ISSA CVE Talk - Basic Slides - Common Vulnerabilities and

advertisement
A Progress Report
on the
CVE Initiative
Robert Martin
Steven Christey
David Baker
The MITRE Corporation
June 27, 2002
2
Outline for: A Progress Report on the CVE Initiative
0
0
0
0
0
0
0
0
Motivation
Implementing CVE
The CVE List
Candidates
Content Decisions
The Editorial Board and Advisory Council
CVE Compatibility
Challenges and Opportunities
MITRE
3
Many Motivations for Getting on top of Vulnerabilities
CERT/CC Incidents Reported
http://www.theregister.co.uk/content/53/24244.html
http://www.cert.org/advisories/CA-2002-06.html
120000
Projected based on Q1 2002 actual reported incidents
100000
80000
60000
40000
20000
http://www.baselinemag.com/article/0,3658,s=1867&a=23195,00.asp
2002
2001
2000
1999
1998
1997
http://www.eweek.com/article/0,3658,s=701&a=23193,00.asp
1996
1995
1994
1993
1992
1991
1990
1989
1988
0
MITRE
4
Vulnerabilities Have Been Found in Almost Every
Type of Commercial Software There Is
Mail Servers
1st Up Mail Server
All-Mail
ALMail32
Avirt Mail Server
Becky! Internet Mail
CWMail
Domino Mail Server
Exchange Server
Hotmail
Internet Anywhere Mail Server
ITHouse Mail Server
Microsoft Exchange
Pegasus Mail
Sendmail
Security Software
ACE/Server
BlackICE Agent
BlackICE Defender
Certificate Server
CProxy Server
ETrust Intrusion Detection
GateKeeper
InterScan VirusWall
Kerberos 5
Norton AntiVirus
PGP
SiteMinder
Tripwire
Sample of Vulnerabilities Announced in 1999 & 2000
Web servers & tools
Domino HTTP Server
IIS
NCSA Web Server
Sawmill
WebTrends Log Analyzer
Internet
AFS
Apache
BIND
CGI
Cron
IMAP
Routers
3220-H DSL Router
650-ST ISDN Router
Ascend Routers
Cisco Routers
R-series routers
Network Applications
BackOffice
Meeting Maker
NetMeeting
DBMSs
Access
DB2 Universal Database
FileMaker Pro
MSQL
Oracle
Desktop Applications
Acrobat
Clip Art
Excel
FrameMaker
Internet Explorer
Napster client
Notes Client
Novell client
Office
Outlook
PowerPoint
Project
Quake
R5 Client
StarOffice
Timbuktu Pro
Word
Works
Workshop
Development Tools
ClearCase
ColdFusion
Flash
Frontpage
GNU Emacs
JRun
WebLogic Server
Visual Basic
Visual Studio
Operating Systems
AIX
BeOS
BSD/OS
DG/UX
FreeBSD
HP-UX
IRIX
Linux
MacOS Runtime for Java
MPE/iX
NetWare
OpenBSD
Palm OS
Red Hat
Security-Enhanced Linux
Solaris
SunOS
Ultrix
Windows 2000
Windows 95
Windows 98
Windows ME
Windows NT
Firewalls
Firewall-1
Gauntlet Firewall
PIX Firewall
Raptor Firewall
SOHO Firewall
MITRE
5
Difficult to Integrate Information on
Vulnerabilities and Exposures
Security
Advisories
Priority
Lists
?
Vulnerability
Scanners
?
Research
?
?
?
?
? ??
? ? ?
?
??
?
?
?
?
?
Software Vendor
Patches
Intrusion Detection
Systems
?
