CONTENT DECISION: Not a CVE Vulnerability
Content Decisions - Not a CVE Vulnerability
-------------------------------------------

Each of these content decisions describes characteristics of some "vulnerabilities" that technically satisfy the CVE vulnerability definition, but still should not be considered a CVE vulnerability. I propose that if a candidate has one of these characteristics, it should not be placed into the CVE. If we agree to these content decisions, then some of the candidates listed in the upcoming NOVULN cluster should be REJECTed.

1) "Beta or alpha software is not a CVE vulnerability." (Beta Code Exception)

A beta or alpha version of software cannot be associated with a CVE vulnerability, *unless* the beta version is the only version that is expected to be available. Beta and alpha software are universally understood to have flaws of all kinds, and typically do not appear in an operational environment - but they may appear more frequently in an academic or research environment. So, Windows NT 4.0 beta - while it has security flaws - does not contain CVE vulnerabilities. However, ICQ is only available as a series of beta programs, so it may contain CVE vulnerabilities.

2) "Compromise by an extended Brute Force attack is not a CVE vulnerability." (Brute Force Exception)

If a state in a computing system can only be compromised by a brute force attack that could in the average case take longer than one week on an average desktop CPU, then it is not a CVE vulnerability. Obviously, it's hard to quantify how much "brute force" is sufficient to say that a particular design choice does not contain a vulnerability, and perhaps it should be considered on a per-case basis.

Example: an 8-character Unix password could be guessed by brute force within days or weeks using a large number of machines, but we probably won't consider that a vulnerability; but if a PGP key can be cracked within the same time using the same resources, we probably would.
3) "A denial of service in a client that is easy to recover from is not a CVE vulnerability." (Client-Side Denial of Service Exception)

If client-side software can be subjected to a denial of service for a user alone, but the denial of service only affects that application, and the user can easily recreate the state which that software was in before the attack, then that software does not contain a CVE vulnerability.

Example: many attacks on browsers, where the attack causes the browser to hang or spawn extra windows; a user can be forced out of an IRC channel; a user can be flooded with Instant Messenger messages; etc.

Note, though, that bugs in these same applications which allow an attacker to crash the client's machine, or allow the attacker to gain access, would still qualify as CVE vulnerabilities.

This exception clearly reflects a bias towards the enterprise here, as it excludes most denials of service in chat programs and other interactive, "social" online activities, like ICQ, Instant Messenger, IRC, and web browsers. In my opinion, this type of denial of service problem is more of an inconvenience than a security risk.