RE: [TECH] High-level candidates for recent SNMP problems
> From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
> I don't think many people would like to see a single candidate for
> HTTP GET buffer overflows.
Actually, customer requests are definitely moving us towards
managing our vulnerabilities at two, possibly even three,
levels of abstraction. From what I can tell, these customer
needs are being driven by the very different ways that
different customers approach the remediation problem.
For some, all they want to know is that they have a vulnerable
web server at this particular IP address, in which case a
single CVE number for HTTP GET BOs would be more than
sufficient. For others, they want to tweak the server
into some form of compliance, so they need more specific
info (classic CVE names, for ex.)
"Open" SMB shares is another example that jumps to mind.
Some customers just want to deal with the issue at a fairly
high level of abstraction. Others want platform specific
information (NT, W2K, Samba...).
We may all be dragged (kicking and screaming, no doubt)
into a CVE language that allows us to better talk at multiple
levels of abstraction. Time to revive the idea of "dot"
notation? [Dave ducks under his keyboard]
I suspect this related to "vagueness" issue, btw.
> We haven't seen vendors actively advertising how many CVE's they
> check yet, but I think that will happen.
I'm not sure of this, actually.
I sense that the market is evolving away from the old
"check-count" wars, even if it is dressed up in new CVE
clothing. Increasingly, we are being asked to provide
standards based solutions (e.g. HIPPA, SANS Top 10,
SANS Top 20, Center for Internet Security, various
OS Vendor standards, etc.). In this context, CVE is
useful for clarifying the standards and connecting
vague policy statements to specific checks.
The problem here is that, by necessity, these standards
are often written a much higher level of abstraction
than that at which CVE currently operates.
I should note, btw, that without higher level identifiers,
CVE simply will never be useful (to our customers) in some
circumstances. For example, RAZOR has cataloged, what?, 80ish
vulnerabilities relating to old versions of sendmail. Specific
CVE names for these old issues might pump up our check count
numbers, but they mean little to nothing to many of our customers.
They are interested in only one thing. Is their Sendmail up to
date? Here, a single, higher level CVE name for outdated Sendmail
would be more useful.
Now, on to more pressing issues like, Why has the skiing
been so pitiful here in southern New England?
Dave Mann || e-mail: firstname.lastname@example.org
Security Program Manager || phone: 508-485-7737 x254
RAZOR Security Team || cell: 617-943-3507
BindView Corporation || fax: 508-485-0737