Incident Response
& Reporting
Vulnerability Web
Sites & Databases
MITRE
The
adoption
of CVEvulnerability
Names by the
Security has
Finding
and sharing
information
been difficult:
The Same
Different
Names
Community
is starting
to Problem,
address this
problem
Organization Name
CERT
CyberSafe
ISS
AXENT
Bugtraq
BindView
Cisco
IBM ERS
CERIAS
NAI
CA-96.06.cgi_example_code
Network: HTTP ‘phf’ Attack
http-cgi-phf
phf CGI allows remote command execution
PHF Attacks – Fun and games for the whole family
#107 – cgi-phf
#3200 – WWW phf attack
Vulnerability in NCSA/Apache Example Code
http_escshellcmd
#10004 - WWW phf check
Along
with
newcaused
rule, “Whoever
finds
it, gets finds
a CVEit,name
Which
hasthe
been
by the rule,
“Whoever
namesforit”it”
MITRE
6
7
The CVE List provides a path for integrating
information on Vulnerabilities and Exposures
Security
Advisories
Priority
Lists
Vulnerability
Scanners
Software Vendor
Patches
CVE-1999-0067
Intrusion Detection
Systems
Incident Response
& Reporting
Research
Vulnerability Web
Sites & Databases
MITRE
8
FBI/SANS Institute 2001 Top Twenty uses CVE names
…yet another step down the policy road
All
CVE-names
Unix
Windows
Note 2. CVE Numbers
You’ll find references to CVE (Common Vulnerabilities
and Exposures) numbers accompanying each vulnerability. You may
also see CAN numbers. CAN numbers are candidates for CVE
entries that are not yet fully verified. For more data on the
Award-winning CVE project, see http://cve.mitre.org. In the General
Vulnerabilities section, the CVE numbers listed are examples of
Some of the vulnerabilities that are covered by each listed item.
Those CVE lists are not meant to be all-inclusive. However, for the
Windows and Unix Vulnerabilities, the CVE numbers reflect the top
Priority vulnerabilities that should be checked for each item.
http://www.sans.org/top20.htm
MITRE
9
CVE is Even Being Used to to
Compare and Contrast products
… or the
vulnerabilities
they do or don’t
find...
Tables from Network Computing Article “To Catch a THIEF” (8/20/2001)
by talking about
the vulnerabilities
they do or do not
have...
Ad from SC Magazine (April 2002)
MITRE
10
Outline for: A Progress Report on the CVE Initiative
0
0
0
0
0
0
0
0
Motivation
Implementing CVE
The CVE List
Candidates
Content Decisions
The Editorial Board and Advisory Council
CVE Compatibility
Challenges and Opportunities
MITRE
11
The Common Vulnerabilities and Exposures (CVE)
Initiative
0 An international security community activity
led by MITRE focused on developing a list
that provides common names for publicly
known information security vulnerabilities
and exposures.
0 Key tenets
– One name for one vulnerability or
exposure
– One standardized description for each
vulnerability or exposure
– Existence as a dictionary rather than a
database
– Publicly accessible for review or
download from the Internet
– Industry participation in open forum
(editorial board)
0 The CVE list and information about the CVE
effort are available on the CVE web site at
[cve.mitre.org]
MITRE
12
The CVE Strategy
4. Establish CVE in vendor fix-it
sites and update mechanisms
Commercial S/W Products
Unreviewed
Update and Fix Sites &
Update Mechanisms
Bugtraqs, Mailing lists,
Hacker sites
Discovery
Policy
Reviewed Advisories
CERT, CIAC,
Vendor advisories
1. Inject Candidate
numbers into
advisories
Security Products
Scanners, Intrusion Detection,
Vulnerability Databases
2. Establish CVE at security
product level in order to ...
time
Methodologies
Purchasing
Requirements
Education
3. … enable CVE to permeate
the policy level.
