[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: speaking of hardware CVEs
- To: Kurt Seifried <kseifried@redhat.com>, cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
- Subject: Re: speaking of hardware CVEs
- From: Art Manion <amanion@cert.org>
- Date: Mon, 13 Mar 2017 13:36:19 -0400
- Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=cert.org;
- Delivery-date: Mon Mar 13 13:50:59 2017
- In-reply-to: <CANO=Ty09VEAZQwjRA-NZ=Mj1Dj4Z1XYWmg_1K+68Pqvzc87Phg@mail.gmail.com>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <CANO=Ty09VEAZQwjRA-NZ=Mj1Dj4Z1XYWmg_1K+68Pqvzc87Phg@mail.gmail.com>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
On 3/10/17 10:06 PM, Kurt Seifried wrote: > This timely article is > out: > https://www.cylance.com/en_us/blog/uefi-ransomware-full-disclosure-at-black-hat-asia.html > seems like some UEFI implementations are lacking basic security > checks/best practices, I would think failing to sue those things > should > be CVE worthy in the modern world. I didn't read the Cylance page carefully, but there have been issues with BIOS/UEFI vulnerabilities that I'll argue are *software* and CVE-worthy. BIOS is software. On 3/12/17 11:59 PM, jericho wrote: > CVE has largely said they will not create for default credentials, > even > when it means complete administrative access to the app/device/OS > [1]. If > that isn't CVE-worthy, then "missing other best practices" doesn't > seem > like it would qualify either. Getting into the "lacking basic security" discussion, I'll argue that "insecure default configuration" should warrant a CVE in some cases (open ACLs on squid a long time ago, maybe mongoDB and memcached today, and yes, default/shared/hard-coded credentials when the vendor knows quite well in advance that the thing will be on the internet). Vulnerabilities are also about surprise/expectations and interaction with (changing) environment; vulnerabilities aren't purely technical. I know, unsatisfying in an engineering sense, and changing the definition of "vulnerability that gets a CVE ID" makes the corpus messy. Classification is messy, the world (and thinking about the world) changes, Pluto is a planet, Apatosaurus is not Brontosaurus. - Art
- Follow-Ups:
- RE: speaking of hardware CVEs
- From: "Coffin, Chris" <ccoffin@mitre.org>
- RE: speaking of hardware CVEs
- References:
- speaking of hardware CVEs
- From: Kurt Seifried <kseifried@redhat.com>
- speaking of hardware CVEs
- Prev by Date: Re: speaking of hardware CVEs
- Next by Date: RE: speaking of hardware CVEs
- Previous by thread: Re: speaking of hardware CVEs
- Next by thread: RE: speaking of hardware CVEs
- Index(es):
