[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: upcoming intel issue

On 1/3/18 4:57 PM, jericho wrote:

On Wed, 3 Jan 2018, Landfield, Kent wrote:

: On your second question, you have hit one of my sore points?  I am a
: vendor, Intel is a vendor, RedHat is a vendor.  I do not want ANYONE
: creating CVEs for my company?s issues except my PSIRT team.  Vendors
: need to be given the first opportunity and only if they officially 
have
: stated they are not going to issue an appropriate CVE in a clear and
: precise way, should anyone ever get in the way of their alerting their
: customers through an established advisory process.  There is NO
: first-come-first-served with an authorized CVE CNAs.  Period.

First, I understand your point completely and appreciate it. Second,
devil's advocate:

The first 24 hours of news coverage had the same bit; "Intel has not
responded to our request for comment". The Wired article published about
half an hour ago is the first I have seen to quote someone from Intel.
Meanwhile, Apple already patched via workaround in macOS over a month 
ago,
Linux patches have been public for some time, etc. A single article I 
have
seen has given this vuln a name (Chipzilla), meaning the last 24+ hours
this has been "the Intel bug" to some, "the Linux Kernel vulnerability" 
to
others. Since CVE was designed in part to give a single unique 
identifier,
it's worth discussing if high-profile issues w/o public vendor / CNA
reference should use a different assignment process.


Good discussion, but this is a tricky case.

There seem to be multiple attacks, one or more vulnerabilities, and 
different impacts depending on the hardware involved.

Yes, Intel (or any other vendor) should assign/populate CVE IDs for 
vendor-specific issues.

It's not clear that this is one (or more) Intel-specific issue.  My current 
understanding is that there is one "vulnerability" (some x86/x64 
architectures map kernel address space in user space), a variety of side channel 
attacks, and the impact is considerably worse on some Intel CPUs (read kernel 
memory) than other CPUs (bypass KASLR).

So first, what is the vulnerability (or vulnerabilities) -- things that 
warrant a CVE ID, and second who is responsible for assigning IDs?

I don't immediately know the guidance for a truly non-vendor-specific 
issue.  DWF, or MITRE, or a coordinator like CERT/CC?

 - Art
Page Last Updated or Reviewed: January 04, 2018