520 likes | 534 Views
This progress report discusses the motivation, implementation, and challenges of the Common Vulnerabilities and Exposures (CVE) initiative. It also covers the CVE list, editorial decisions, and compatibility. The report highlights the importance of integrating vulnerability information and the benefits of using CVE numbers.
E N D
A Progress Reporton theCVE Initiative Robert Martin Steven Christey David Baker The MITRE Corporation June 27, 2002
Outline for: A Progress Report on the CVE Initiative • Motivation • Implementing CVE • The CVE List • Candidates • Content Decisions • The Editorial Board and Advisory Council • CVE Compatibility • Challenges and Opportunities
CERT/CC Incidents Reported http://www.theregister.co.uk/content/53/24244.html http://www.cert.org/advisories/CA-2002-06.html 120000 Projected based on Q1 2002 actual reported incidents 100000 80000 60000 40000 20000 http://www.baselinemag.com/article/0,3658,s=1867&a=23195,00.asp 0 http://www.eweek.com/article/0,3658,s=701&a=23193,00.asp 1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 Many Motivations for Getting on top of Vulnerabilities
Mail Servers 1st Up Mail Server All-Mail ALMail32 Avirt Mail Server Becky! Internet Mail CWMail Domino Mail Server Exchange Server Hotmail Internet Anywhere Mail Server ITHouse Mail Server Microsoft Exchange Pegasus Mail Sendmail Web servers & tools Domino HTTP Server IIS NCSA Web Server Sawmill WebTrends Log Analyzer Desktop Applications Acrobat Clip Art Excel FrameMaker Internet Explorer Napster client Notes Client Novell client Office Outlook PowerPoint Project Quake R5 Client StarOffice Timbuktu Pro Word Works Workshop Operating Systems AIX BeOS BSD/OS DG/UX FreeBSD HP-UX IRIX Linux MacOS Runtime for Java MPE/iX NetWare OpenBSD Palm OS Red Hat Security-Enhanced Linux Solaris SunOS Ultrix Windows 2000 Windows 95 Windows 98 Windows ME Windows NT Internet AFS Apache BIND CGI Cron IMAP Routers 3220-H DSL Router 650-ST ISDN Router Ascend Routers Cisco Routers R-series routers Security Software ACE/Server BlackICE Agent BlackICE Defender Certificate Server CProxy Server ETrust Intrusion Detection GateKeeper InterScan VirusWall Kerberos 5 Norton AntiVirus PGP SiteMinder Tripwire Development Tools ClearCase ColdFusion Flash Frontpage GNU Emacs JRun WebLogic Server Visual Basic Visual Studio Network Applications BackOffice Meeting Maker NetMeeting Firewalls Firewall-1 Gauntlet Firewall PIX Firewall Raptor Firewall SOHO Firewall DBMSs Access DB2 Universal Database FileMaker Pro MSQL Oracle Vulnerabilities Have Been Found in Almost Every Type of Commercial Software There Is Sample of Vulnerabilities Announced in 1999 & 2000
Security Advisories Priority Lists Software Vendor Patches Vulnerability Scanners Intrusion Detection Systems ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? Research Incident Response & Reporting Vulnerability Web Sites & Databases Difficult to Integrate Information on Vulnerabilities and Exposures
The adoption of CVE Names by the Security Community is starting to address this problem Finding and sharing vulnerability information has been difficult: The Same Problem, Different Names Along with the new rule, “Whoever finds it, gets a CVE name for it” Which has been caused by the rule, “Whoever finds it, names it”
Security Advisories Priority Lists Software Vendor Patches Vulnerability Scanners Intrusion Detection Systems Research Incident Response & Reporting Vulnerability Web Sites & Databases The CVE List provides a path for integrating information on Vulnerabilities and Exposures CVE-1999-0067
All CVE-names Unix Windows Note 2. CVE Numbers You’ll find references to CVE (Common Vulnerabilities and Exposures) numbers accompanying each vulnerability. You may also see CAN numbers. CAN numbers are candidates for CVE entries that are not yet fully verified. For more data on the Award-winning CVE project, see http://cve.mitre.org. In the General Vulnerabilities section, the CVE numbers listed are examples of Some of the vulnerabilities that are covered by each listed item. Those CVE lists are not meant to be all-inclusive. However, for the Windows and Unix Vulnerabilities, the CVE numbers reflect the top Priority vulnerabilities that should be checked for each item. FBI/SANS Institute 2001 Top Twenty uses CVE names…yet another step down the policy road http://www.sans.org/top20.htm
