|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: An example of hardware/software vulns - GPUs
- To: Art Manion <amanion@cert.org>, "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>, "kseifried@redhat.com" <kseifried@redhat.com>, Kent Landfield <bitwatcher@gmail.com>
- Subject: RE: An example of hardware/software vulns - GPUs
- From: "Coffin, Chris" <ccoffin@mitre.org>
- Date: Thu, 13 Jul 2017 18:12:27 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=mitre.org;
- Cc: Kurt Seifried <kurt@seifried.org>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
- Delivery-date: Thu Jul 13 15:56:30 2017
- In-reply-to: <da99b9bd-8313-23f3-02df-55b08cca6c16@cert.org>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <CABqVa38bvOMyz_NRtahUOFSsO_89NjYJ9C_nk2vvKrqMkFyzeQ@mail.gmail.com> <dedf2254-ddce-9d87-e4b1-139016fe0e5f@cert.org> <7748E4BAEC3B964387F3535351DCBA1F011535D9B2@D2ASEPREA010> <3F480F42-6FE5-4BDC-9F40-0C21EED241A7@gmail.com> <7748E4BAEC3B964387F3535351DCBA1F011535DAEB@D2ASEPREA010> <aabc6d44-8799-96a6-b90c-2949630b5a83@redhat.com> <7748E4BAEC3B964387F3535351DCBA1F011535DC3E@D2ASEPREA010> <da99b9bd-8313-23f3-02df-55b08cca6c16@cert.org>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 5952c28dcc454f0789fb433d26f936ef
- Spamdiagnosticoutput: 1:2
- Thread-index: AQHS+TLtTVJv5XgQFEa+m//a6/wOdKJRvQQAgAAC5oCAAAqnAIAACKWAgAAHPACAAAtvAIAAGdqAgAAMtjA=
- Thread-topic: An example of hardware/software vulns - GPUs
The most current vulnerability definition would be the following taken from the CNA Rules Appendix A. http://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf "A vulnerability in the context of the CVE Program is defined by the Counting Rules as listed in Appendix C. In general, a vulnerability is defined as a weakness in the computational logic (e.g., code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity, OR availability. Mitigation of the vulnerabilities in this context typically involves coding changes, but could also include specification changes or even specification deprecations (e.g., removal of affected protocols or functionality in their entirety)." If we decide to move forward, it would appear that this definition covers us for hardware-specific vulnerabilities. Does anyone think differently or believe that it needs significant changes? The counting rules themselves would likely need some tweaks as we refer to code and software in a few places. For example, CNT2.2A refers to the above definition and would not need to be changed, but CNT2.2B states "software" specifically. We also would need to change the Inclusion decisions to either tweak INC3 in regards to customer-controlled software, or add a new decision that would be inclusive of hardware. Regards, Chris -----Original Message----- From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Art Manion Sent: Thursday, July 13, 2017 11:57 AM To: Millar, Thomas <Thomas.Millar@hq.dhs.gov>; kseifried@redhat.com; Kent Landfield <bitwatcher@gmail.com> Cc: Kurt Seifried <kurt@seifried.org>; cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org> Subject: Re: An example of hardware/software vulns - GPUs On 7/13/17 11:24 AM, Millar, Thomas wrote: > I think my main goal in having a category of hardware vulnerabilities > covered by CVE would merely be to ensure that manufacturing or design > issues that cannot be addressed with complete confidence by a > software > change are enumerated so that security teams can know they have a > problem that will require a shipping invoice to properly fix, so to > speak. Yes -- if I have to replace hardware/silicon to fully remove a vulnerability, that should get a CVE ID. Or if instead of replacing I keep the (strictly) vulnerable hardware but apply microcode/firmware that mitigates the vulnerability -- CVE ID. I believe the current counting rules allow this, Kurt, do you disagree? Do we need to change the counting rules? - Art
- References:
- An example of hardware/software vulns - GPUs
- From: Kurt Seifried <kurt@seifried.org>
- Re: An example of hardware/software vulns - GPUs
- From: Art Manion <amanion@cert.org>
- RE: An example of hardware/software vulns - GPUs
- From: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
- Re: An example of hardware/software vulns - GPUs
- From: Kent Landfield <bitwatcher@gmail.com>
- RE: An example of hardware/software vulns - GPUs
- From: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
- Re: An example of hardware/software vulns - GPUs
- From: "kseifried@redhat.com" <kseifried@redhat.com>
- RE: An example of hardware/software vulns - GPUs
- From: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
- Re: An example of hardware/software vulns - GPUs
- From: Art Manion <amanion@cert.org>
- An example of hardware/software vulns - GPUs
- Prev by Date: Re: Atlassian follow-up
- Next by Date: CVE Board Meeting Minutes - 28 June 2017
- Previous by thread: Re: An example of hardware/software vulns - GPUs
- Next by thread: Re: An example of hardware/software vulns - GPUs
- Index(es):