MITRE
13
Example:
CVE helping to make Detailed Product Comparisons
Tables from Network Computing Article “To Catch a THIEF” (8/20/2001)
Network Computing Article “Vulnerability Assessment Scanners” (1/8/2001)
MITRE
14
CVE email Lists have an International readership
Representing ~ 2200 registered email subscribers
- 51 plus (11 countries)
- 11 to 50 registered (39 countries)
- 1 to 10 registered (71 countries)
MITRE
15
Outline for: A Progress Report on the CVE Initiative
0
0
0
0
0
0
0
0
Motivation
Implementing CVE
The CVE List
Candidates
Content Decisions
The Editorial Board and Advisory Council
CVE Compatibility
Challenges and Opportunities
MITRE
16
Where the CVE List comes from
AXENT, BindView, Harris,
Cisco, CERIAS, Hiverworld,
SecurityFocus, ISS, NAI,
Symantec, Nessus
ISS, SecurityFocus,
New Submissions
Neohapsis, NIPC
150–500 per/month
CyberNotes
New
Vulnerabilities
Vulnerability Databases
Vulnerability Databases
CVE Content
Team
Candidates in New
Alerts & Advisories
5–15
per/month
Legacy Submissions
~8400 
2,500 | 3,900 | 1,100 | 900 563
dups
info
study
CVE
Candidates
~2419
4
~2223
MITRE
4500
4000
Status
(as of June 26, 2002)
• 2223 entries
• 2419 candidates
Sep-99
Oct-99
Nov-99
Dec-99
Jan-00
Feb-00
Mar-00
Apr-00
May-00
Jun-00
Jul-00
Aug-00
Sep-00
Oct-00
Nov-00
Dec-00
Jan-01
Feb-01
Mar-01
Apr-01
May-01
Jun-01
Jul-01
Aug-01
Sep-01
Oct-01
Nov-01
Dec-01
Jan-02
Feb-02
Mar-02
Apr-02
May-02
Jun-02
17
CVE Growth
5000
Candidates
CVE Entries
3500
3000
2500
2000
1500
1000
500
0
MITRE
18
Outline for: A Progress Report on the CVE Initiative
0
0
0
0
0
0
0
0
Motivation
Implementing CVE
The CVE List
Candidates
Content Decisions
The Editorial Board and Advisory Council
CVE Compatibility
Challenges and Opportunities
MITRE
19
Identifying Known Vulnerabilities:
The CVE Submission Stage
0 Sources provide MITRE with their lists of all known vulnerabilities
0 MITRE’s CVE Content Team processes submissions
Conversion
• Convert items in database/tool to submission format
• Assign temporary ID’s to each submission
Matching
• Find most similar submissions, candidates, and entries
based on keywords
Refinement
• Combine all matched submissions into groups
• Use each group to create candidates
MITRE
20
Candidate Stage: Assignment
CAN-YYYY-NNNN
B:1
C:1
17
19
• Assign new number (CAN-YYYY-NNNN)
• YYYY is the year in which the number was
assigned; NNNN is a counter for that year
To Source A
ftp-pasv = CAN-YYYY-NNNN
iis-dos = CAN-1999-1234
A:2
ftp-pasv
Backmap
CAN-1999-1234
B:3
A:1
524
iis-dos
To Source B
17 = CAN-YYYY-NNNN
524 = CAN-1999-1234
To Source C
19 = CAN-YYYY-NNNN
• Backmap: internal ID’s mapped to
candidate names, sent back to provider
• Submissions removed
MITRE
21
Candidate Reservation Process
Request Candidate
Researcher /
Vendor
CAN-YYYY-NNNN
• Request candidate from CNA
• Provide candidate number to
vendor and other parties
• Include candidate number in
initial public announcement
• Notify MITRE of announcement
• Perform due diligence to avoid
duplicate or incorrect candidates
• Follow responsible disclosure
practices to increase confidence in
correctness of the candidate
Candidate
Numbering
Authority
CAN
POOL
• Obtain pool of candidate
numbers from MITRE
• Define requirements for
researchers to obtain a candidate
• Assign correct number of
candidate numbers (follow
content decisions)
• Ensure candidate is shared across
all parties
• Do not use candidates in
“competitive” fashion
MITRE
400+
CANs
reserved
• Primary CNA
• Accessible to
researchers and
vendors
• Educate CNA about
content decisions
• Update CVE web site
when candidate is
publicly announced
• Track potential abuses
Reserving and coordinating CANs requires a process change for all parties.