… or the vulnerabilities they do or don’t find... by talking about the vulnerabilities they do or do not have... Ad from SC Magazine (April 2002) Tables from Network Computing Article “To Catch a THIEF” (8/20/2001) CVE is Even Being Used to to Compare and Contrast products
Outline for: A Progress Report on the CVE Initiative • Motivation • Implementing CVE • The CVE List • Candidates • Content Decisions • The Editorial Board and Advisory Council • CVE Compatibility • Challenges and Opportunities
The Common Vulnerabilities and Exposures (CVE) Initiative • An international security community activity led by MITRE focused on developing a list that provides common names for publicly known information security vulnerabilities and exposures. • Key tenets • One name for one vulnerability or exposure • One standardized description for each vulnerability or exposure • Existence as a dictionary rather than a database • Publicly accessible for review or download from the Internet • Industry participation in open forum (editorial board) • The CVE list and information about the CVE effort are available on the CVE web site at [cve.mitre.org] 2223 approved entries, 2419 being voted on, ~4500 under analysis, ~100-150 new/month
4. Establish CVE in vendor fix-it sites and update mechanisms 1. Inject Candidate numbers into advisories 2. Establish CVE at security product level in order to ... 3. … enable CVE to permeate the policy level. The CVE Strategy Commercial S/W Products Update and Fix Sites & Update Mechanisms Unreviewed Bugtraqs, Mailing lists, Hacker sites Discovery Policy time Security Products Reviewed Advisories CERT, CIAC, Vendor advisories Methodologies Purchasing Requirements Education Scanners, Intrusion Detection, Vulnerability Databases
Tables from Network Computing Article “To Catch a THIEF” (8/20/2001) Example: CVE helping to make Detailed Product Comparisons Network Computing Article “Vulnerability Assessment Scanners” (1/8/2001)
- 51 plus (11 countries) - 11 to 50 registered (39 countries) - 1 to 10 registered (71 countries) CVE email Lists have an International readership Representing ~ 2200 registered email subscribers
Outline for: A Progress Report on the CVE Initiative • Motivation • Implementing CVE • The CVE List • Candidates • Content Decisions • The Editorial Board and Advisory Council • CVE Compatibility • Challenges and Opportunities
ISS, SecurityFocus, Neohapsis, NIPC CyberNotes New Submissions 150–500 per/month AXENT, BindView, Harris, Cisco, CERIAS, Hiverworld, SecurityFocus, ISS, NAI, Symantec, Nessus Candidates in New Alerts & Advisories 5–15 per/month New Vulnerabilities Vulnerability Databases CVE Content Team Vulnerability Databases Legacy Submissions ~8400 CVE Candidates ——— —— 563 dups ~2419 Yes Yes Yes 4 CVE List Editorial Board ~2223 Where the CVE List comes from 2,500|3,900|1,100|900 info study
5000 Candidates 4500 CVE Entries 4000 3500 Sep-99 Oct-99 Nov-99 Dec-99 Jan-00 Feb-00 Mar-00 Apr-00 May-00 Jun-00 Jul-00 Aug-00 Sep-00 Oct-00 Nov-00 Dec-00 Jan-01 Feb-01 Mar-01 Apr-01 May-01 Jun-01 Jul-01 Aug-01 Sep-01 Oct-01 Nov-01 Dec-01 Jan-02 Feb-02 Mar-02 Apr-02 May-02 Jun-02 3000 2500 2000 1500 1000 500 0 CVE Growth Status (as of June 26, 2002) • 2223 entries • 2419 candidates
Outline for: A Progress Report on the CVE Initiative • Motivation • Implementing CVE • The CVE List • Candidates • Content Decisions • The Editorial Board and Advisory Council • CVE Compatibility • Challenges and Opportunities
Conversion • Convert items in database/tool to submission format • Assign temporary ID’s to each submission Matching • Find most similar submissions, candidates, and entries based on keywords Refinement • Combine all matched submissions into groups • Use each group to create candidates Identifying Known Vulnerabilities:The CVE Submission Stage • Sources provide MITRE with their lists of all known vulnerabilities • MITRE’s CVE Content Team processes submissions
