Re: CD MODIFICATION: DEFINITION version 2 - Interim Decision 8/30
ACCEPT

"Steven M. Christey" wrote:
>
> Please vote on the following modification to the DEFINITION content
> decision, which uses the new "exposure" terminology.
>
> Our proposal for the use of the "exposure" term has received very
> little commentary, but since it (a) requires a change to the CVE name
> itself, and (b) attempts to resolve some of the most significant
> debates that have occurred on the Editorial Board list so far, it is
> critical that adoption of this terminology be decided ASAP.
>
> VOTE:
>
> (Member may vote ACCEPT, MODIFY, REJECT, or NOOP.)
>
> Short Description
> -----------------
>
> In an attempt to remain independent of the multiple perspectives of
> what a "vulnerability" is, the CVE identifies both "universal
> vulnerabilities" (i.e. those problems that are normally regarded as
> vulnerabilities within the context of all reasonable security
> policies) and "exposures" (i.e. problems that are only violations of
> some reasonable security policies).
>
> Definitions
> -----------
>
> A "universal" vulnerability is one that is considered a vulnerability
> under any commonly used security policy which includes at least some
> requirements for minimizing the threat from an attacker. (This
> excludes entirely "open" security policies in which all users are
> trusted, or where there is no consideration of risk to the system.)
>
> The following guidelines, while imprecise, provide the basis of a
> "universal vulnerability" definition. A universal vulnerability is a
> state in a computing system (or set of systems) which either:
> - allows an attacker to execute commands as another user
> - allows an attacker to access data that is contrary to the
>   specified access restrictions for that data
> - allows an attacker to pose as another entity
> - allows an attacker to conduct a denial of service
>
> The following guidelines provide the basis for a definition of an
> "exposure." An exposure is a state in a computing system (or set of
> systems) which is not a universal vulnerability, but either:
> - allows an attacker to conduct information gathering activities
> - allows an attacker to hide activities
> - includes a capability that behaves as expected, but can be easily
>   compromised
> - is a primary point of entry that an attacker may attempt to use
>   to gain access to the system or data
> - is considered a problem according to some reasonable security
>   policy
>
> Rationale
> ---------
>
> Discussions on the Editorial Board mailing list and during the CVE
> Review meetings indicate that there is no definition for a
> "vulnerability" that is acceptable to the entire community. At least
> two different definitions of vulnerability have arisen and been
> discussed. There appears to be a universally accepted, historically
> grounded, "core" definition which deals primarily with specific flaws
> that directly allow some compromise of the system (a "universal"
> definition). A broader definition includes problems that don't
> directly allow compromise, but could be an important component of a
> successful attack, and are a violation of some security policies (a
> "contingent" definition).
>
> In accordance with the original stated requirements for the CVE, the
> CVE should remain independent of multiple perspectives. Since the
> definition of "vulnerability" varies so widely depending on context
> and policy, the CVE should avoid imposing an overly restrictive
> perspective on the vulnerability definition itself. Therefore, the
> term "universal vulnerability" is to be applied to those CVE entries
> which are considered vulnerabilities under any security policy (and
> thus by any perspective), and "exposure" is to be applied to the
> remaining CVE entries which include violations of *some* reasonable
> security policy.
>
> Examples
> --------
>
> Examples of universal vulnerabilities include:
> - phf (remote command execution as user "nobody")
> - rpc.ttdbserverd (remote command execution as root)
> - world-writeable password file (modification of system-critical
>   data)
> - default password (remote command execution or other access)
> - denial of service problems that allow an attacker to cause a Blue
>   Screen of Death
> - smurf (denial of service by flooding a network)
>
> Examples of exposures include:
> - running services such as finger (useful for information gathering,
>   though it works as advertised)
> - inappropriate settings for Windows NT auditing policies (where
>   "inappropriate" is enterprise-specific)
> - running services that are common attack points (e.g. HTTP, FTP, or
>   SMTP)
> - use of applications or services that can be successfully attacked
>   by brute force methods (e.g. use of trivially broken encryption,
>   or a small key space)

--
Stephen Moore
Lead Infosec Engineer
The MITRE Corporation
sjmoore@mitre.org