a modulo slice or big sequential block 
: of the year's CVE ID space).  In this world, there still may not 
: be more than 1M CVE IDs published per year, but there may be more than 
: 1M CVE IDs allocated to CNAs.  Allocation != publication.

This is a fair point. I do not know a lot about how CNAs run other than 
the overall process. I certainly hope that a CNA is not granted a big pool 
unless they demonstrate they need it. Such a demonstration should only be 
valid if they actually issue that many valid CVEs, and request more during 
the same year.

: Another future scale issue:  Automated ways to find vulnerabilities 
: could overwhelm the current 10K/year human-scale size of the problem.

That is the primary example Carsten Eiram and I offer. A system where an 
automated code analysis tool can essentially auto-assign a CVE for each 
one found. We know the current state of this would mean an incredible 
number of false positives, so I can't see anyone arguing that CVE should 
ever move away from some level of manual review for assignment.

Unless a company demonstrates a scanner that is > 90% accurate, that 
absolutely should not happen. Even then, if we're seeing a CVE assigned to 
every valid vulnerability, no matter what the exploitation criteria are, 
then we're also ignoring the current policy of grouping similar 
vulnerabilities in similar versions. That also works against the argument 
we're putting forth saying "maybe 1MIL can be reached".

In 14 years, we have a single example of a non-MITRE CNA issuing a 
significant number of identifiers, and that is Kurt Seifried of RedHat. 
Even with the *incredible* amount of hours he spends on it, he too has 
said "I can't keep up in some situations". This is no insult to him by any 
means, it is a basic truth. When Debian gave him a list of several hundred 
vulnerabilities without an ID, he said "yeah, not happening" and asked 
they be posted individually to oss-sec for consideration. When I gave 
Steve Christey / MITRE a list of ~260 vulnerabilities from January 2013 
that had no identifier, he too said "not happening".

I do not blame either one, but it illustrates the current model of CVE, 
and illustrates the problem with manpower and identifier assignment. 14 
years and no 10k barrier breached, with CVE and CNAs saying "we can't keep 
up" moving forward, and the project actually moving into a position to 
assign about the same number as previous years, if not less. I don't see a 
1MIL scenario happening unless CVE changes policy completely. If they do, 
then CVE also becomes entirely worthless and I don't care what barrier 
they hit, because most of the industry would drop them quickly.

Page Last Updated or Reviewed: October 03, 2014