B:1 17 C:1 19 To Source A ftp-pasv = CAN-YYYY-NNNN iis-dos = CAN-1999-1234 A:2 ftp-pasv To Source B 17 = CAN-YYYY-NNNN 524 = CAN-1999-1234 Backmap To Source C 19 = CAN-YYYY-NNNN CAN-1999-1234 B:3 524 A:1 iis-dos Candidate Stage: Assignment • Assign new number (CAN-YYYY-NNNN) • YYYY is the year in which the number was assigned; NNNN is a counter for that year CAN-YYYY-NNNN • Backmap: internal ID’s mapped to candidate names, sent back to provider • Submissions removed
Candidate Numbering Authority Researcher / Vendor Request Candidate MITRE CAN POOL CAN-YYYY-NNNN • Primary CNA • Accessible to researchers and vendors • Educate CNA about content decisions • Update CVE web site when candidate is publicly announced • Track potential abuses • Request candidate from CNA • Provide candidate number to vendor and other parties • Include candidate number in initial public announcement • Notify MITRE of announcement • Perform due diligence to avoid duplicate or incorrect candidates • Follow responsible disclosure practices to increase confidence in correctness of the candidate • Obtain pool of candidate numbers from MITRE • Define requirements for researchers to obtain a candidate • Assign correct number of candidate numbers (follow content decisions) • Ensure candidate is shared across all parties • Do not use candidates in “competitive” fashion Candidate Reservation Process 400+ CANs reserved Reserving and coordinating CANs requires a process change for all parties.
assigned CAN-2001-0869 to this issue. Many organizations are reserving CVE names and using them in their alerts and advisories To-date, CVE names have been included in initial advisories from: • ISS X-Force • IBM • Rain Forest Puppy • @stake • BindView • HP • CERT/CC • SGI • COMPAQ • Microsoft • Ernst & Young • eEye • CISCO • Rapid 7 • NSFOCUS • Sanctum • SecurityFocus • Red Hat • VIGILANTe • Apache • Apple http://www.redhat.com/support/errata/RHSA-2001-150.html
CAN-YYYY-NNNN • Clustering (date of discovery, OS, service type, etc.) • Published on CVE web site • Editorial Board members vote on candidate • ACCEPT, MODIFY, REVIEWING, NOOP (No Opinion), RECAST (change level of abstraction), REJECT Proposal • Add references, change description • Change level of abstraction • Significant changes may require another round of voting Modification • ACCEPT or REJECT (Requires sufficient votes) • At least 2 weeks after initial proposal • 4 days for last-minute feedback Interim Decision • ACCEPT or REJECT • Convert CAN-YYYY-NNNN to CVE-YYYY-NNNN • Report final voting record • Create new CVE version Final Decision Candidate Stage: Proposal Through Final Decision
CVE-YYYY-NNNN Publication • Publish new CVE version and difference report • Minor modifications • Add references • Change description Modification • New information may force a re-examination of the entry • Level of abstraction may need to be changed • May be a duplicate • May not be a problem after all Reassessment • May need to “delete” an existing entry (e.g. duplicate entries) • But, some products may still use this number • Register the “deletion” but keep entry available for review Deprecation Entry Stage
Outline for: A Progress Report on the CVE Initiative • Motivation • Implementing CVE • The CVE List • Candidates • Content Decisions • The Editorial Board and Advisory Council • CVE Compatibility • Challenges and Opportunities
Content Decisions • Explicit guidelines for content of CVE entries • Ensure and publicize consistency within CVE • Provide “lessons learned” for researchers • Document differences between vulnerability “views” • Three basic types • Inclusion: What goes into CVE? What doesn’t, and why? • Level of Abstraction: One or many entries for similar issues? • Format: How are CVE entries formatted? • Difficult to document • “[It’s] like trying to grasp wet corn starch” (Board member) Incomplete information is the bane of consistency - and content decisions!
