Examples for Technical Issues in the CVE
All: Below are some specific CVE examples to illustrate some of the technical issues that I plan to discuss this Sunday. I didn't release them earlier because I didn't want to bog down the "bigger questions" in details, but perhaps they can provide some food for thought.

- Steve

Examples for some CVE technical issues
======================================

Inclusion
---------

Most SA category vulnerabilities may not be a "vulnerability" from some perspectives. Consider information gathering using CVE-00612, CVE-00629, or CVE-00626. Nonetheless, many "restrictive" security policies would consider them vulnerabilities, at least in some situations.

CVE-00500 - not a vulnerability by some perspectives (assuming not a critical system directory)

CVE-00497 - if "properly" configured, not a vulnerability by some perspectives (note specific related CF category problems, e.g. CVE-00563 or CVE-00527).

"Unfixable" design flaws are not included (e.g. Digital Unix 4.0 moving to stack-based execution), but "fixable" problems related to design limitations are (e.g. Smurf, CVE-00513).

High cardinality vulnerabilities
--------------------------------

The following entries are some of the high cardinality vulnerabilities in CVE version 199904290013. Note they also may have level of abstraction (LOA) problems.

CVE-00119 - should each buggy beta software get its own entry? What about "commonly used" or "prevalent" beta software?

CVE-00660 - rolls all post-compromise installed hacker utilities into one

CVE-00586 - *any* network service could run on an unusual port, which may not be accounted for by network filters

CVE-00559 - there are too many "critical" files or directories to enumerate. But then who says what is "critical"? (Partial answer: not the CVE.)

CVE-00537, CVE-00538 - too many different-but-related "options" in web browsers

Level of Abstraction (LOA) examples
-----------------------------------

CVE-00502, CVE-00504, CVE-00506, CVE-00508, CVE-00519 - all have to do with default passwords, but they're separated by "functionality." So is this too low an LOA? Note also the converse - these are high cardinality vulnerabilities too.

CVE-00536 - LOA is too high for NT experts, but what is the appropriate way to split this vulnerability?

CVE-00534 - configuration problem whose LOA is fixed because each right is an option on the same menu.

CVE-00620, CVE-00621 - service "suites" that consist of component services

CVE-00346, CVE-00068 - most tools roll these into one, but they're split because they're different executables.

CVE-00578, CVE-00579 - other vulnerabilities like these discriminate between "system critical" and "normal" resources, the idea being that "system critical" may allow system compromise, while "normal" may at worst leak information.

CVE-00025, CVE-00026, CVE-00027, ... - same as previous example

CVE-00552 - too low level? An instance of a higher cardinality vulnerability, e.g. "TCP/IP service or surrogate available through web interface"

CVE-00557, CVE-00558, CVE-00559 - are 557 and 558 subsumed by 559? Is 559 at the proper LOA?

CVE-00306, CVE-00030 - same application on different OSes

Description Problems
--------------------

Some of these examples are due to incomplete information provided from my source (e.g. an advisory that's written to obscure relevant details).

CVE-00022, CVE-00023, CVE-00187 - 22 and 23 are distinguishable by the function name, but it requires a glance at the references to be certain of the difference; 187 appears different from 22 and 23, but the associated advisory doesn't provide additional details

CVE-00001 - not enough info in source advisory

CVE-00254 and CVE-00186 have inconsistent terminology.

Descriptions often don't need software version numbers, but consider CVE-00478, CVE-00393, CVE-00047, CVE-00205, and CVE-00204 as examples where version numbers are useful to a human reader who is trying to distinguish between these vulnerabilities.

CVE-00534 - has "too much" information (listing most known privileges); however, it is useful for some mapping/search tasks, so the specific options are included.

Missing Vulnerabilities
-----------------------

Example: Note that CVE-00661 is only intended to refer to "normal" software packages that have been replaced by Trojan Horses at their distribution site (e.g. TCP Wrappers of a few months ago). [Note also the description problems.] There isn't a specific vulnerability for Trojan Horses that a hacker might install after a compromise (though it would fall under GENERIC-MP), but such an entry would overlap CVE-00660. Other MP category vulnerabilities are missing too, e.g. hacker-modified configurations (although some configurations would already be "spotted" under CVE-00663).