MITRE
22
Many organizations are reserving CVE names and
using them in their alerts and advisories
To-date, CVE names have been
included in initial advisories from:
• ISS X-Force
• IBM
• Rain Forest Puppy • @stake
• BindView
• HP
• CERT/CC
• SGI
• COMPAQ
• Microsoft
• Ernst &
Young
• eEye
• CISCO
• Rapid 7
• NSFOCUS
• Sanctum
• SecurityFocus
• Red Hat
• VIGILANTe
• Apache
• Apple
http://www.redhat.com/support/errata/RHSA-2001-150.html
assigned CAN-2001-0869 to this issue.
MITRE
23
Candidate Stage: Proposal Through Final Decision
CAN-YYYY-NNNN
Proposal
Modification
• Clustering (date of discovery, OS, service type, etc.)
• Published on CVE web site
• Editorial Board members vote on candidate
•ACCEPT, MODIFY, REVIEWING, NOOP (No Opinion),
RECAST (change level of abstraction), REJECT
• Add references, change description
• Change level of abstraction
• Significant changes may require another round of voting
Interim
Decision
• ACCEPT or REJECT (Requires sufficient votes)
• At least 2 weeks after initial proposal
• 4 days for last-minute feedback
Final
Decision
• ACCEPT or REJECT
• Convert CAN-YYYY-NNNN to CVE-YYYY-NNNN
• Report final voting record
• Create new CVE version
MITRE
24
Entry Stage
CVE-YYYY-NNNN
Publication
• Publish new CVE version and difference report
Modification
• Minor modifications
• Add references
• Change description
Reassessment
• New information may force a re-examination of the entry
• Level of abstraction may need to be changed
• May be a duplicate
• May not be a problem after all
Deprecation
• May need to “delete” an existing entry (e.g. duplicate entries)
• But, some products may still use this number
• Register the “deletion” but keep entry available for review
MITRE
25
Outline for: A Progress Report on the CVE Initiative
0
0
0
0
0
0
0
0
Motivation
Implementing CVE
The CVE List
Candidates
Content Decisions
The Editorial Board and Advisory Council
CVE Compatibility
Challenges and Opportunities
MITRE
26
Content Decisions
0 Explicit guidelines for content of CVE entries
– Ensure and publicize consistency within CVE
– Provide “lessons learned” for researchers
– Document differences between vulnerability “views”
0 Three basic types
– Inclusion: What goes into CVE? What doesn’t, and why?
– Level of Abstraction: One or many entries for similar issues?
– Format: How are CVE entries formatted?
0 Difficult to document
– “[It’s] like trying to grasp wet corn starch” (Board member)
Incomplete information is the bane of consistency - and content decisions!
MITRE
27
Example Content Decision: SF-LOC
(Software Flaws/Lines of Code)
Create separate entries for problems in the same program that are
of different types, or that appear in different software versions.
0 Older versions of this CD distinguished between problems of the
same type
– “Split-by-default” approach generated “too many” candidates
– Also “unfair” to vendors with source code or detailed reports
– Once produced 8 candidates where other tools and databases
would have created only 1 vulnerability record
0 Affected by amount of available information
– Especially source code and exploit details
0 For all candidates affected by SF-LOC, see:
– http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CD:SF-LOC
MITRE
28
SF-LOC Examples
CAN-2000-0686
Auction Weaver CGI script 1.03 and earlier allows remote attackers to
read arbitrary files via a .. (dot dot) attack in the fromfile parameter.
2 failure
points
CAN-2000-0687
Auction Weaver CGI script 1.03 and earlier allows remote attackers to
read arbitrary files via a .. (dot dot) attack in the catdir parameter.
CAN-2000-0971
Avirt Mail 4.0 and 4.2 allows remote attackers to cause a denial of service and possibly
execute arbitrary commands via a long "RCPT TO" or "MAIL FROM" command.
2 failure points
CAN-2001-0019
Arrowpoint (aka Cisco Content Services, or CSS) allows local users to cause a
denial of service via a long argument to the “show script,” “clear script,” “show
archive,” “clear archive,” “show log,” or “clear log” commands.