Example Content Decision: SF-LOC(Software Flaws/Lines of Code) • Older versions of this CD distinguished between problems of the same type • “Split-by-default” approach generated “too many” candidates • Also “unfair” to vendors with source code or detailed reports • Once produced 8 candidates where other tools and databases would have created only 1 vulnerability record • Affected by amount of available information • Especially source code and exploit details • For all candidates affected by SF-LOC, see: • http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CD:SF-LOC Create separate entries for problems in the same program that are of different types, or that appear in different software versions.
Avirt Mail 4.0 and 4.2 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long "RCPT TO" or "MAIL FROM" command. CAN-2000-0971 2 failure points Auction Weaver CGI script 1.03 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack in the fromfile parameter. CAN-2000-0686 2 failure points Auction Weaver CGI script 1.03 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack in the catdir parameter. CAN-2000-0687 Directory traversal vulnerability in Arrowpoint (aka Cisco Content Services, or CSS) allows local unprivileged users to read arbitrary files via a .. (dot dot) attack CAN-2001-0020 Arrowpoint (aka Cisco Content Services, or CSS) allows local users to cause a denial of service via a long argument to the “show script,” “clear script,” “show archive,” “clear archive,” “show log,” or “clear log” commands. CAN-2001-0019 SF-LOC Examples • CAN-2001-0019 is clearly different than CAN-2001-0020 • But a single patch fixes both problems • CAN-2001-0019 could be 1, 2, or 6 vulnerabilities 6 failure points
Why CAN-2001-0019 Could Identify 1, 2, or 6 Vulnerabilities • 3 different source code scenarios • Without actual source, can’t be sure which scenario is true • Even with source, there are different ways of counting • Multiple format string problems are especially difficult to distinguish if (strcmp(cmd, "show") == 0) { if (strcmp(arg1, "script") == 0) { strcpy(str, long_input); show_script(str); } elsif (strcmp(arg1, "archive") == 0) { strcpy(str, long_input); show_archive(str); } elsif (strcmp(arg1, "log") == 0) { strcpy(str, long_input); show_log(str); } } elsif (strcmp(cmd, "clear") == 0) { if (strcmp(arg1, "script") == 0) { strcpy(str, long_input); show_script(str); } elsif (strcmp(arg1, "archive") == 0) { strcpy(str, long_input); show_archive(str); } elsif (strcmp(arg1, "log") == 0) { strcpy(str, long_input); show_log(str); } } strcpy(arg, long_input); if (strcmp(cmd, "show") == 0) { process_show_command(arg); } elsif (strcmp(cmd, "clear") == 0) { process_show_command(arg); } if (strcmp(cmd, "show") == 0) { strcpy(str, long_input); process_show_command(str); } elsif (strcmp(cmd, "clear") == 0) { strcpy(str, long_input); process_clear_command(str); }
Outline for: A Progress Report on the CVE Initiative • Motivation • Implementing CVE • The CVE List • Candidates • Content Decisions • The Editorial Board and Advisory Council • CVE Compatibility • Challenges and Opportunities
CVE Editorial Board • Includes mostly technical representatives from 35 different organizations including researchers, tool vendors, response teams, and end users • Reviews and approves CVE entries • Discusses issues related to CVE maintenance • Holds monthly meetings (face-to-face or phone) • Maintains publicly viewable mailing list archives [cve.mitre.org/board/archives] [cve.mitre.org/board/boardmembers.html]
Editorial Board Roles, Tasks, and Qualifications • Minimum Expectations • Tasks for All Members • Technical Member Tasks • Liaison Tasks • Advocate Tasks • Emeritus Tasks • Recognition of Former Members • Roles for MITRE [cve.mitre.org/board/edroles.html]
CVE Senior Advisory Council Objectives and Roles ...The CVE Council is established to ensure that the CVE program receives the sponsorship, including funding and guidance, required to maximize the effectiveness of this program ... Council Roles • Act as a catalyst for CVE and related activities. • Assure funding for the core CVE activity over the long term including outreach to Government organizations and agencies. • Discuss community needs and possible new CVE services. • Promote the adoption of CVE at the strategic level. • Business planning & prioritization. • Discuss CVE and related security policy implications for the Federal Government. • Identify CVE related materials & resources for use by Government CIOs and senior managers.
