CVE Validation Plan: Candidate Clusters

["Steven M. Christey" <coley@linus.mitre.org>]

All:

Sorry for the continued delays with respect to getting some candidate
vulnerabilities out there for discussion.  I spent an extra day or two
trying to refine everything, and I think I've got a better handle on
the most effective approach for verifying these initial 650
vulnerabilities.

It's difficult to schedule for when all these vulnerabilities should
be reviewed.  I will attempt to do so over the next week or so,
partially based on how things go for the first few groups of
vulnerabilities.

I am placing the current CVE Vulnerabilities into 3 categories, based
on how much discussion I think they will generate:

1) LOW controversy - vulnerability reflects all vulnerability
databases I've seen; may need to make some minor changes to a
description, add a reference, etc.  Vulnerability is well-known and
often has a reference to an advisory posted by a reputable
organization.  Vendors probably don't need to have seen their tool
mappings to decide whether they "like" these or not.

2) MEDIUM controversy - reflects a content design decision that may
conflict with some vulnerability databases, but which I believe are
"reasonable"; some may not be vulnerabilities according to some
definitions, although they are CVE vulnerabilities and I believe they
would be generally accepted; some vulnerabilities may look very
similar (and may be duplicates, or require significant description
rewrites); or the vulnerabilities may be more obscure, without much
supporting information (e.g. references).  Vendors may need to have
seen their tool mappings in order to decide on these.

3) HIGH controversy - may have a significant difference with some/most
vulnerability databases; may not be considered vulnerabilities by many
Editorial Board members, although they are CVE vulnerabilities (thus,
the CVE vulnerability definition itself may be debated); most likely
to be split, merged, or deprecated.

4) UNKNOWN - generally, newly discovered vulnerabilities (Jan-April
1999) whose only discussion was on the Bugtraqs, thus may not be
confirmed.

Note that if you agree with the content decisions as described in the
tech paper I included when I provided you with the CVE data, there
shouldn't be too many problems with vulnerabilities I've called
medium/high controversy.

The vulnerabilities in the current version of the CVE break down as
follows:

Low controversy - 287
Medium controversy - 175
High controversy - 156
Unknown - 67

As discussed previously, I will present each vulnerability as a
candidate, in order to begin to flesh out the candidate discussion
process (see another document on that).  The candidate number will be
equivalent to the CVE number (in version 199904290013),
i.e. CAN-1999-00345 will be the same as CVE-00345 in your CVE
distribution.

I will first propose the Low candidates, then the Medium, then the
High, then finally the Unknown.  Once we get to the Unknown
candidates, we will have settled on most content decisions, but we
will have to start learning how to deal with "uncertain" information.
We can use our experience with Unknown vulnerabilities to start
bringing in new, up-to-date vulnerabilities.

I have grouped vulnerabilities into "candidate clusters" so that each
cluster reflects a particular CVE content decision, or some other
unifying characteristic.  That way, we can all debate the higher level
content decisions and adapt (or adopt) the candidates accordingly.

Below are the candidate clusters.  While there is overlap between
these clusters, they do follow a certain logic that I can't
necessarily translate easily into text.  To those of you who want to
scream bloody taxonomy, the purpose of these clusters is ONLY to
facilitate discussion of the initial CVE.

These candidate clusters will be proposed in roughly the order they
are presented below, according to a schedule that hasn't been fleshed
out yet.


======================
Name: CERT
Controversy: Low
Number of candidates: 61

Some (not all) of the vulnerabilities reported in CERT advisories of
the past few years.

======================
Name: NT-LOW
Controversy: Low
Number of candidates: 19

Some (not all) NT vulnerabilities.

======================
Name: VEN
Controversy: Low
Number of candidates: 65

Some (not all) vulnerabilities with advisories by the OS vendor

======================
Name: BUF
Controversy: Low
Number of candidates: 33

Some (not all) buffer overflows in single applications

======================
Name: CGI
Controversy: Low
Number of candidates: 32

Some (not all) CGI/web programs

======================
Name: DENY
Controversy: Low
Number of candidates: 19

Some (not all) denial of service

======================
Name: REST-LOW
Controversy: Low
Number of candidates: 53

The rest of the Low controversy vulnerabilities.  Some may have
limited or no references but appear in multiple vulnerability
databases or come from advisories from well-known vulnerability
analysts.

======================
Name: REFS
Controversy: Medium
Number of candidates: 68

Vulnerability has limited references (most likely just to the X-Force
database); are we certain these are vulnerabilities?

======================
Name: DESC
Controversy: Medium
Number of candidates: 9

Need improved descriptions; either the source(s) were too vague, or my
sources were private databases (e.g. tools) so I couldn't use them as
references

======================
Name: MULT
Controversy: Medium
Number of candidates: 35

Multiple executables split into multiple vulnerabilities, but some
might want to roll them up; *or*, multiple programs with same
function; *or*, same application but multiple operating systems

======================
Name: PASS
Controversy: Medium
Number of candidates: 15

Configuration problems related to passwords.

======================
Name: NT-CONFIG
Controversy: Medium
Number of candidates: 15

Configuration problems related to Windows NT.

======================
Name: SERVICE-DESIGN
Controversy: Medium
Number of candidates: 12

A service is running that has inherent security flaws or is useful for
information gathering.

======================
Name: REST-MED
Controversy: Medium
Number of candidates: 21

The rest of the Medium controversy vulnerabilities.

======================
Name: LOA
Controversy: High
Number of candidates: 16

Potentially controversial level of abstraction decisions.

======================
Name: PROT-FLAW
Controversy: High
Number of candidates: 17

Protocol flaws that don't necessarily have solutions.

======================
Name: NOVULN
Controversy: High
Number of candidates: 46

May not be regarded as a vulnerability by many people.

======================
Name: NETCONF
Controversy: High
Number of candidates: 13

Network/router configuration problems.

======================
Name: DATA
Controversy: High
Number of candidates: 21

Data access/permissions problems.

======================
Name: IDS
Controversy: High
Number of candidates: 6

Limitations (implementation or design) of IDSes.

======================
Name: SRUN
Controversy: High
Number of candidates: 37

A well-known service with a history of problems is running

======================
Name: Unknown
Controversy: Unknown
Number of candidates: 66

"Unknown" or unverified vulnerabilities.  Possibly gleaned from
Bugtraq postings, but without any (or much) external confirmation from
other sources.