CAN-2001-0020
Directory traversal vulnerability in Arrowpoint (aka Cisco Content Services, or
CSS) allows local unprivileged users to read arbitrary files via a .. (dot dot) attack
6 failure
points
0 CAN-2001-0019 is clearly different than CAN-2001-0020
– But a single patch fixes both problems
0 CAN-2001-0019 could be 1, 2, or 6 vulnerabilities
MITRE
29
Why CAN-2001-0019 Could Identify 1, 2, or 6
Vulnerabilities
0 3 different source code scenarios
0 Without actual source, can’t be sure
which scenario is true
0 Even with source, there are different
ways of counting
0 Multiple format string problems are
especially difficult to distinguish
strcpy(arg, long_input);
if (strcmp(cmd, "show") == 0) {
process_show_command(arg); }
elsif (strcmp(cmd, "clear") == 0) {
process_show_command(arg); }
if (strcmp(cmd, "show") == 0) {
strcpy(str, long_input);
process_show_command(str); }
elsif (strcmp(cmd, "clear") == 0) {
strcpy(str, long_input);
process_clear_command(str); }
if (strcmp(cmd, "show") == 0) {
if (strcmp(arg1, "script") == 0) {
strcpy(str, long_input);
show_script(str); }
elsif (strcmp(arg1, "archive") == 0) {
strcpy(str, long_input);
show_archive(str); }
elsif (strcmp(arg1, "log") == 0) {
strcpy(str, long_input);
show_log(str); } }
elsif (strcmp(cmd, "clear") == 0) {
if (strcmp(arg1, "script") == 0) {
strcpy(str, long_input);
show_script(str); }
elsif (strcmp(arg1, "archive") == 0) {
strcpy(str, long_input);
show_archive(str); }
elsif (strcmp(arg1, "log") == 0) {
strcpy(str, long_input);
show_log(str); } }
MITRE
30
Outline for: A Progress Report on the CVE Initiative
0
0
0
0
0
0
0
0
Motivation
Implementing CVE
The CVE List
Candidates
Content Decisions
The Editorial Board and Advisory Council
CVE Compatibility
Challenges and Opportunities
MITRE
31
CVE Editorial Board
0 Includes mostly technical
representatives from 35 different
organizations including
researchers, tool vendors,
response teams, and end users
0 Reviews and approves CVE
entries
0 Discusses issues related to CVE
maintenance
0 Holds monthly meetings (face-
to-face or phone)
0 Maintains publicly viewable
mailing list archives
[cve.mitre.org/board/archives]
[cve.mitre.org/board/boardmembers.html] MITRE
32
Editorial Board Roles, Tasks, and Qualifications
0
0
0
0
0
0
0
0
Minimum Expectations
Tasks for All Members
Technical Member Tasks
Liaison Tasks
Advocate Tasks
Emeritus Tasks
Recognition of Former Members
Roles for MITRE
[cve.mitre.org/board/edroles.html]
MITRE
33
CVE Senior Advisory Council Objectives and Roles
...The CVE Council is established to ensure
that the CVE program receives the sponsorship,
including funding and guidance, required to
maximize the effectiveness of this program ...
Council Roles
0 Act as a catalyst for CVE and related activities.
0 Assure funding for the core CVE activity over the
0
0
0
0
0
long term including outreach to Government
organizations and agencies.
Discuss community needs and possible new
CVE services.
Promote the adoption of CVE at the strategic
level.
Business planning & prioritization.
Discuss CVE and related security policy
implications for the Federal Government.
Identify CVE related materials & resources for
use by Government CIOs and senior managers.