CVE Senior Advisory Council Members Co-Chairs: • John Gilligan, CIO of the USAF, and Co-chair of the Architecture/Interoperability Committee of the CIO Council • Sallie McDonald, GSA Assistant Commissioner Office of Info Assurance and Critical Infrastructure Protection Participating Organizations • Department of the Treasury • Department of Energy • Department of Labor • Department of Health and Human Services • Internal Revenue Service • National Institute of Standards and Technology • Critical Infrastructure Assurance Office • National Infrastructure Protection Center • Office of Management and Budget • GSA • ASD/C3I • DISA • Air Force • NSA • Intelligence Community • NASA
Outline for: A Progress Report on the CVE Initiative • Motivation • Implementing CVE • The CVE List • Candidates • Content Decisions • The Editorial Board and Advisory Council • CVE Compatibility • Challenges and Opportunities
What does CVE-compatible mean? • CVE-compatible means that a tool, database, web site, or security service can “speak CVE” and correlate data with other CVE-compatible items • CVE-compatible means it meets the following requirements: • Can find items by CVE name (CVE searchable) • Includes CVE name in output for each item (CVE output) • Explain the CVE functionality in their item’s documentation (CVE documentation) • Provided MITRE with “vulnerability” item mappings to validate the accuracy of the product or services CVE entries • Makes a good faith effort to keep mappings accurate [cve.mitre.org/compatible/requirements.html]
New CVE Compatibility Procedure (as of 18 June 2002) • Consists of two parts (phase 1 and phase 2): • Phase 1 - Compliance Declaration • Item listed on Compatibility page and quote posted if given • Phase 2 - Compliance Questionnaire • Submitted response is evaluated by MITRE • Upon concurrence with Questionnaire: • Questionnaire response put on CVE site & mapping accuracy evaluated • Upon completion of mapping accuracy evaluation • Use of the CVE-Compatible logo granted • Vendor free to refer to product or service as CVE-Compatible • Status: • Draft questionnaire developed/tested (takes ~ 3 days to do) • “sample” questionnaire using CVE Web site created as example • alpha- & beta-tests conducted with MITRE/Editorial Board • Also discussed at length with ~30 organizations w/positive responses • Revised Compatibility pages to support new processes
08.13.01 Government Computer News Examples of CVE-compatible items:The ICAT Metabase CVE-names http://icat.nist.gov
China National Computer Software & Technology Service Corporation FuJian RongJi Software Development Company,Ltd NSFOCUS Information Technology Co., Ltd Tsinghua UnisNet Ltd. Venus Information Technology Inc. +3, 3 E-Soft Inc. +1, 7 +2, 2 SecurityWatch.Com 1 Item +1, 5 9 Items 1 Item +2, 2 +1, 1 Red Hat Inc. +2, 2 +13, 30 2 Items 37 Organizations, 59 Items Advanced Research Corporation ArcSight, Inc. Application Security, Inc. BindView Corporation CERIAS, Purdue University CERT/CC Cisco Systems, Inc. Citadel Security Software, Inc. eEye Digital Security Enterasys Networks, Inc. Entercept SECURITY TECHNOLOGIES