About CVE

Terminology
Documents
FAQs
CVE List

About CVE Identifiers
Obtain a CVE Identifier
Search CVE
Search NVD
CVE In Use

CVE Adoption
CVE-Compatible Products
NVD for CVE Fix Information
More . . .
News & Events

Calendar
Free Newsletter
Community

CVE Editorial Board
Sponsor
Contact Us

Search the Site

CVE Community

Editorial Board
Mail List & Meetings Archive
Roles, Tasks, & Qualifications
Adding New Members
Sponsor

CVE In Use

CVE Compatible Products and Services
More . . .

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CONTENT DECISION: Presence of Services or Applications (SA)

To: cve-editorial-board-list@lists.mitre.org
Subject: CONTENT DECISION: Presence of Services or Applications (SA)
From: "Steven M. Christey" <coley@linus.mitre.org>
Date: Tue, 3 Aug 1999 20:32:35 -0400 (EDT)
Sender: owner-cve-editorial-board-list@lists.mitre.org

The final set of candidate clusters touches on what I believe are the
most controversial content decisions with respect to the draft CVE,
since they are often related to enterprise-specific definitions of
"vulnerability."

The SA category is used to identify vulnerabilities where the simple
presence of a service or application is considered a CVE
vulnerability.  We have already seen a number of "SA" category
candidates in the DESIGN cluster such as finger, rexec, etc., where
the service runs as designed, but might be a vulnerability according
to some policies.  As Gene Spafford indicated previously, most SA
category problems may not be considered vulnerabilities in an academic
setting, but they might in a more restrictive context (e.g. classified
or other highly sensitive networks).

Many tools report a fair number of "checks" that reference SA-category
vulnerabilities.  Network scanners average about 25 services per tool.

The SA-* clusters reflect content decisions related to the final
bullet of the CVE vulnerability definition, which includes the use of
a service or application that:

> - (7) is a primary point of entry that an entity may attempt to use
>   to gain access to the system or data


Of course, any service could be regarded as a point of entry, thus it
is a High Cardinality problem to list all services.  However, there
are some services which are "more" of a concern than others, and thus
should be explicitly listed in the CVE because they satisfy bullet (7)
as given above.

Below are three content decisions related to SA Inclusion, i.e. when a
specific service/application should be individually named as a CVE
vulnerability.

1) Include services or applications that have a history of problems.

SMTP, FTP, HTTP, and other services have exhibited a number of
problems, either in the protocol itself, or there have been many
implementations which have had problems - consider Sendmail, wu-ftp,
or IIS, for example.  In some Conditional (enterprise-specific)
policies, running such software can be regarded as a vulnerability,
even if the software is configured correctly and is not believed to
contain any exploitable software flaws.

2) Include services that are common attack points.

Such services may not have a history of problems, but may be commonly
attacked because their compromise could provide significant benefits
to an attacker.  Consider NIS, SNMP, UUCP, rsh, etc., which have a
history of attacks but not too many different vulnerabilities.

3) Include "little" services that are rarely necessary in operations,
but are often useful to an attacker.

Examples include chargen, echo, systat.

- Steve

Follow-Ups:
- Re: CONTENT DECISION: Presence of Services or Applications (SA)
  - From: Gene Spafford <spaf@cs.purdue.edu>

Prev by Date: PROPOSAL: Cluster 33 - NT-REGISTRY (6 candidates)
Next by Date: PROPOSAL: Cluster 34 - SA-HIST (13 candidates)
Prev by thread: PROPOSAL: Cluster 33 - NT-REGISTRY (6 candidates)
Next by thread: Re: CONTENT DECISION: Presence of Services or Applications (SA)
Index(es):
- Date
- Thread

Page Last Updated: May 22, 2007