MITRE
34
CVE Senior Advisory Council Members
Co-Chairs:
0 John Gilligan, CIO of the USAF, and Co-chair of the
Architecture/Interoperability Committee of the CIO Council
0 Sallie McDonald, GSA Assistant Commissioner Office of Info
Assurance and Critical Infrastructure Protection
0
0
0
0
0
0
0
0
0
Participating Organizations
Department of the Treasury
Department of Energy
Department of Labor
Department of Health and Human Services
Internal Revenue Service
National Institute of Standards and Technology
Critical Infrastructure Assurance Office
National Infrastructure Protection Center
Office of Management and Budget
 GSA
 ASD/C3I
 DISA
 Air Force
 NSA
 Intelligence
Community
 NASA
MITRE
35
Outline for: A Progress Report on the CVE Initiative
0
0
0
0
0
0
0
0
Motivation
Implementing CVE
The CVE List
Candidates
Content Decisions
The Editorial Board and Advisory Council
CVE Compatibility
Challenges and Opportunities
MITRE
36
What does CVE-compatible mean?
0 CVE-compatible means that a tool, database, web site, or security
service can “speak CVE” and correlate data with other CVEcompatible items
0 CVE-compatible means it meets the following requirements:
– Can find items by CVE name (CVE searchable)
– Includes CVE name in output for
each item (CVE output)
– Explain the CVE functionality in
their item’s documentation
(CVE documentation)
– Provided MITRE with “vulnerability”
item mappings to validate the
accuracy of the product or services
CVE entries
– Makes a good faith effort to keep
mappings accurate
[cve.mitre.org/compatible/requirements.html] MITRE
37
New CVE Compatibility Procedure (as of 18 June 2002)
0 Consists of two parts (phase 1 and phase 2):
– Phase 1 - Compliance Declaration
=
Item listed on Compatibility page and quote posted if given
– Phase 2 - Compliance Questionnaire
=
=
Submitted response is evaluated by MITRE
Upon concurrence with Questionnaire:
– Questionnaire response put on CVE site & mapping accuracy evaluated
=
Upon completion of mapping accuracy evaluation
– Use of the CVE-Compatible logo granted
– Vendor free to refer to product or service as CVE-Compatible
0 Status:
– Draft questionnaire developed/tested (takes ~ 3 days to do)
– “sample” questionnaire using CVE Web site created as example
– alpha- & beta-tests conducted with MITRE/Editorial Board
=
Also discussed at length with ~30 organizations w/positive responses
– Revised Compatibility pages to support new processes
MITRE
38
Examples of CVE-compatible items:
The ICAT Metabase
08.13.01 Government Computer News
CVE-names
http://icat.nist.gov
MITRE
39
Where CVE-compatible Items Have Come From
and Where the New Ones Are Coming From
+2, 2
+3, 3
E-Soft Inc.
SecurityWatch.Com
1 Item
+1, 5
1 Item
+2, 2
China National Computer Software & Technology Service Corporation
FuJian RongJi Software Development Company,Ltd
NSFOCUS Information Technology Co., Ltd
Tsinghua UnisNet Ltd.
Venus Information Technology Inc.
9 Items
+1, 1
+13, 30
+2, 2
Red Hat Inc.
2 Items
37 Organizations, 59 Items
Advanced Research Corporation
ArcSight, Inc.
Application Security, Inc.
BindView Corporation
CERIAS, Purdue University
CERT/CC
Cisco Systems, Inc.
Citadel Security Software, Inc.
eEye Digital Security
Enterasys Networks, Inc.
Entercept SECURITY TECHNOLOGIES
ESecurityOnline
Foundstone, Inc.
Harris Corporation
ISS - Internet Security Systems, Inc.
KaVaDo Inc.
LURHQ Company
NCircle Network Security
NetiQ Corporation
Network Associates Inc.
Network Security Systems, Inc.
NFR Security, Inc.
NIST
Qualys, Inc.
Recourse Technologies, Inc.
SAINT Corporation
Sanctum Inc.
The SANS Institute
SecureInfo Corporation
SecurityFocus
Snort.Org
SpiDYNAMICS
Strongbox Security Inc.
Symantec Corporation
Tiger Testing Inc.
Tivoli Systems, Inc.
UCDavis Computer Security Laboratory
VIGILANTe.Com, Inc.
+1, 7
EsCERT-UPC
1 Item
+1
N-Stalker, Inc.
