[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Examples for Technical Issues in the CVE




All:

Below are some specific CVE examples to illustrate some of the
technical issues that I plan to discuss this Sunday.  I didn't release
them earlier because I didn't want to bog down the "bigger questions"
in details, but perhaps they can provide some food for thought.

- Steve



Examples for some CVE technical issues
======================================

Inclusion
---------

Most SA category vulnerabilities may not be a "vulnerability" from
some perspectives.  Consider information gathering using CVE-00612,
CVE-00629, or CVE-00626.  Nonetheless, many "restrictive" security
policies would consider them vulnerabilities, at least in some
situations.

CVE-00500 - not a vulnerability by some perspectives (assuming not a
critical system directory)

CVE-00497 - if "properly" configured, not a vulnerability by some
perspectives (note specific related CF category problems
e.g. CVE-00563 or CVE-00527).

"unfixable" design flaws are not included (e.g. Digital Unix 4.0
moving to stack-based execution), but "fixable" problems related to
design limitations are (e.g. Smurf, CVE-00513).


High cardinality vulnerabilities
--------------------------------

The following entries are some of the high cardinality vulnerabilities
in CVE version 199904290013.  Note they also may have level of
abstraction (LOA) problems.

CVE-00119 - should each buggy beta software get its own entry?
what about "commonly used" or "prevalent" beta software?

CVE-00660 - rolls all post-compromise installed hacker utilities into
one

CVE-00586 - *any* network service could run on an unusual port, which
may not be accounted for by network filters

CVE-00559 - there are too many "critical" files or directories to
enumerate.  But then who says what is "critical"?  (Partial answer:
not the CVE.)

CVE-00537, CVE-00538 - too many different-but-related "options" in web
browsers


Level of Abstraction (LOA) examples
-----------------------------------

CVE-00502, CVE-00504, CVE-00506, CVE-00508, CVE-00519 - all have to do
with default passwords, but they're separated by "functionality."  So
is this too low an LOA?  Note also the converse - these are high
cardinality vulnerabilities too.

CVE-00536 - LOA is too high for NT experts, but what is the
appropriate way to split this vulnerability?

CVE-00534 - configuration problem whose LOA is fixed because each
right is an option on the same menu.

CVE-00620, CVE-00621 - service "suites" that consist of component
services

CVE-00346, CVE-00068 - most tools roll these into one, but they're
split because they're different executables.

CVE-00578, CVE-00579 - other vulnerabilities like these discriminate
between "system critical" and "normal" resources, the idea being that
"system critical" may allow system compromise, while "normal" may at
worst leak information.

CVE-00025, CVE-00026, CVE-00027, ... - same as previous example

CVE-00552 - too low level?  An instance of a higher cardinality
vulnerability, e.g. "TCP/IP service or surrogate available through web
interface"

CVE-00557, CVE-00558, CVE-00559 - are 557 and 558 subsumed by 559?  Is
559 at the proper LOA?

CVE-00306, CVE-00030 - same application on different OS'es


Description Problems
--------------------

Some of these examples are due to incomplete information provided from
my source (e.g. an advisory that's written to obscure relevant
details).

CVE-000022, CVE-00023, CVE-00187
  - 22 and 23 are distinguishable by the function name, but it
    requires a glance at the references to be certain of the
    difference
  - 187 appears different than 22 and 23, but the associated advisory
    doesn't provide additional details

CVE-00001 - not enough info in source advisory

CVE-00254 and CVE-00186 have inconsistent terminology.

Descriptions often don't need software version numbers, but consider
CVE-00478, CVE-00393, CVE-00047, CVE-00205, and CVE-00204 as examples
where version numbers are useful to a human reader who is trying to
distinguish between these vulnerabilities.

CVE-00534 - has "too much" information (listing most known
privileges), however is useful for some mapping/search tasks, so the
specific options are included.


Missing Vulnerabilities
-----------------------

Example: Note that CVE-00661 is only intended to refer to "normal"
software packages that have been replaced by Trojan Horses at their
distribution site (e.g. TCP Wrappers of a few months ago).  [Note also
the desciption problems.]  There isn't a specific vulnerability for
Trojan Horses that a hacker might install after a compromise (though
it would fall under GENERIC-MP), but such an entry would overlap
CVE-00660.  Other MP category vulnerabilities are missing too,
e.g. hacker-modified configurations (although some configurations
would already be "spotted" under CVE-00663).

 
Page Last Updated: May 22, 2007