
RE: CNA Rules Announcement

On Mon, 10 Oct 2016, Monroe, Bruce wrote:

: Here's a good example and one that we just encountered internally. 
: about unquoted service path?
: As you can see from the search results every vendor is assigning 
: own. We recently saw that and made an internal decision to do the 
: but it's effectively the same vulnerability repeated over lots of 
: software.

More so because a majority of 'unquoted search path' privilege 
issues are NOT a vulnerability. Oftentimes they require some form of 
administrative access to carry out the 'attack', and they aren't really 
crossing privilege boundaries at that point.

: Challenges: 
: - People assigning CVEs would have to look before assigning another 
CVE. Not sure that would always happen...

MITRE is generally good about doing this, but they are restricted 
they can't see assignments made by CNAs that aren't public yet. 
if they are behind in monitoring a CNA's disclosure point, they may 
assign due to that race condition of sorts.

: - Listing would eventually grow to be enormous and I expect it would 
: a bit of a pain to dig through...this one currently has 3 pages of 
: ;)

VulnDB has 61 entries with 'unquoted search path' in the title, 34 that 
not have a CVE. Based on the CVSS scores, only 1 of them was considered 

: Agree we should be consistent in our approach, if we could come up 
: a simple, solid, easily repeatable way to reference a master CVE and 
: pile on with "like" issues I'd be in favor of that approach, as long 
: it could be done without losing visibility of each sub-entry.

The 'easiest' way (said externally, knowing it is a lot more work for 
MITRE) is to reference the other CVEs in the entry as someone previously 
mentioned. They already do it for duplicate assignments (e.g. REJECTED 
CVE-1234-5678". They could carry this on as "MASTER see IDs 1,2,3,4,5 
similar issues" in better language.
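As an added example (not code from this post, VulnDB or MITRE), here is how the distinction drawn above can be checked mechanically for a Windows service ImagePath: enumerate the files CreateProcess would try before the real binary, then keep only those whose parent directory an unprivileged user could write to. The function names are mine, the ".exe"-truncation rule for unquoted paths is an assumption, and the set of user-writable directories is a constructed stand-in for an ACL query so the script runs offline.

```python
import ntpath
from typing import Callable, Dict, List

# Constructed sample of directories an ordinary (non-admin) user can write to.
# On a real host this comes from an ACL query; it is hard-coded to run offline.
USER_WRITABLE_DIRS = {r"C:\Vendor Tools"}

def executable_part(image_path: str) -> str:
    """Executable from a service ImagePath; for unquoted paths we assume it
    ends at the first '.exe' and anything after that is arguments."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        return image_path[1:image_path.index('"', 1)]
    pos = image_path.lower().find(".exe")
    return image_path[:pos + 4] if pos != -1 else image_path

def hijack_candidates(image_path: str) -> List[str]:
    """Files CreateProcess tries *before* the real binary: for an unquoted
    path, every prefix ending at a space with '.exe' appended, in order."""
    if image_path.strip().startswith('"'):
        return []                      # quoted path: no ambiguity at all
    exe = executable_part(image_path)
    return [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]

def crosses_privilege_boundary(
    image_path: str,
    user_writable: Callable[[str], bool] = lambda d: d in USER_WRITABLE_DIRS,
) -> List[str]:
    """Candidates whose parent directory a non-admin could write to. An empty
    list means planting a binary already needs admin rights: hygiene, not a
    privilege-escalation vulnerability (the distinction made in the post)."""
    return [c for c in hijack_candidates(image_path)
            if user_writable(ntpath.dirname(c))]

def triage(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Service name -> candidate paths an unprivileged user could plant."""
    return {name: crosses_privilege_boundary(p) for name, p in services.items()}

if __name__ == "__main__":
    # Constructed ImagePath values, not taken from any real product.
    sample = {
        "QuotedSvc": r'"C:\Program Files\Vendor App\svc.exe" -service',
        "AdminOnlySvc": r"C:\Program Files\Vendor App\svc.exe -service",
        "ExploitableSvc": r"C:\Vendor Tools\Sub Dir\svc.exe -service",
    }
    for name, hits in triage(sample).items():
        print(name, hits or "no privilege boundary crossed")
```

Only the third constructed service crosses a boundary, because an unprivileged user can write to `C:\Vendor Tools`; the second is the admin-only case the post describes.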


Page Last Updated or Reviewed: October 11, 2016