[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CVE for hosted services

To: Kurt Seifried <kseifried@redhat.com>, Art Manion <amanion@cert.org>
Subject: RE: CVE for hosted services
From: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
Date: Fri, 24 Feb 2017 16:03:16 +0000
Accept-language: en-US
Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=hq.dhs.gov;
Cc: jericho <jericho@attrition.org>, "Booth, Harold (Fed)" <harold.booth@nist.gov>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Delivery-date: Fri Feb 24 11:44:37 2017
In-reply-to: <CANO=Ty2BR-h-2BO-HnqYTt0V8YTmfA_D3dYAaPpjh9iO_bvi1g@mail.gmail.com>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <A4305A50-AD19-4025-842E-D89337B8269C@cisco.com> <379DDB8A-F1D2-4E4B-9307-CFBFDB0521F5@intel.com> <8942442A-17E2-4EEB-9943-648F27125AA6@cisco.com> <079d4575-d5ef-be7c-bdfb-f817e625b02e@cert.org> <CANO=Ty052fUY+BUC2zziFeiJ=cBPQWUbQozm-9ymKDkBuxo2Xg@mail.gmail.com> <ad8435b9-ba08-a5ee-25ef-cf314c75e0e5@cert.org> <1487797534.7382.18.camel@cerias.purdue.edu> <alpine.LNX.2.00.1702221518090.19881@forced.attrition.org> <d78f00cb-280e-a674-9264-edf9ed3b4507@cert.org> <CY4PR09MB1255385CC89FEF05C100E83BE6530@CY4PR09MB1255.namprd09.prod.outlook.com> <alpine.LNX.2.00.1702231801000.19881@forced.attrition.org> <4689d956-c638-b3cc-94cb-1e877c5dc64d@cert.org>,<CANO=Ty2BR-h-2BO-HnqYTt0V8YTmfA_D3dYAaPpjh9iO_bvi1g@mail.gmail.com>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
Spamdiagnosticoutput: 1:2
Thread-index: AQHSh8Aj1e59GSRwMUG57Y4RbN3D2aFqdf6AgABamYCAAR9IAIAIQX6AgAGqPYCAAAeIAIAAA8oAgAAFkYCAAQuaAIAAr76AgAA66ICAAMtlgP//sWEI
Thread-topic: CVE for hosted services

How do I use a CVE for a service vuln to check if my environment was affected and if so, that my ops have applied the proper remedies?

Tom Millar, US-CERT

Sent from +1-202-631-1915
https://www.us-cert.gov

From: owner-cve-editorial-board-list@lists.mitre.org on behalf of Kurt Seifried
Sent: Friday, February 24, 2017 3:44:39 PM
To: Art Manion
Cc: jericho; Booth, Harold (Fed); cve-editorial-board-list
Subject: Re: CVE for hosted services

So uhh I'll just leave this example here:

https://www.google.ca/search?q=cloudflare+cloudbleed

I know for example on the CloudSecurityAlliance side I now need to forcibly reset every password for all our websites, and look at the third parties we do auth from (e.g. FaceBook/Linkedin) to see if they are affected (not that there is much we can do other than notify people).

On Thu, Feb 23, 2017 at 8:36 PM, Art Manion <amanion@cert.org> wrote:

On 2017-02-23 19:05, jericho wrote:

> https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
>
> Harold, how would you write a CVE-ish description of this, in the context
> of moving CVE to site-specific issues? The service and info disclosed is
> the easy part. Then what? Do you also mention some of the services that
> use Cloudflare? Some businesses may know, where individuals do not (e.g.
> 1Password is hosted on it). What date range do you put down for this? You
> know the fix date, but not the start date. This goes back to the problem
> of making such entries useful to companies trying to determine risk.

Not answering your question, but:

This issue should get a CVE ID so the world can talk about it and have
confidence they're talking about the same "it." The description might
be tricky, but the description is primarily to catalog/de-duplicate, not
to help assess risk.

CVE is lower layer of infrastructure. Someone else (NVD, CVSS, RBS,
CERT, a CloudFlare customer) can add to the severity/risk assessment.

- Art

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Follow-Ups:
- Re: CVE for hosted services
  - From: Kurt Seifried <kurt@seifried.org>
- Re: CVE for hosted services
  - From: Art Manion <amanion@cert.org>

References:
- CVE for hosted services
  - From: "Andy Balinsky (balinsky)" <balinsky@cisco.com>
- Re: CVE for hosted services
  - From: "Landfield, Kent B" <kent.b.landfield@intel.com>
- Re: CVE for hosted services
  - From: "Andy Balinsky (balinsky)" <balinsky@cisco.com>
- Re: CVE for hosted services
  - From: Art Manion <amanion@cert.org>
- Re: CVE for hosted services
  - From: Kurt Seifried <kseifried@redhat.com>
- Re: CVE for hosted services
  - From: Art Manion <amanion@cert.org>
- Re: CVE for hosted services
  - From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Re: CVE for hosted services
  - From: jericho <jericho@attrition.org>
- Re: CVE for hosted services
  - From: Art Manion <amanion@cert.org>
- RE: CVE for hosted services
  - From: "Booth, Harold (Fed)" <harold.booth@nist.gov>
- RE: CVE for hosted services
  - From: jericho <jericho@attrition.org>
- Re: CVE for hosted services
  - From: Art Manion <amanion@cert.org>
- Re: CVE for hosted services
  - From: Kurt Seifried <kseifried@redhat.com>

Prev by Date: Re: CVE for hosted services
Next by Date: Re: CVE for hosted services
Previous by thread: Re: CVE for hosted services
Next by thread: Re: CVE for hosted services
Index(es):
- Date
- Thread