Examples for Technical Issues in the CVE
Below are some specific CVE examples to illustrate some of the
technical issues that I plan to discuss this Sunday. I didn't release
them earlier because I didn't want to bog down the "bigger questions"
in details, but perhaps they can provide some food for thought.
Examples for some CVE technical issues
Most SA category vulnerabilities may not be a "vulnerability" from
some perspectives. Consider information gathering using CVE-00612,
CVE-00629, or CVE-00626. Nonetheless, many "restrictive" security
policies would consider them vulnerabilities, at least in some
CVE-00500 - not a vulnerability by some perspectives (assuming not a
critical system directory)
CVE-00497 - if "properly" configured, not a vulnerability by some
perspectives (note specific related CF category problems
e.g. CVE-00563 or CVE-00527).
"unfixable" design flaws are not included (e.g. Digital Unix 4.0
moving to stack-based execution), but "fixable" problems related to
design limitations are (e.g. Smurf, CVE-00513).
High cardinality vulnerabilities
The following entries are some of the high cardinality vulnerabilities
in CVE version 199904290013. Note they also may have level of
abstraction (LOA) problems.
CVE-00119 - should each buggy beta software package get its own entry?
What about "commonly used" or "prevalent" beta software?
CVE-00660 - rolls all post-compromise installed hacker utilities into
CVE-00586 - *any* network service could run on an unusual port, which
may not be accounted for by network filters
CVE-00559 - there are too many "critical" files or directories to
enumerate. But then who says what is "critical"? (Partial answer:
not the CVE.)
CVE-00537, CVE-00538 - too many different-but-related "options" in web
Level of Abstraction (LOA) examples
CVE-00502, CVE-00504, CVE-00506, CVE-00508, CVE-00519 - all have to do
with default passwords, but they're separated by "functionality." So
is this too low an LOA? Note also the converse - these are high
cardinality vulnerabilities too.
CVE-00536 - LOA is too high for NT experts, but what is the
appropriate way to split this vulnerability?
CVE-00534 - configuration problem whose LOA is fixed because each
right is an option on the same menu.
CVE-00620, CVE-00621 - service "suites" that consist of component
CVE-00346, CVE-00068 - most tools roll these into one, but they're
split because they're different executables.
CVE-00578, CVE-00579 - other vulnerabilities like these discriminate
between "system critical" and "normal" resources, the idea being that
"system critical" may allow system compromise, while "normal" may at
worst leak information.
CVE-00025, CVE-00026, CVE-00027, ... - same as previous example
CVE-00552 - too low level? An instance of a higher cardinality
vulnerability, e.g. "TCP/IP service or surrogate available through web
CVE-00557, CVE-00558, CVE-00559 - are 557 and 558 subsumed by 559? Is
559 at the proper LOA?
CVE-00306, CVE-00030 - same application on different OSes
Some of these examples are due to incomplete information provided by
my source (e.g. an advisory that's written to obscure relevant
CVE-00022, CVE-00023, CVE-00187
- 22 and 23 are distinguishable by the function name, but it
requires a glance at the references to be certain of the
- 187 appears different than 22 and 23, but the associated advisory
doesn't provide additional details
CVE-00001 - not enough info in source advisory
CVE-00254 and CVE-00186 have inconsistent terminology.
Descriptions often don't need software version numbers, but consider
CVE-00478, CVE-00393, CVE-00047, CVE-00205, and CVE-00204 as examples
where version numbers are useful to a human reader who is trying to
distinguish between these vulnerabilities.
CVE-00534 - has "too much" information (listing most known
privileges), but it is useful for some mapping/search tasks, so the
specific options are included.
Example: Note that CVE-00661 is only intended to refer to "normal"
software packages that have been replaced by Trojan Horses at their
distribution site (e.g. TCP Wrappers of a few months ago). [Note also
the description problems.] There isn't a specific vulnerability for
Trojan Horses that a hacker might install after a compromise (though
it would fall under GENERIC-MP), but such an entry would overlap
CVE-00660. Other MP category vulnerabilities are missing too,
e.g. hacker-modified configurations (although some configurations
would already be "spotted" under CVE-00663).