|
|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] RE: [TECH] High-level candidates for recent SNMP problems
You didn't say I couldn't bring up old arguments, so... >8-) Unless you're willing to type up CANs for each and every little variant that gets discovered, then (IMVHO - opposite of IMNSHO) I would try not to establish a low level of abstraction. It's going to get really, really ugly. I well understand the academic arguments, but there's a pragmatic concern - I don't think we want to double the size of the CVE database (oops, list pretending not to be a database, sorry) just to cover a bazillion variants of this particular bug. Even getting it down to codebase is going to be very, very difficult. IMHO, I'd put the 2 CANs you've got through and call it a day. You've got better things to do with your time than try and sort all this out. My $0.02, YMMV, do what you like from here. > -----Original Message----- > From: Steven M. Christey [mailto:coley@linus.mitre.org] > Sent: Tuesday, February 12, 2002 2:00 PM > To: cve-editorial-board-list@lists.mitre.org > Subject: [TECH] High-level candidates for recent SNMP problems > > > All, > > The recently announced SNMP problems pose a special challenge > for using CVE candidates. The basic problem is that the CVE > content decisions dictate that we should provide different > candidates for each implementation that is affected by the > PROTOS suite (Jim Magdych, this probably isn't a good time to > bring up old arguments please ;-) > > Despite the number and complexity of the issues, the CVE > content decisions are pretty clear on how candidates should > be assigned: > > - separate candidates for each affected codebase (CD:SF-CODEBASE) > > - separate candidates for each type of problem within the same > codebase (CD:SF-LOC) and version > > However, there is insufficient information at this time to > assign the proper number of candidates. So, we currently > only have a few candidates, and they are at a level of > abstraction that is higher than they "should" be (relative to > content decisions). > > The codebase issue is a difficult one, but the general > approach will probably be to distinguish by vendor, unless > there is clear proof that multiple vendors use the same codebase. > > Below is the current list of candidates that CERT/CC has > assigned and publicized. They will be on the CVE web site > within an hour. They will likely change rapidly and without notice. > > As we better understand the specifics, I will be assigning > separate candidates to the more explicitly identified issues. > If other general "classes" of vulnerabilities are also > discovered, it is likely that other high-level candidates > will be created for that, too. > > This is a prime example of how CVE content decisions are > dependent on the amount of available information. I've been > able to remove the dependencies of content decisions on > certain types of information, but there is still a reliance > on problem types, affected codebases, and affected versions. > I alluded to this difficulty in a post to Bugtraq a week or two ago. > > - Steve > > > ====================================================== > Candidate: CAN-2002-0012 > URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0012 > Final-Decision: > Interim-Decision: > Modified: > Proposed: > Assigned: 20020110 > Category: SF > Reference: ISS:20020212 PROTOS Remote SNMP Attack Tool > Reference: URL:http://www.iss.net/security_center/alerts/advise110.php > Reference: CERT:CA-2002-03 > Reference: URL:http://www.cert.org/advisories/CA-2002-03.html > Reference: CERT-VN:VU#107186 > Reference: URL:http://www.kb.cert.org/vuls/id/107186 > > Vulnerabilities in a large number of SNMP implementations > allow remote attackers to cause a denial of service or gain > privileges via SNMPv1 trap handling, as demonstrated by the > PROTOS c06-SNMPv1 test suite. NOTE: It is highly likely that > this candidate will be SPLIT into multiple candidates, one or > more for each vendor. This and other SNMP-related candidates > will be updated when more accurate information is available. > > > > ====================================================== > Candidate: CAN-2002-0013 > URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0013 > Final-Decision: > Interim-Decision: > Modified: > Proposed: > Assigned: 20020110 > Category: SF/CF/MP/SA/AN/unknown > Reference: ISS:20020212 PROTOS Remote SNMP Attack Tool > Reference: URL:http://www.iss.net/security_center/alerts/advise110.php > Reference: CERT:CA-2002-03 > Reference: URL:http://www.cert.org/advisories/CA-2002-03.html > Reference: CERT-VN:VU#854306 > Reference: URL:http://www.kb.cert.org/vuls/id/854306 > > Vulnerabilities in the SNMPv1 request handling of a large > number of SNMP implementations allow remote attackers to > cause a denial of service or gain privileges via (1) > GetRequest, (2) GetNextRequest, and > (3) SetRequest messages, as demonstrated by the PROTOS > c06-SNMPv1 test suite. NOTE: It is highly likely that this > candidate will be SPLIT into multiple candidates, one or more > for each vendor. This and other SNMP-related candidates will > be updated when more accurate information is available. >
|
||||
