Re: Level of Abstraction Issue: Similar Applications, "Same" Vulnerability
Well, let me weigh in again. I think Pascal covered most of my thoughts here.
If I send a huge flood of Christmas Tree packets to your network, and
machines of all kinds crash because the underlying code didn't handle
unusual combinations of option flags, would that be one CVE entry?
Even if it crashed Windows, Unix, Mac, VMS and Cisco boxes alike?
Suppose I send a carefully crafted set of packets to your Linux box.
Version 93.7 crashes, and version 93.8 lets me on as root. The only
difference between the two is that some code in the disk driver was
changed. Is this two CVE entries or one?
How would the IDS vendors count these? If the CVE only has entries
for attacks, and not for code base, will vendor XYZ advertise "We
catch all 987 attacks in the CVE, plus another 100 that aren't
If you can answer all three questions, plus variants, with a set of
well-defined rules, then you have the basis for abstraction decisions
in the CVE. Until you can, any decisions will be ad hoc.