[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: upcoming intel issue

To: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
Subject: Re: upcoming intel issue
From: Kurt Seifried <kseifried@redhat.com>
Date: Wed, 3 Jan 2018 19:28:28 -0700
Authentication-results: spf=none (sender IP is 198.49.146.235) smtp.mailfrom=LISTS.MITRE.ORG; imc.mitre.org; dkim=none (message not signed) header.d=none;imc.mitre.org; dmarc=fail action=none header.from=redhat.com;
Cc: "Coffin, Chris" <ccoffin@mitre.org>, Kurt Seifried <kurt@seifried.org>, Art Manion <amanion@cert.org>, "Landfield, Kent" <Kent_Landfield@mcafee.com>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Delivery-date: Thu Jan 4 07:57:18 2018
In-reply-to: <7748E4BAEC3B964387F3535351DCBA1F01154572CF@D2ASEPREA010>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <CABqVa3-+RnbeTMamFGSXJ8s+7E=Q+PkMDPUYmtdjjey3DZpC0g@mail.gmail.com> <04FBEC57-6834-46C3-B010-8F1105414BF0@mcafee.com> <alpine.LNX.2.00.1801031553470.6952@forced.attrition.org> <9cdfef90-3dc7-960d-b050-9913f2c077a4@cert.org> <2d4f623e-8245-8cc1-4730-6cb1bd3a007a@cert.org> <7748E4BAEC3B964387F3535351DCBA1F011545723D@D2ASEPREA010> <CABqVa3-CVyd4kB2PpiX7YqHLFEgkV+0tSyj-2fTk9JL15SFLvw@mail.gmail.com> <BL0PR0901MB24209A333358CF3BA8CC03D3A11E0@BL0PR0901MB2420.namprd09.prod.outlook.com> <7748E4BAEC3B964387F3535351DCBA1F01154572CF@D2ASEPREA010>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 5952c28dcc454f0789fb433d26f936ef
Spamdiagnosticoutput: 1:2

Just a note at least one of my emails got bounced by mcafee's system
as spam. Not sure if anyone else's system ate it.

On Wed, Jan 3, 2018 at 4:53 PM, Millar, Thomas 
<Thomas.Millar@hq.dhs.gov> wrote:
> Yes to all that.
>
>
>
> Tom Millar, US-CERT
>
> Sent from +1-202-631-1915
> https://www.us-cert.gov
>
> ________________________________
> From: Coffin, Chris
> Sent: Wednesday, January 03, 2018 11:46:59 PM
> To: Kurt Seifried; Millar, Thomas
> Cc: Art Manion; Landfield, Kent; cve-editorial-board-list
> Subject: RE: upcoming intel issue
>
> Agree that this is worthy of a discussion, special handling, and 
> probably
> some documented guidelines. One thought is that the CNA should 
> identify
> issues that affect other vendors and notify/coordinate where 
> appropriate, or
> at the very least contact their parent CNA so that they can share the
> reserved CVE ID and some limited bit of detail.
>
>
>
> It used to be the case that MITRE handled issue like this once public,
> though we have moved away from that in the past few years.
>
>
>
> Regards,
>
>
>
> Chris
>
>
>
>
>
> From: owner-cve-editorial-board-list@lists.mitre.org
> [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
> Kurt
> Seifried
> Sent: Wednesday, January 3, 2018 5:35 PM
> To: Millar, Thomas <Thomas.Millar@hq.dhs.gov>
> Cc: Art Manion <amanion@cert.org>; jericho <jericho@attrition.org>;
> Landfield, Kent <Kent_Landfield@mcafee.com>; cve-editorial-board-list
> <cve-editorial-board-list@lists.mitre.org>
> Subject: Re: upcoming intel issue
>
>
>
> So some challenges with this one:
>
>
>
> 1) it is multiple issues
>
> 2) it affects multiple vendors at the root cause level
>
> 2) it affects multiple vendors with workaround/fix (e.g.... all the 
> OSs,
> sigh)
>
>
>
> So yes it is correct to say that these 3 CVE's were from Intel's CNA 
> and
> thus "owned" by Intel, but it's clear that literally every OS vendor 
> on the
> planet that runs on x86 (and some others...) is going to need to deal 
> with
> this, so from that perspective I think one could argue for more 
> community
> "ownership" of the CVEs.
>
>
>
> I know this is a challenge the DWF faces (e.g. Linux Kernel, glibc, 
> lots of
> projects that are used by literally everyone), the best way I 
> can/could
> think of to fix this was the JSON format with per vendor/product 
> statements
> so everyone can have their own cake on their own table as it were.
>
>
>
> I also know MITRE has poked me in past for high visibility CVEs, and I
> generally agree with this, so perhaps some guidelines should be 
> created,
> e.g. around severity/popularity/impact (e.g. CVSS score of 9.0 or 
> higher and
> more than 10 million affected instances should be high priority, or 
> if it
> hits cnn.com AND the BBC AND Reuters... and if the original CNA 
> doesn't get
> it in quickly some other CNA is allowed to).
>
>
>
>
>
>
>
>
>
>
>
> On Wed, Jan 3, 2018 at 4:17 PM, Millar, Thomas 
> <Thomas.Millar@hq.dhs.gov>
> wrote:
>
> https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
>
> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org
> [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
> Art
> Manion
> Sent: Wednesday, January 3, 2018 17:51
> To: jericho <jericho@attrition.org>; Landfield, Kent
> <Kent_Landfield@McAfee.com>
> Cc: cve-editorial-board-list 
> <cve-editorial-board-list@LISTS.MITRE.ORG>
> Subject: Re: upcoming intel issue
>
> On 1/3/18 5:25 PM, Art Manion wrote:
>
>> So first, what is the vulnerability (or vulnerabilities) -- things 
>> that
>> warrant a CVE ID, and second who is responsible for assigning IDs?
>
> https://meltdownattack.com/
>
> CVE-2017-5715 CVE-2017-5753 CVE-2017-5754
>
> Not immediately populated, so not sure what the distinctions are.
>
>   - Art
>
>
>
>
>
> --
>
> Kurt Seifried
> kurt@seifried.org



-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Follow-Ups:
- Re: upcoming intel issue
  - From: "Landfield, Kent" <Kent_Landfield@McAfee.com>

References:
- upcoming intel issue
  - From: Kurt Seifried <kurt@seifried.org>
- Re: upcoming intel issue
  - From: "Landfield, Kent" <Kent_Landfield@McAfee.com>
- Re: upcoming intel issue
  - From: jericho <jericho@attrition.org>
- Re: upcoming intel issue
  - From: Art Manion <amanion@cert.org>
- Re: upcoming intel issue
  - From: Art Manion <amanion@cert.org>
- RE: upcoming intel issue
  - From: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
- Re: upcoming intel issue
  - From: Kurt Seifried <kurt@seifried.org>
- RE: upcoming intel issue
  - From: "Coffin, Chris" <ccoffin@mitre.org>
- RE: upcoming intel issue
  - From: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>

Prev by Date: RE: upcoming intel issue
Next by Date: Re: upcoming intel issue
Previous by thread: RE: upcoming intel issue
Next by thread: Re: upcoming intel issue
Index(es):
- Date
- Thread