
RE: An example of hardware/software vulns - GPUs



I think my main goal in having a category of hardware vulnerabilities 
covered by CVE would merely be to ensure that manufacturing or design 
issues that cannot be addressed with complete confidence by a software 
change are enumerated so that security teams can know they have a 
problem that will require a shipping invoice to properly fix, so to 
speak.

-----Original Message-----
From: kseifried@redhat.com [mailto:kseifried@redhat.com] 
Sent: Thursday, July 13, 2017 10:44 AM
To: Millar, Thomas <Thomas.Millar@hq.dhs.gov>; Kent Landfield 
<bitwatcher@gmail.com>
Cc: Art Manion <amanion@cert.org>; Kurt Seifried <kurt@seifried.org>; 
cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Subject: Re: An example of hardware/software vulns - GPUs



On 07/13/2017 08:17 AM, Millar, Thomas wrote:
> So the answer turns out to be that if we want greater coverage of true
> hardware vulnerabilities, we need to figure out how to include exactly
> what needs to be covered in the Counting Rules definitions and then
> update the documentation. I think Kurt’s point about tolerances
> inherited from product standards and/or marketing pronouncements is a
> reasonable starting point.

I'd also like to posit that DoS is a much broader category than, say, 
"privilege escalation" for physical things and that we might want to 
specifically state that "due to the ability to physically smash/inject 
glue into/wrap in duct tape the category of attacks that result in 
physical DoS of a given object or system must show some property that 
allows an attacker to very easily achieve this goal or the DoS is 
especially severe and threatening and take it on a case-by-case basis.
And we might end up with a bunch of CVEs for attacks that can't easily 
be addressed/fixed, but at least people might be more aware of the 
risks involved and take other measures.


-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: July 13, 2017