ESecurityOnline Foundstone, Inc. Harris Corporation ISS - Internet Security Systems, Inc. KaVaDo Inc. LURHQ Company NCircle Network Security NetiQ Corporation Network Associates Inc. Network Security Systems, Inc. NFR Security, Inc. NIST Qualys, Inc. Recourse Technologies, Inc. SAINT Corporation Sanctum Inc. The SANS Institute SecureInfo Corporation SecurityFocus Snort.Org SpiDYNAMICS Strongbox Security Inc. Symantec Corporation Tiger Testing Inc. Tivoli Systems, Inc. UCDavis Computer Security Laboratory VIGILANTe.Com, Inc. EsCERT-UPC 1 Item N-Stalker, Inc. INZEN CO., Ltd. NetSecure Technology, Inc. Penta Security Systems, Inc. SecureSoft, Inc. Wins Technet Co., Ltd. +1 1 Item E*MAZE Networks S.P.A. +1, 1 1 Item 9 Items nSecure Software (P) Ltd. Alliance Qualité Logiciel Cert-IST INTRANODE Software Technologies INTRINsec The Nessus Project +2, 2 1 Item 5 Items Shake Communications Pty Ltd +1, 1 1 Item and Where the New Ones Are Coming From Where CVE-compatible Items Have Come From (as of 25 June 2002)
100 90 October-1999 November-1999 December-1999 January-2000 February-2000 March-2000 April-2000 May-2000 June-2000 July-2000 August-2000 September-2000 October-2000 November-2000 December-2000 January-2001 February-2001 March-2001 April-2001 May-2001 June-2001 July-2001 August-2001 September-2001 October-2001 November-2001 December-2001 January-2002 February-2002 March-2002 April-2002 May-2002 June-2002 July 2002 80 70 60 50 40 30 20 Now at 92 products and services from 61 organizations 10 0 Timeline of CVE Compatibility Declarations (as of 18 June 2002)
Several Parts of the Federal Government Have Called for the Use of CVE and CVE-Compatible products Furthermore, preference should be given to products that are Compatible with the Common Vulnerabilities and Exposures (CVE) list. . Federal departments and agencies should… 1. give substantial consideration to ... [CVE-compatible] products and services. 2. periodically monitor their systems for applicable vulnerabilities listed in ... CVE 3. use [CVE] in their descriptions and communications of vulnerabilities http://www.acq.osd.mil/dsb/tfreports.htm http://csrc.nist.gov/publications/drafts/Use_of_the_CVE.PDF
Outline for: A Progress Report on the CVE Initiative • Motivation • Implementing CVE • The CVE List • Candidates • Content Decisions • The Editorial Board and Advisory Council • CVE Compatibility • Challenges and Opportunities
Challenge: Improving the Naming Scheme • Some benefits with the current naming scheme • Compact • Candidate/entry status encoded within the name • Most CAN-YYYY-NNNN will become CVE-YYYY-NNNN • Removes debate about what a “good” name is • Some issues • Changing a CAN to a CVE incurs maintenance costs • Differences not obvious to casual users • Year segment can be misunderstood as year of discovery • Name is not atomic in most search engines, thus difficult to find • Maximum 10,000 candidates per year (CAN-10K problem) • Once public, names must not disappear without explanation • Deprecated entries, rejected candidates... even typos • Mappings from old to new names Any change to the CVE naming scheme will impact many users.
