Re: CONTENT DECISION: Presence of Services or Applications (SA)
On Wed, Aug 04, 1999 at 02:55:52PM -0500, Prosser, Mike wrote:
> I agree with these comments as well! Unless there is an actual
> vulnerability related to one of these services, don't see them as
> being CVE material just by running. This becomes a "best practice" or
> company policy decision rather than a vulnerability.
I believe the words you are looking for are vulnerability vs
risk. A service running is a risk. Not a vulnerability.
> -----Original Message-----
> From: Aleph One [mailto:aleph1@UNDERGROUND.ORG]
> Sent: Tuesday, August 03, 1999 11:28 PM
> To: spaf@CS.PURDUE.EDU; Steven M. Christey
> Cc: firstname.lastname@example.org
> Subject: Re: CONTENT DECISION: Presence of Services or Applications
> On Tue, Aug 03, 1999 at 08:52:05PM -0500, Gene Spafford wrote:
> > I really do not like the idea behind this category. We might as
> > well include most MS-based protocols, and most TCP services. The
> > fact that a service is present and has a history of being a point of
> > entry on some systems is not a vulnerability. That's like saying
> > that the presence of computers tends to enable hacking -- take away
> > the computers, and you no longer have break-ins!
> Hear, hear!
> > --spaf
> Aleph One / email@example.com
> KeyID 1024/948FD6B5
> Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
Aleph One / firstname.lastname@example.org
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01