Re: Issues for configuration problems in the CVE
At 1:13 PM -0400 7/16/99, Steven M. Christey wrote:

>Gene Spafford wrote:
>
>>When I first had a student (Taimur Aslam) look at classifications of
>>problems, configuration errors fell out as one category. However, we
>>found there were some ambiguities with user interface error, and
>>incorrect documentation. If something is misconfigured because the
>>documentation is unclear (or wrong), is that a bug? If so, where? In
>>the software that doesn't match the documentation, or in the
>>documentation that doesn't match the software?
>
>I see why the question needs to be asked from a perspective of
>classification and explanation; however, I don't think this particular
>issue has much of an impact on the CVE. The configuration problem
>exists because of something a user did, regardless of how the user did
>it or why they did it. I believe that's sufficient for the CVE.
>
>- Steve

1. The documentation and online help message say "-s" is the security mode switch. The user builds a config file to run with "-s". However, it turns out that either the programmer got the logic backwards, or the documentation is wrong, and "-s" turns the security OFF. The result is a vulnerability. Is that a bug or an operator error?

2. The system comes with default accounts with well-known passwords. The operator does not notice these, and installs the system with the accounts intact. This results in a vulnerability. Is that an operator error?

3. The system comes with a program that installs patches. The vendor releases a patch to a problem. The operator runs the program, and in addition to installing the patch, it sets some directory permissions and ownerships to new values that result in a vulnerability. Is that a bug or operator error?

In each case, "The configuration problem exists because of something a user did, regardless of how the user did it or why they did it," so I would assume you would classify them all as operator errors.

However, all three are also vulnerabilities that are in some sense "built in" by the vendor. I would argue that #2 is the only one that is directly a user error. Problems that occur because the operator should have known better if he/she had read documentation and security literature fall in this category. Vulnerabilities that result from hidden features, bugs, bad documentation of features, etc. are not.

Comments?

--spaf