Managing the Scope of the CVE List • What issues should be included? • Exposures (CD:DEFINITION) • e.g., running finger • Highly controversial topic before CVE was even public • Beta software (CD:EX-BETA) • Online services / ASPs (CD:EX-ONLINE-SVC) • Client-side DoS (CD:EX-CLIENT-DOS) • Vague vendor advisories (CD:VAGUE) • Malicious code (viruses, Trojans) • Configuration problems • Challenges in abstraction • Default passwords: 1 CVE, or hundreds? • Blurry lines between policy, security, and environment • Large-scale analyses, e.g. PROTOS • Voting: how much confidence is needed for official CVE entries? • Timeliness: Fast and noisy or slow and stable? • Intrusion events that do not map to vulnerabilities
Vulnerabilities and exposures System states Atomic entities Easier to classify Tools less varied Similar levels of granularity Easier to match across tools Many public databases Known and provable vulnerabilities Exploits, detects, decodes, anomalies, reconnaissance, probes, scans, malware... Events Hybrid entities Harder to classify Tools more varied Multiple levels of granularity Harder to match across tools One public “database” Bad cut-and-paste between signatures, scans for incorrect vulnerability reports Applicability of CVE to IDS CVE IDSes
CIEL (Common Intrusion Event List) • Standardize names for IDS events • Use lessons learned from CVE • Handle multiple levels of abstraction • Ease of use • Independent of the methods used to detect the event • Past Activities (2001) • Draft CIEL with almost 40 high-level entries created by MITRE • Effectively a draft taxonomy • Too complex • Did not achieve exhaustiveness and mutual exclusiveness • CIEL Working Group • First meeting in March 2001 • Part of the CVE Editorial Board • Structure, membership, and process TBD • Current CIEL • Names formed from attributes
CVE in Incident Handling • Current Activity Summaries • Which vulnerabilities are being actively exploited? • Incident Reports • CVE clarifies which vulnerability was exploited • Simplifies data collection from multiple sources • Share incident data across teams • Share data across language barriers
Responsible Disclosure and CVE: A Case Study • CVE analysis includes distinguishing between similar issues • Reporters who reserve CVE candidates must follow good disclosure practices to minimizeerrors • When reporter and vendor do not work closely together • Multiple CVE’s assigned to the same issue • reporter describes symptom, vendor describes the problem • Inaccurate, incomplete, or unverified reports • When vendors do not acknowledge the vulnerability • Less likely that the Editorial Board will accept a candidate • Too resource-intensive to verify every report • When vendors do not include sufficient details in advisories • Can be difficult to tell which vulnerability was fixed • Change logs can be vague • Even credits aren’t always enough! • Source diffs (when available) may be insufficient
4. Establish CVE in vendor fix-it sites and update mechanisms 1. Inject CVE Names into advisories 2. Establish CVE at security product level in order to ... 3. … enable CVE to permeate the policy level. : Where are we? (as of 18 June 2002) The CVE Strategy • Adding CVE names broached with 13 groups. Commercial S/W Products Update and Fix Sites & Update Mechanisms Unreviewed Bugtraqs, Mailing lists, Hacker sites Discovery Policy time Security Products Reviewed Advisories CERT, CIAC, Vendor advisories Methodologies Purchasing Requirements Education Scanners, Intrusion Detection, Vulnerability Databases CVE names have been included in initial advisories from ISS X-Force, Rain Forest Puppy, IBM, @stake, BindView, CERT/CC, HP, SGI, COMPAQ, Microsoft, Ernst & Young, eEye, CISCO, Rapid 7, NSFOCUS, Sanctum, SecurityFocus, VIGILANTe, Red Hat, Apache, and Apple. • SANS / FBI Top 20 uses CVE names • Network Computing IDS & Scanner Comparisons included CVE • Draft NIST Rec. calls for use of CVE • DSB Report calls for CVE compatibility • Network World IDS Comparison included CVE coverage • 2223 CVE Entries -- 2419 Candidates. • 92 CVE-compatible products from 61 groups. • 54 more from 27 others in “the works”.
Security Advisories Priority Lists Software Vendor Patches Vulnerability Scanners Intrusion Detection Systems Research Incident Response & Reporting Vulnerability Web Sites & Databases Progress in a Nutshell 400+ CANs Reserved Broached w/ 13 vendors SANS Top 20 Scanner Comparisons CIEL Cassandra FIRST ICAT