1 Item
+1, 1
+2, 2
E*MAZE Networks S.P.A.
1 Item
Alliance Qualité Logiciel
Cert-IST
INTRANODE Software Technologies
INTRINsec
The Nessus Project
5 Items
INZEN CO., Ltd.
NetSecure Technology, Inc.
Penta Security Systems, Inc.
SecureSoft, Inc.
Wins Technet Co., Ltd.
+1, 1
nSecure Software (P) Ltd.
9 Items
1 Item
Shake Communications Pty Ltd
1 Item
(as of 25 June 2002)
MITRE
0
July 2002
June-2002
May-2002
April-2002
March-2002
February-2002
January-2002
December-2001
November-2001
October-2001
September-2001
August-2001
July-2001
June-2001
May-2001
April-2001
March-2001
February-2001
January-2001
December-2000
November-2000
October-2000
September-2000
August-2000
July-2000
20
June-2000
May-2000
April-2000
March-2000
February-2000
January-2000
December-1999
November-1999
October-1999
40
Timeline of CVE Compatibility Declarations
(as of 18 June 2002)
100
90
80
70
60
50
40
30
Now at 92 products and services from 61 organizations
10
MITRE
41
Several Parts of the Federal Government Have Called for
the Use of CVE and CVE-Compatible products
Furthermore, preference should be
given to products that are Compatible
with the Common Vulnerabilities and
Exposures (CVE) list.
.
Federal departments and agencies should…
1. give substantial consideration to ...
[CVE-compatible] products and services.
2. periodically monitor their systems for
applicable vulnerabilities listed in ... CVE
3. use [CVE] in their descriptions and
communications of vulnerabilities
http://www.acq.osd.mil/dsb/tfreports.htm
http://csrc.nist.gov/publications/drafts/Use_of_the_CVE.PDF
MITRE
42
Outline for: A Progress Report on the CVE Initiative
0
0
0
0
0
0
0
0
Motivation
Implementing CVE
The CVE List
Candidates
Content Decisions
The Editorial Board and Advisory Council
CVE Compatibility
Challenges and Opportunities
MITRE
43
Challenge: Improving the Naming Scheme
0 Some benefits with the current naming scheme
– Compact
– Candidate/entry status encoded within the name
– Most CAN-YYYY-NNNN will become CVE-YYYY-NNNN
– Removes debate about what a “good” name is
0 Some issues
– Changing a CAN to a CVE incurs maintenance costs
– Differences not obvious to casual users
– Year segment can be misunderstood as year of discovery
– Name is not atomic in most search engines, thus difficult to find
– Maximum 10,000 candidates per year (CAN-10K problem)
0 Once public, names must not disappear without explanation
– Deprecated entries, rejected candidates... even typos
– Mappings from old to new names
Any change to the CVE naming scheme will impact many users.
MITRE
44
Managing the Scope of the CVE List
0 What issues should be included?
– Exposures (CD:DEFINITION)
=
=
e.g., running finger
Highly controversial topic before CVE was even public
– Beta software (CD:EX-BETA)
– Online services / ASPs (CD:EX-ONLINE-SVC)
– Client-side DoS (CD:EX-CLIENT-DOS)
– Vague vendor advisories (CD:VAGUE)
0 Malicious code (viruses, Trojans)
0 Configuration problems
– Challenges in abstraction
=
0
0
0
0
Default passwords: 1 CVE, or hundreds?
– Blurry lines between policy, security, and environment
Large-scale analyses, e.g. PROTOS
Voting: how much confidence is needed for official CVE entries?
Timeliness: Fast and noisy or slow and stable?
Intrusion events that do not map to vulnerabilities
MITRE
45
Applicability of CVE to IDS
CVE
0 Vulnerabilities and exposures
IDSes
0 Exploits, detects, decodes,
anomalies, reconnaissance,
probes, scans, malware...
