
RE: CNA Rules Announcement



On Mon, 10 Oct 2016, Monroe, Bruce wrote:

: Here's a good example and one that we just encountered internally. How
: about unquoted service path?
:
: https://web.nvd.nist.gov/view/vuln/search-results?query=unquoted+search+path&search_type=all&cves=on
:
: As you can see from the search results every vendor is assigning their
: own. We recently saw that and made an internal decision to do the same
: but it's effectively the same vulnerability repeated over lots of
: software.

More so because a majority of 'unquoted search path' privilege escalation
issues are NOT a vulnerability. Oftentimes they require some form of
administrative access to carry out the 'attack', and they aren't really
crossing privilege boundaries at that point.

: Challenges:
:
: - People assigning CVE's would have to look before assigning another
:   CVE. Not sure that would always happen...

MITRE is generally good about doing this, but they are restricted because
they can't see assignments made by CNAs that aren't public yet. Further,
if they are behind in monitoring a CNA's disclosure point, they may dupe
assign due to that race condition of sorts.

: - Listing would eventually grow to be enormous and I expect it would be
:   a bit of a pain to dig through...this one currently has 3 pages of
:   CVEs ;)

VulnDB has 61 entries with 'unquoted search path' in the title, 34 that do
not have a CVE. Based on the CVSS scores, only 1 of them was considered
valid.

: Agree we should be consistent in our approach, if we could come up with
: a simple, solid, easily repeatable way to reference a master CVE and
: pile on with "like" issues I'd be in favor of that approach, as long as
: it could be done without losing visibility of each sub-entry.

The 'easiest' way (said externally, knowing it is a lot more work for
MITRE) is to reference the other CVEs in the entry as someone previous
mentioned. They already do it for duplicate assignments (e.g. "REJECTED see
CVE-1234-5678"). They could carry this on as "MASTER see IDs 1,2,3,4,5 for
similar issues" in better language.

Brian
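As an added example that is not part of this thread, the following PowerShell audit makes the distinction drawn above concrete: it lists services whose image path is unquoted and contains a space, then reports whether any directory Windows would probe along that path is writable by a non-administrative principal, which is the only case where a privilege boundary is actually crossed. The list of privileged identities and the rights-name heuristic are assumptions of this example.

```powershell
# Added example (not from the thread): audit unquoted service image paths and
# flag only those where an unprivileged account could plant a binary on a
# directory Windows would probe. Run from an elevated prompt to read all ACLs.

# Assumed set of identities treated as already privileged (extend as needed).
$privileged = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller', 'CREATOR OWNER'
)

function Test-NonAdminWritable {
    param([string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($privileged -contains $rule.IdentityReference.Value) { continue }
        # Heuristic on the rights names: file-creation or broader write rights
        # count; WriteAttributes and AppendData (folder creation) do not.
        if ("$($rule.FileSystemRights)" -match '\b(Write|WriteData|CreateFiles|Modify|FullControl)\b') {
            return $true
        }
    }
    return $false
}

$services = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName }
foreach ($svc in $services) {
    $path = $svc.PathName.Trim()
    # Quoted paths and paths without spaces are not subject to this issue.
    if ($path.StartsWith('"') -or ($path -notmatch ' ')) { continue }
    # Drop trailing arguments: keep the portion up to and including ".exe".
    $exe = if ($path -match '^(.*?\.exe)') { $Matches[1] } else { $path }
    # Windows tries each prefix ending at a space (C:\Program.exe,
    # C:\Program Files\Some.exe, ...), so check the directory of each one.
    $parts = $exe -split ' '
    $exposed = @()
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidate = ($parts[0..($i - 1)] -join ' ')
        $dir = Split-Path -Path $candidate -Parent
        if ($dir -and (Test-NonAdminWritable -Directory $dir)) { $exposed += $dir }
    }
    # PrivilegeBoundaryCrossed is true only when a non-admin writer exists on the probe path.
    [pscustomobject]@{
        Service                  = $svc.Name
        RunsAs                   = $svc.StartName
        ImagePath                = $path
        PrivilegeBoundaryCrossed = ($exposed.Count -gt 0)
        WritableDirs             = (($exposed | Select-Object -Unique) -join ';')
    }
}
```

Entries with PrivilegeBoundaryCrossed set to False are the unquoted-path reports that, in the sense used above, need administrative access to exploit and so do not cross a boundary.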


Page Last Updated or Reviewed: October 11, 2016