[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: upcoming intel issue

I also received an undeliverable for Kent's McAfee address yesterday.

The Intel CNA provided the details and the CVEs were added to the 
master list this morning.

http://cvedev1.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
http://cvedev1.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://cvedev1.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

Chris 

-----Original Message-----
From: Landfield, Kent [mailto:Kent_Landfield@McAfee.com] 
Sent: Wednesday, January 3, 2018 8:31 PM
To: Kurt Seifried <kseifried@redhat.com>
Cc: Millar, Thomas <Thomas.Millar@hq.dhs.gov>; Coffin, Chris 
<ccoffin@mitre.org>; Kurt Seifried <kurt@seifried.org>; Art Manion 
<amanion@cert.org>; cve-editorial-board-list 
<cve-editorial-board-list@lists.mitre.org>
Subject: Re: upcoming intel issue

Interesting... I seem to be getting them.

Kent Landfield
Kent_Landfield@McAfee.com
+1.817.637.8026

> On Jan 3, 2018, at 8:28 PM, Kurt Seifried <kseifried@redhat.com> 
> wrote:
> 
> Just a note at least one of my emails got bounced by mcafee's system 
> as spam. Not sure if anyone else's system ate it.
> 
>> On Wed, Jan 3, 2018 at 4:53 PM, Millar, Thomas 
>> <Thomas.Millar@hq.dhs.gov> wrote:
>> Yes to all that.
>> 
>> 
>> 
>> Tom Millar, US-CERT
>> 
>> Sent from +1-202-631-1915
>> https://www.us-cert.gov
>> 
>> ________________________________
>> From: Coffin, Chris
>> Sent: Wednesday, January 03, 2018 11:46:59 PM
>> To: Kurt Seifried; Millar, Thomas
>> Cc: Art Manion; Landfield, Kent; cve-editorial-board-list
>> Subject: RE: upcoming intel issue
>> 
>> Agree that this is worthy of a discussion, special handling, and 
>> probably some documented guidelines. One thought is that the CNA 
>> should identify issues that affect other vendors and 
>> notify/coordinate where appropriate, or at the very least contact 
>> their parent CNA so that they can share the reserved CVE ID and some 
>> limited bit of detail.
>> 
>> 
>> 
>> It used to be the case that MITRE handled issue like this once 
>> public, though we have moved away from that in the past few years.
>> 
>> 
>> 
>> Regards,
>> 
>> 
>> 
>> Chris
>> 
>> 
>> 
>> 
>> 
>> From: owner-cve-editorial-board-list@lists.mitre.org
>> [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
>> Kurt Seifried
>> Sent: Wednesday, January 3, 2018 5:35 PM
>> To: Millar, Thomas <Thomas.Millar@hq.dhs.gov>
>> Cc: Art Manion <amanion@cert.org>; jericho <jericho@attrition.org>; 
>> Landfield, Kent <Kent_Landfield@mcafee.com>; 
>> cve-editorial-board-list 
>> <cve-editorial-board-list@lists.mitre.org>
>> Subject: Re: upcoming intel issue
>> 
>> 
>> 
>> So some challenges with this one:
>> 
>> 
>> 
>> 1) it is multiple issues
>> 
>> 2) it affects multiple vendors at the root cause level
>> 
>> 2) it affects multiple vendors with workaround/fix (e.g.... all the 
>> OSs,
>> sigh)
>> 
>> 
>> 
>> So yes it is correct to say that these 3 CVE's were from Intel's CNA 
>> and thus "owned" by Intel, but it's clear that literally every OS 
>> vendor on the planet that runs on x86 (and some others...) is going 
>> to need to deal with this, so from that perspective I think one 
>> could 
>> argue for more community "ownership" of the CVEs.
>> 
>> 
>> 
>> I know this is a challenge the DWF faces (e.g. Linux Kernel, glibc, 
>> lots of projects that are used by literally everyone), the best way 
>> I 
>> can/could think of to fix this was the JSON format with per 
>> vendor/product statements so everyone can have their own cake on 
>> their own table as it were.
>> 
>> 
>> 
>> I also know MITRE has poked me in past for high visibility CVEs, and 
>> I generally agree with this, so perhaps some guidelines should be 
>> created, e.g. around severity/popularity/impact (e.g. CVSS score of 
>> 9.0 or higher and more than 10 million affected instances should be 
>> high priority, or if it hits cnn.com AND the BBC AND Reuters... and 
>> if the original CNA doesn't get it in quickly some other CNA is 
>> allowed to).
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> On Wed, Jan 3, 2018 at 4:17 PM, Millar, Thomas 
>> <Thomas.Millar@hq.dhs.gov>
>> wrote:
>> 
>> https://googleprojectzero.blogspot.com/2018/01/reading-privileged-mem
>> ory-with-side.html
>> 
>> -----Original Message-----
>> From: owner-cve-editorial-board-list@lists.mitre.org
>> [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
>> Art Manion
>> Sent: Wednesday, January 3, 2018 17:51
>> To: jericho <jericho@attrition.org>; Landfield, Kent 
>> <Kent_Landfield@McAfee.com>
>> Cc: cve-editorial-board-list 
>> <cve-editorial-board-list@LISTS.MITRE.ORG>
>> Subject: Re: upcoming intel issue
>> 
>>> On 1/3/18 5:25 PM, Art Manion wrote:
>>> 
>>> So first, what is the vulnerability (or vulnerabilities) -- things 
>>> that warrant a CVE ID, and second who is responsible for assigning 
>>> IDs?
>> 
>> https://meltdownattack.com/
>> 
>> CVE-2017-5715 CVE-2017-5753 CVE-2017-5754
>> 
>> Not immediately populated, so not sure what the distinctions are.
>> 
>>  - Art
>> 
>> 
>> 
>> 
>> 
>> --
>> 
>> Kurt Seifried
>> kurt@seifried.org
> 
> 
> 
> --
> 
> Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 
> 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security 
> contact: secalert@redhat.com
Page Last Updated or Reviewed: January 04, 2018