0 System states
0
0
0
0
0
Atomic entities
Easier to classify
Tools less varied
Similar levels of granularity
Easier to match across tools
0 Events
0
0
0
0
0
Hybrid entities
Harder to classify
Tools more varied
Multiple levels of granularity
Harder to match across tools
0 Many public databases
0 One public “database”
0 Known and provable
0 Bad cut-and-paste between
vulnerabilities
signatures, scans for incorrect
vulnerability reports
MITRE
46
CIEL (Common Intrusion Event List)
0 Standardize names for IDS events
– Use lessons learned from CVE
– Handle multiple levels of abstraction
– Ease of use
– Independent of the methods used to detect the event
0 Past Activities (2001)
– Draft CIEL with almost 40 high-level entries created by MITRE
=
=
=
Effectively a draft taxonomy
Too complex
Did not achieve exhaustiveness and mutual exclusiveness
0 CIEL Working Group
– First meeting in March 2001
– Part of the CVE Editorial Board
– Structure, membership, and process TBD
0 Current CIEL
– Names formed from attributes
MITRE
47
CVE in Incident Handling
0 Current Activity Summaries
0
0
0
0
– Which vulnerabilities are being actively exploited?
Incident Reports
– CVE clarifies which vulnerability was exploited
Simplifies data collection from multiple sources
Share incident data across teams
Share data across language barriers
MITRE
48
Responsible Disclosure and CVE: A Case Study
0 CVE analysis includes distinguishing between similar issues
0 Reporters who reserve CVE candidates must follow good
disclosure practices to minimize errors
0 When reporter and vendor do not work closely together
– Multiple CVE’s assigned to the same issue
=
reporter describes symptom, vendor describes the problem
– Inaccurate, incomplete, or unverified reports
0 When vendors do not acknowledge the vulnerability
– Less likely that the Editorial Board will accept a candidate
– Too resource-intensive to verify every report
0 When vendors do not include sufficient details in advisories
– Can be difficult to tell which vulnerability was fixed
– Change logs can be vague
– Even credits aren’t always enough!
– Source diffs (when available) may be insufficient
MITRE
49
The CVE Strategy: Where are we?
4. Establish CVE in vendor fix-it
sites and update mechanisms
• Adding CVE names broached with 13 groups.
Commercial S/W Products
Unreviewed
Update and Fix Sites &
Update Mechanisms
Bugtraqs, Mailing lists,
Hacker sites
Discovery
Policy
Reviewed Advisories
CERT, CIAC,
Vendor advisories
Security Products
Scanners, Intrusion Detection,
Vulnerability Databases
1. Inject CVE Names
into advisories
CVE names have been included
in initial advisories from ISS XForce, Rain Forest Puppy, IBM,
@stake, BindView, CERT/CC,
HP, SGI, COMPAQ, Microsoft,
Ernst & Young, eEye, CISCO,
Rapid 7, NSFOCUS, Sanctum,
SecurityFocus, VIGILANTe,
Red Hat, Apache, and Apple.
(as of 18 June 2002)
2. Establish CVE at security
product level in order to ...
• 2223 CVE Entries -2419 Candidates.
• 92 CVE-compatible
products from 61 groups.
• 54 more from 27 others
in “the works”.
time
Methodologies
Purchasing
Requirements
Education
3. … enable CVE to permeate
the policy level.
• SANS / FBI Top 20 uses CVE names
• Network Computing IDS & Scanner
Comparisons included CVE
• Draft NIST Rec. calls for use of CVE
• DSB Report calls for CVE compatibility
• Network World IDS Comparison
included CVE coverage
MITRE
50
Progress in a Nutshell
400+ CANs Reserved
Security
Advisories
Broached w/
13 vendors
SANS Top 20
Priority
Lists
Scanner
Comparisons
Software Vendor
Patches
Vulnerability
Scanners
Intrusion Detection
Systems
CIEL
Incident Response
& Reporting
Research
Cassandra
FIRST
Vulnerability Web
Sites & Databases
ICAT
MITRE
51
For More Information
CVE web site
http://cve.mitre.org
MITRE
52
MITRE
Download