Re: Level of Abstraction Issue: Similar Applications, "Same" Vulnerability
On Tue, Jun 29, 1999 at 03:52:13PM -0500, Gene Spafford wrote:
| If I send a huge flood of Christmas Tree packets to your network, and
| machines of all kinds crash because the underlying code didn't handle
| unusual combinations of option flags, would that be one CVE entry?
| Even if it crashed Windows, Unix, Mac, VMS and Cisco boxes alike?
Let me suggest an alternate hypothetical, and offer a proposed rule.
If the same packet crashes only Linux, Free- and OpenBSD, and on
examination of the code, it turns out that the actual errors were
different, should we have one CVE entry or three?
I suggest that the proper distinction is made when either we know or have
solid reason to believe the code is different, and when the bug is not
widespread across a large number of platforms.
Thus, Spaf's question has an answer or one, and mine has an answer of
| Suppose I send a carefully crafted set of packets to your Linux box.
| Version 93.7 crashes, and version 93.8 lets me on as root. The only
| difference between the two is that some code in the disk driver was
| changed. Is this two CVE entries or one?
| How would the IDS vendors count these? If the CVE only has entries
| for attacks, and not for code base, will vendor XYZ advertise "We
| catch all 987 attacks in the CVE, plus another 100 that aren't
The IDS vendors will count 17 for this, one for each TCP flag. :)
More seriously, as a vendor, we will list "280 instances of
CVE-GEN-CONFIG" in our marketing stuff. We will announce 71
vulnerabilities not yet in the CVE.
My personal hope is that the CVE will make more transparent such
games, but it won't eliminate them until we have a certification
process for products.