A Progress Report on the CVE Initiative

Robert Martin, Steven Christey, David Baker
The MITRE Corporation
June 27, 2002
MITRE
Outline for: A Progress Report on the CVE Initiative

• Motivation
• Implementing CVE
• The CVE List
• Candidates
• Content Decisions
• The Editorial Board and Advisory Council
• CVE Compatibility
• Challenges and Opportunities
Many Motivations for Getting on top of Vulnerabilities

[Chart: CERT/CC Incidents Reported, by year from 1988 to 2002, on a scale of 0 to 120,000; the 2002 figure is projected based on Q1 2002 actual reported incidents]

http://www.eweek.com/article/0,3658,s=701&a=23193,00.asp
http://www.baselinemag.com/article/0,3658,s=1867&a=23195,00.asp
http://www.theregister.co.uk/content/53/24244.html
http://www.cert.org/advisories/CA-2002-06.html
Vulnerabilities Have Been Found in Almost Every Type of Commercial Software There Is

Sample of Vulnerabilities Announced in 1999 & 2000:

Routers: 3220-H DSL Router, 650-ST ISDN Router, Ascend Routers, Cisco Routers, R-series routers
Web servers & tools: Domino HTTP Server, IIS, NCSA Web Server, Sawmill, WebTrends Log Analyzer
Operating Systems: AIX, BeOS, BSD/OS, DG/UX, FreeBSD, HP-UX, IRIX, Linux, MacOS Runtime for Java, MPE/iX, NetWare, OpenBSD, Palm OS, Red Hat, Security-Enhanced Linux, Solaris, SunOS, Ultrix, Windows 2000, Windows 95, Windows 98, Windows ME, Windows NT
Firewalls: Firewall-1, Gauntlet Firewall, PIX Firewall, Raptor Firewall, SOHO Firewall
Development Tools: ClearCase, ColdFusion, Flash, Frontpage, GNU Emacs, JRun, WebLogic Server, Visual Basic, Visual Studio
Network Applications: BackOffice, Meeting Maker, NetMeeting
Security Software: ACE/Server, BlackICE Agent, BlackICE Defender, Certificate Server, CProxy Server, ETrust Intrusion Detection, GateKeeper, InterScan VirusWall, Kerberos 5, Norton AntiVirus, PGP, SiteMinder, Tripwire
Mail Servers: 1st Up Mail Server, All-Mail, ALMail32, Avirt Mail Server, Becky! Internet Mail, CWMail, Domino Mail Server, Exchange Server, Hotmail, Internet Anywhere Mail Server, ITHouse Mail Server, Microsoft Exchange, Pegasus Mail, Sendmail
Internet: AFS, Apache, BIND, CGI, Cron, IMAP
Desktop Applications: Acrobat, Clip Art, Excel, FrameMaker, Internet Explorer, Napster client, Notes Client, Novell client, Office, Outlook, PowerPoint, Project, Quake, R5 Client, StarOffice, Timbuktu Pro, Word, Works, Workshop
DBMSs: Access, DB2 Universal Database, FileMaker Pro, MSQL, Oracle
Difficult to Integrate Information on Vulnerabilities and Exposures

[Diagram: eight sources of vulnerability information, linked to one another only by question marks: Vulnerability Scanners; Incident Response & Reporting; Vulnerability Web Sites & Databases; Software Vendor Patches; Intrusion Detection Systems; Security Advisories; Priority Lists; Research]
Finding and sharing vulnerability information has been difficult: The Same Problem, Different Names

Organization   Name
CERT           CA-96.06.cgi_example_code
CyberSafe      Network: HTTP ‘phf’ Attack
ISS            http-cgi-phf
AXENT          phf CGI allows remote command execution
Bugtraq        PHF Attacks – Fun and games for the whole family
BindView       #107 – cgi-phf
Cisco          #3200 – WWW phf attack
IBM ERS        Vulnerability in NCSA/Apache Example Code
CERIAS         http_escshellcmd
NAI            #10004 - WWW phf check

This has been caused by the rule, “Whoever finds it, names it.”
Along with the new rule, “Whoever finds it, gets a CVE name for it,” the adoption of CVE Names by the Security Community is starting to address this problem.
The CVE List provides a path for integrating information on Vulnerabilities and Exposures

[Diagram: the same eight sources (Vulnerability Scanners; Incident Response & Reporting; Vulnerability Web Sites & Databases; Software Vendor Patches; Intrusion Detection Systems; Security Advisories; Priority Lists; Research), now linked through one shared name, CVE-1999-0067]
FBI/SANS Institute 2001 Top Twenty uses CVE names
…yet another step down the policy road

http://www.sans.org/top20.htm

[Screenshot of the Top Twenty document, with its All, Unix and Windows sections and the CVE names highlighted]

Excerpt from the Top Twenty document:

Note 2. CVE Numbers
You’ll find references to CVE (Common Vulnerabilities and Exposures) numbers accompanying each vulnerability. You may also see CAN numbers. CAN numbers are candidates for CVE entries that are not yet fully verified. For more data on the Award-winning CVE project, see http://cve.mitre.org. In the General Vulnerabilities section, the CVE numbers listed are examples of some of the vulnerabilities that are covered by each listed item. Those CVE lists are not meant to be all-inclusive. However, for the Windows and Unix Vulnerabilities, the CVE numbers reflect the top priority vulnerabilities that should be checked for each item.
CVE is Even Being Used to Compare and Contrast products

Ad from SC Magazine (April 2002): by talking about the vulnerabilities they do or do not have...

Tables from Network Computing Article “To Catch a THIEF” (8/20/2001): … or the vulnerabilities they do or don’t find...
The Common Vulnerabilities and Exposures (CVE) Initiative

• An international security community activity led by MITRE focused on developing a list that provides common names for publicly known information security vulnerabilities and exposures.
• Key tenets
  – One name for one vulnerability or exposure
  – One standardized description for each vulnerability or exposure
  – Existence as a dictionary rather than a database
  – Publicly accessible for review or download from the Internet
  – Industry participation in open forum (editorial board)
• The CVE list and information about the CVE effort are available on the CVE web site at [cve.mitre.org]

2223 approved entries, 2419 being voted on, ~4500 under analysis, ~100-150 new/month
The CVE Strategy

[Diagram: layers of vulnerability information arranged along a discovery-time axis, with the four strategy steps attached to them]

Unreviewed: Bugtraqs, mailing lists, hacker sites
Reviewed Advisories: CERT, CIAC, vendor advisories
  1. Inject Candidate numbers into advisories
Security Products: scanners, intrusion detection, vulnerability databases
  2. Establish CVE at security product level in order to ...
Policy: methodologies, purchasing requirements, education
  3. … enable CVE to permeate the policy level.
Commercial S/W Products: update and fix sites & update mechanisms
  4. Establish CVE in vendor fix-it sites and update mechanisms
Example: CVE helping to make Detailed Product Comparisons

[Tables reproduced from the Network Computing article “Vulnerability Assessment Scanners” (1/8/2001) and from the Network Computing article “To Catch a THIEF” (8/20/2001)]
CVE email Lists have an International readership

[Map: countries shaded by number of registered subscribers, representing ~2200 registered email subscribers in total]
- 51 plus (11 countries)
- 11 to 50 registered (39 countries)
- 1 to 10 registered (71 countries)
Where the CVE List comes from

[Diagram: submissions flow through the CVE Content Team and the Editorial Board into the CVE List]

Legacy Submissions (~8400) from Vulnerability Databases: AXENT, BindView, Harris, Cisco, CERIAS, Hiverworld, SecurityFocus, ISS, NAI, Symantec, Nessus
New Submissions (150–500 per month) from New Vulnerabilities: ISS, SecurityFocus, Neohapsis, NIPC CyberNotes
Candidates in New Alerts & Advisories (5–15 per month)
  ↓
CVE Content Team → CVE Candidates (~2419)
  ↓
Editorial Board (votes Yes) → CVE List (~2223)

The figure also breaks the submissions down into 2,500 / 3,900 / 1,100 / 900 (labelled dups, info, study) and 563.
CVE Growth

[Chart: monthly counts of Candidates and CVE Entries from Sep-99 to Jun-02, on a scale of 0 to 5000]

Status (as of June 26, 2002)
• 2223 entries
• 2419 candidates
Identifying Known Vulnerabilities: The CVE Submission Stage

• Sources provide MITRE with their lists of all known vulnerabilities
• MITRE’s CVE Content Team processes submissions
  – Conversion: convert items in database/tool to submission format; assign temporary ID’s to each submission
  – Matching: find most similar submissions, candidates, and entries based on keywords
  – Refinement: combine all matched submissions into groups; use each group to create candidates
Candidate Stage: Assignment

• Assign new number (CAN-YYYY-NNNN)
• YYYY is the year in which the number was assigned; NNNN is a counter for that year
• Backmap: internal ID’s mapped to candidate names, sent back to provider
• Submissions removed

Backmap example from the slide (matched submission groups, and the backmaps returned to each source):

Submissions A:1 (iis-dos) and B:3 (524) → CAN-1999-1234
Submissions B:1 (17), C:1 (19) and A:2 (ftp-pasv) → CAN-YYYY-NNNN

To Source A: iis-dos = CAN-1999-1234, ftp-pasv = CAN-YYYY-NNNN
To Source B: 524 = CAN-1999-1234, 17 = CAN-YYYY-NNNN
To Source C: 19 = CAN-YYYY-NNNN
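The submission-to-candidate pipeline of the last two slides (keyword matching, grouping, CAN-YYYY-NNNN assignment with a per-year counter, and the backmap returned to each source), as an added Python example that is not MITRE's code. The submissions, the Jaccard similarity and its 0.5 threshold are constructed assumptions; the counter check also shows the CAN-10K limit the deck raises later.

```python
import re
from collections import defaultdict

# Constructed sample submissions (not data from the slides): sources A, B and C
# each hand MITRE a list keyed by their own internal IDs, as in the backmap figure.
SUBMISSIONS = [
    {"source": "A", "id": "1",    "desc": "iis-dos: IIS denial of service via long URL"},
    {"source": "A", "id": "2",    "desc": "ftp-pasv: FTP PASV data connection hijacking"},
    {"source": "B", "id": "3524", "desc": "Denial of service in IIS via long URL"},
    {"source": "B", "id": "17",   "desc": "FTP PASV data connection hijacking by remote attacker"},
    {"source": "C", "id": "19",   "desc": "Hijacking of FTP PASV data connection"},
]

STOPWORDS = {"a", "an", "the", "in", "of", "via", "by", "remote", "attacker"}
MATCH_THRESHOLD = 0.5   # assumed similarity cut-off; the slides give no figure


def keywords(text):
    """Matching step: the keyword set of a description, minus filler words."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}


def similarity(a, b):
    """Jaccard overlap of two keyword sets (0.0 .. 1.0)."""
    return len(a & b) / len(a | b) if a | b else 0.0


def group_submissions(subs, threshold=MATCH_THRESHOLD):
    """Refinement step: union submissions whose descriptions match into groups."""
    parent = list(range(len(subs)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    kws = [keywords(s["desc"]) for s in subs]
    for i in range(len(subs)):
        for j in range(i + 1, len(subs)):
            if similarity(kws[i], kws[j]) >= threshold:
                parent[find(i)] = find(j)
    groups = defaultdict(list)
    for i in range(len(subs)):
        groups[find(i)].append(i)
    # Order groups by first appearance so numbering is deterministic.
    return sorted(groups.values(), key=lambda g: min(g))


class CandidateNumbering:
    """Assigns CAN-YYYY-NNNN: YYYY = year of assignment, NNNN = per-year counter."""

    def __init__(self):
        self.counters = defaultdict(int)

    def next_name(self, year):
        n = self.counters[year] + 1
        if n > 9999:   # the "CAN-10K problem": only four digits per year
            raise OverflowError(f"candidate counter for {year} exhausted")
        self.counters[year] = n
        return f"CAN-{year}-{n:04d}"


def assign_candidates(subs, year, numbering=None):
    """Returns (candidates, backmaps): candidates map each CAN name to its
    'SOURCE:ID' submissions; backmaps map each source's internal IDs to the
    candidate name, ready to be sent back to that provider."""
    numbering = numbering or CandidateNumbering()
    candidates, backmaps = {}, defaultdict(dict)
    for group in group_submissions(subs):
        can = numbering.next_name(year)
        candidates[can] = []
        for i in group:
            s = subs[i]
            candidates[can].append(f"{s['source']}:{s['id']}")
            backmaps[s["source"]][s["id"]] = can
    return candidates, dict(backmaps)


if __name__ == "__main__":
    cands, maps = assign_candidates(SUBMISSIONS, 2002)
    for can, refs in cands.items():
        print(can, "<-", ", ".join(refs))
    for source, mapping in sorted(maps.items()):
        print("backmap to source", source, mapping)
```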
Candidate Reservation Process

Reserving and coordinating CANs requires a process change for all parties. (400+ CANs reserved)

Researcher / Vendor
• Request candidate from CNA
• Provide candidate number to vendor and other parties
• Include candidate number in initial public announcement
• Notify MITRE of announcement
• Perform due diligence to avoid duplicate or incorrect candidates
• Follow responsible disclosure practices to increase confidence in correctness of the candidate

Candidate Numbering Authority (CNA)
• Obtain pool of candidate numbers from MITRE
• Define requirements for researchers to obtain a candidate
• Assign correct number of candidate numbers (follow content decisions)
• Ensure candidate is shared across all parties
• Do not use candidates in “competitive” fashion

MITRE
• Primary CNA
• CAN pool accessible to researchers and vendors
• Educate CNA about content decisions
• Update CVE web site when candidate is publicly announced
• Track potential abuses

[Diagram: the researcher/vendor sends “Request Candidate” to the CNA, which hands out CAN-YYYY-NNNN from the CAN pool supplied by MITRE]
Many organizations are reserving CVE names and using them in their alerts and advisories

To date, CVE names have been included in initial advisories from:
ISS X-Force, IBM, Rain Forest Puppy, @stake, BindView, HP, CERT/CC, SGI, COMPAQ, Microsoft, Ernst & Young, eEye, CISCO, Rapid 7, NSFOCUS, Sanctum, SecurityFocus, Red Hat, VIGILANTe, Apache, Apple

Example: the Red Hat advisory at http://www.redhat.com/support/errata/RHSA-2001-150.html states “... assigned CAN-2001-0869 to this issue.”
Candidate Stage: Proposal Through Final Decision

CAN-YYYY-NNNN

Proposal
• Clustering (date of discovery, OS, service type, etc.)
• Published on CVE web site
• Editorial Board members vote on candidate
• Votes: ACCEPT, MODIFY, REVIEWING, NOOP (No Opinion), RECAST (change level of abstraction), REJECT

Modification
• Add references, change description
• Change level of abstraction
• Significant changes may require another round of voting

Interim Decision
• ACCEPT or REJECT (requires sufficient votes)
• At least 2 weeks after initial proposal
• 4 days for last-minute feedback

Final Decision
• ACCEPT or REJECT
• Convert CAN-YYYY-NNNN to CVE-YYYY-NNNN
• Report final voting record
• Create new CVE version
Entry Stage

CVE-YYYY-NNNN

Modification
• Minor modifications
• Add references
• Change description

Reassessment
• New information may force a re-examination of the entry
• Level of abstraction may need to be changed
• May be a duplicate
• May not be a problem after all

Deprecation
• May need to “delete” an existing entry (e.g. duplicate entries)
• But, some products may still use this number
• Register the “deletion” but keep entry available for review

Publication
• Publish new CVE version and difference report
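The candidate and entry lifecycle of the two preceding slides (proposal voting, modification, interim and final decisions with the CAN to CVE rename, and deprecation that keeps the name available), as an added Python example that is not MITRE's tooling. The three-vote quorum is an assumed stand-in for "sufficient votes", the two-week and four-day waits are the slide's figures, and the sample candidate in the test is constructed around a name quoted on the slides.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum

VOTES = {"ACCEPT", "MODIFY", "REVIEWING", "NOOP", "RECAST", "REJECT"}
MIN_DAYS_AFTER_PROPOSAL = 14   # "at least 2 weeks after initial proposal"
FEEDBACK_WINDOW_DAYS = 4       # "4 days for last-minute feedback"
MIN_DECIDING_VOTES = 3         # assumed quorum; the slide only says "sufficient votes"


class Stage(Enum):
    PROPOSAL = "proposal"
    INTERIM = "interim decision"
    ENTRY = "entry"            # CAN-YYYY-NNNN has become CVE-YYYY-NNNN
    REJECTED = "rejected"
    DEPRECATED = "deprecated"  # "deleted" but kept available for review


@dataclass
class Candidate:
    name: str
    description: str
    proposed: date
    references: list = field(default_factory=list)
    votes: dict = field(default_factory=dict)   # board member -> vote
    stage: Stage = Stage.PROPOSAL
    interim_date: date = None
    interim_result: str = None
    voting_record: dict = None                  # reported at the final decision
    deprecation_note: str = None

    def vote(self, member, choice):
        if choice not in VOTES:
            raise ValueError(f"unknown vote {choice!r}")
        if self.stage not in (Stage.PROPOSAL, Stage.INTERIM):
            raise ValueError("voting is closed")
        self.votes[member] = choice

    def modify(self, today, description=None, reference=None, significant=False):
        """Modification: a significant change restarts the voting round."""
        if self.stage not in (Stage.PROPOSAL, Stage.INTERIM):
            raise ValueError("candidate is no longer open for modification")
        if description:
            self.description = description
        if reference:
            self.references.append(reference)
        if significant:
            self.votes.clear()
            self.stage, self.proposed = Stage.PROPOSAL, today

    def _tally(self):
        accepts = sum(v == "ACCEPT" for v in self.votes.values())
        rejects = sum(v == "REJECT" for v in self.votes.values())
        if accepts + rejects < MIN_DECIDING_VOTES:
            raise ValueError("insufficient ACCEPT/REJECT votes")
        return "ACCEPT" if accepts > rejects else "REJECT"

    def interim_decision(self, today):
        if self.stage is not Stage.PROPOSAL:
            raise ValueError("interim decision already made")
        if today < self.proposed + timedelta(days=MIN_DAYS_AFTER_PROPOSAL):
            raise ValueError("at least 2 weeks must pass after the proposal")
        self.interim_result, self.interim_date = self._tally(), today
        self.stage = Stage.INTERIM
        return self.interim_result

    def final_decision(self, today):
        """Re-tallies after the feedback window, then renames CAN -> CVE on ACCEPT."""
        if self.stage is not Stage.INTERIM:
            raise ValueError("no interim decision yet")
        if today < self.interim_date + timedelta(days=FEEDBACK_WINDOW_DAYS):
            raise ValueError("the 4-day feedback window is still open")
        result = self._tally()
        self.voting_record = dict(self.votes)
        if result == "ACCEPT":
            self.name = "CVE" + self.name[len("CAN"):]
            self.stage = Stage.ENTRY
        else:
            self.stage = Stage.REJECTED
        return self.name, self.stage

    def deprecate(self, note):
        """Entry stage: register the 'deletion' but keep the entry and its name."""
        if self.stage is not Stage.ENTRY:
            raise ValueError("only entries can be deprecated")
        self.stage, self.deprecation_note = Stage.DEPRECATED, note
```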
Content Decisions

• Explicit guidelines for content of CVE entries
  – Ensure and publicize consistency within CVE
  – Provide “lessons learned” for researchers
  – Document differences between vulnerability “views”
• Three basic types
  – Inclusion: What goes into CVE? What doesn’t, and why?
  – Level of Abstraction: One or many entries for similar issues?
  – Format: How are CVE entries formatted?
• Difficult to document
  – “[It’s] like trying to grasp wet corn starch” (Board member)

Incomplete information is the bane of consistency - and content decisions!
Example Content Decision: SF-LOC (Software Flaws/Lines of Code)

SF-LOC: Create separate entries for problems in the same program that are of different types, or that appear in different software versions.

• Older versions of this CD distinguished between problems of the same type
  – “Split-by-default” approach generated “too many” candidates
  – Also “unfair” to vendors with source code or detailed reports
  – Once produced 8 candidates where other tools and databases would have created only 1 vulnerability record
• Affected by amount of available information
  – Especially source code and exploit details
• For all candidates affected by SF-LOC, see:
  – http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CD:SF-LOC
SF-LOC Examples

• CAN-2001-0019 is clearly different than CAN-2001-0020
  – But a single patch fixes both problems
• CAN-2001-0019 could be 1, 2, or 6 vulnerabilities

CAN-2001-0020: Directory traversal vulnerability in Arrowpoint (aka Cisco Content Services, or CSS) allows local unprivileged users to read arbitrary files via a .. (dot dot) attack.

CAN-2001-0019: Arrowpoint (aka Cisco Content Services, or CSS) allows local users to cause a denial of service via a long argument to the “show script,” “clear script,” “show archive,” “clear archive,” “show log,” or “clear log” commands. (6 failure points)

CAN-2000-0971: Avirt Mail 4.0 and 4.2 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long "RCPT TO" or "MAIL FROM" command. (2 failure points)

CAN-2000-0686: Auction Weaver CGI script 1.03 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack in the fromfile parameter.
CAN-2000-0687: Auction Weaver CGI script 1.03 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack in the catdir parameter.
(2 failure points)
Why CAN-2001-0019 Could Identify 1, 2, or 6 Vulnerabilities

• 3 different source code scenarios
• Without actual source, can’t be sure which scenario is true
• Even with source, there are different ways of counting
• Multiple format string problems are especially difficult to distinguish

Scenario 1: one unbounded copy per command/argument pair (6 failure points)

    if (strcmp(cmd, "show") == 0) {
        if (strcmp(arg1, "script") == 0) {
            strcpy(str, long_input);      /* failure point 1 */
            show_script(str);
        } else if (strcmp(arg1, "archive") == 0) {
            strcpy(str, long_input);      /* failure point 2 */
            show_archive(str);
        } else if (strcmp(arg1, "log") == 0) {
            strcpy(str, long_input);      /* failure point 3 */
            show_log(str);
        }
    } else if (strcmp(cmd, "clear") == 0) {
        if (strcmp(arg1, "script") == 0) {
            strcpy(str, long_input);      /* failure point 4 */
            clear_script(str);
        } else if (strcmp(arg1, "archive") == 0) {
            strcpy(str, long_input);      /* failure point 5 */
            clear_archive(str);
        } else if (strcmp(arg1, "log") == 0) {
            strcpy(str, long_input);      /* failure point 6 */
            clear_log(str);
        }
    }

Scenario 2: one unbounded copy before the command is dispatched (1 failure point)

    strcpy(arg, long_input);              /* the single failure point */
    if (strcmp(cmd, "show") == 0) {
        process_show_command(arg);
    } else if (strcmp(cmd, "clear") == 0) {
        process_clear_command(arg);
    }

Scenario 3: one unbounded copy per top-level command (2 failure points)

    if (strcmp(cmd, "show") == 0) {
        strcpy(str, long_input);          /* failure point 1 */
        process_show_command(str);
    } else if (strcmp(cmd, "clear") == 0) {
        strcpy(str, long_input);          /* failure point 2 */
        process_clear_command(str);
    }
CVE Editorial Board

• Includes mostly technical representatives from 35 different organizations including researchers, tool vendors, response teams, and end users
• Reviews and approves CVE entries
• Discusses issues related to CVE maintenance
• Holds monthly meetings (face-to-face or phone)
• Maintains publicly viewable mailing list archives [cve.mitre.org/board/archives]

Board members: [cve.mitre.org/board/boardmembers.html]
Editorial Board Roles, Tasks, and Qualifications

• Minimum Expectations
• Tasks for All Members
• Technical Member Tasks
• Liaison Tasks
• Advocate Tasks
• Emeritus Tasks
• Recognition of Former Members
• Roles for MITRE

[cve.mitre.org/board/edroles.html]
CVE Senior Advisory Council Objectives and Roles

“...The CVE Council is established to ensure that the CVE program receives the sponsorship, including funding and guidance, required to maximize the effectiveness of this program ...”

Council Roles
• Act as a catalyst for CVE and related activities.
• Assure funding for the core CVE activity over the long term including outreach to Government organizations and agencies.
• Discuss community needs and possible new CVE services.
• Promote the adoption of CVE at the strategic level.
• Business planning & prioritization.
• Discuss CVE and related security policy implications for the Federal Government.
• Identify CVE related materials & resources for use by Government CIOs and senior managers.
CVE Senior Advisory Council Members

Co-Chairs:
• John Gilligan, CIO of the USAF, and Co-chair of the Architecture/Interoperability Committee of the CIO Council
• Sallie McDonald, GSA Assistant Commissioner, Office of Info Assurance and Critical Infrastructure Protection

Participating Organizations
• Department of the Treasury
• Department of Energy
• Department of Labor
• Department of Health and Human Services
• Internal Revenue Service
• National Institute of Standards and Technology
• Critical Infrastructure Assurance Office
• National Infrastructure Protection Center
• Office of Management and Budget
• GSA
• ASD/C3I
• DISA
• Air Force
• NSA
• Intelligence Community
• NASA
What does CVE-compatible mean?

• CVE-compatible means that a tool, database, web site, or security service can “speak CVE” and correlate data with other CVE-compatible items
• CVE-compatible means it meets the following requirements:
  – Can find items by CVE name (CVE searchable)
  – Includes CVE name in output for each item (CVE output)
  – Explains the CVE functionality in the item’s documentation (CVE documentation)
  – Provided MITRE with “vulnerability” item mappings to validate the accuracy of the product’s or service’s CVE entries
  – Makes a good faith effort to keep mappings accurate

[cve.mitre.org/compatible/requirements.html]
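An illustration of the compatibility requirements above, as an added Python example that is not code from MITRE or any listed vendor: a constructed scanner check list with CVE mappings, a name-based search that treats CAN-YYYY-NNNN and CVE-YYYY-NNNN as the same issue, CVE-annotated output, and a mapping-accuracy check against a constructed snapshot of the CVE list. The check IDs and the list contents are assumptions; the issue names come from the slides.

```python
import re

NAME_RE = re.compile(r"^(CAN|CVE)-(\d{4})-(\d{4})$")


def parse_name(name):
    """Split a CAN-YYYY-NNNN / CVE-YYYY-NNNN name into (status, year, counter)."""
    m = NAME_RE.match(name.strip().upper())
    if not m:
        raise ValueError(f"not a CVE/CAN name: {name!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


def issue_key(name):
    """Key shared by a candidate and the entry it becomes (CAN-1999-0067 == CVE-1999-0067)."""
    _, year, counter = parse_name(name)
    return (year, counter)


# Constructed product database: a scanner's own check IDs with their CVE mappings.
PRODUCT_CHECKS = [
    {"check": "http-cgi-phf", "title": "phf CGI allows remote command execution",
     "cve": ["CVE-1999-0067"]},
    {"check": "css-show-dos", "title": "Arrowpoint CSS denial of service via long argument",
     "cve": ["CAN-2001-0019"]},
    {"check": "css-dotdot", "title": "Arrowpoint CSS directory traversal",
     "cve": ["CVE-2001-9999"]},   # constructed mistyped mapping, not in the list
]

# Constructed snapshot of the CVE list: name -> status.
CVE_LIST = {
    "CVE-1999-0067": "entry",
    "CVE-2001-0019": "entry",    # the candidate mapped above has since become an entry
    "CVE-2001-0020": "entry",
}


def find_by_cve_name(checks, name):
    """CVE searchable: the checks mapped to a name, whichever CAN/CVE form
    the user typed and whichever form the product stored."""
    key = issue_key(name)
    return [c["check"] for c in checks if any(issue_key(n) == key for n in c["cve"])]


def cve_output(check):
    """CVE output: the product's report line always carries the CVE name(s)."""
    return f"{check['check']}: {check['title']} [{', '.join(check['cve'])}]"


def validate_mappings(checks, cve_list):
    """Mapping accuracy: compare the product's names with the CVE list and
    return one finding per problem (unknown name, or a stale CAN for an entry)."""
    by_key = {issue_key(n): n for n in cve_list}
    findings = []
    for c in checks:
        for name in c["cve"]:
            current = by_key.get(issue_key(name))
            if current is None:
                findings.append((c["check"], name, "not in CVE list"))
            elif current != name.upper():
                findings.append((c["check"], name, f"renamed to {current}"))
    return findings


if __name__ == "__main__":
    print(find_by_cve_name(PRODUCT_CHECKS, "can-1999-0067"))
    for check in PRODUCT_CHECKS:
        print(cve_output(check))
    for finding in validate_mappings(PRODUCT_CHECKS, CVE_LIST):
        print("mapping issue:", finding)
```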
New CVE Compatibility Procedure (as of 18 June 2002)

• Consists of two parts (phase 1 and phase 2):
  – Phase 1 - Compliance Declaration
    – Item listed on Compatibility page and quote posted if given
  – Phase 2 - Compliance Questionnaire
    – Submitted response is evaluated by MITRE
    – Upon concurrence with Questionnaire: questionnaire response put on CVE site & mapping accuracy evaluated
    – Upon completion of mapping accuracy evaluation: use of the CVE-Compatible logo granted; vendor free to refer to product or service as CVE-Compatible
• Status:
  – Draft questionnaire developed/tested (takes ~ 3 days to do)
  – “sample” questionnaire using CVE Web site created as example
  – alpha- & beta-tests conducted with MITRE/Editorial Board
    – Also discussed at length with ~30 organizations w/positive responses
  – Revised Compatibility pages to support new processes
Examples of CVE-compatible items: The ICAT Metabase

http://icat.nist.gov

[Screenshot of the ICAT Metabase with its CVE names highlighted, alongside a Government Computer News article dated 08.13.01]
Where CVE-compatible Items Have Come From, and Where the New Ones Are Coming From (as of 25 June 2002)

[World map of CVE-compatible declarations grouped by region, each region also annotated with the number of organizations and items in progress]

37 Organizations, 59 Items: Advanced Research Corporation, ArcSight, Inc., Application Security, Inc., BindView Corporation, CERIAS, Purdue University, CERT/CC, Cisco Systems, Inc., Citadel Security Software, Inc., eEye Digital Security, Enterasys Networks, Inc., Entercept SECURITY TECHNOLOGIES, ESecurityOnline, Foundstone, Inc., Harris Corporation, ISS - Internet Security Systems, Inc., KaVaDo Inc., LURHQ Company, NCircle Network Security, NetiQ Corporation, Network Associates Inc., Network Security Systems, Inc., NFR Security, Inc., NIST, Qualys, Inc., Recourse Technologies, Inc., SAINT Corporation, Sanctum Inc., The SANS Institute, SecureInfo Corporation, SecurityFocus, Snort.Org, SpiDYNAMICS, Strongbox Security Inc., Symantec Corporation, Tiger Testing Inc., Tivoli Systems, Inc., UCDavis Computer Security Laboratory, VIGILANTe.Com, Inc.
2 Items: Red Hat Inc.
1 Item: E*MAZE Networks S.P.A.
1 Item: nSecure Software (P) Ltd.
1 Item: Shake Communications Pty Ltd
9 Items: INZEN CO., Ltd., NetSecure Technology, Inc., Penta Security Systems, Inc., SecureSoft, Inc., Wins Technet Co., Ltd.
1 Item: SecurityWatch.Com
5 Items: Alliance Qualité Logiciel, Cert-IST, INTRANODE Software Technologies, INTRINsec, The Nessus Project
1 Item: E-Soft Inc.
1 Item: EsCERT-UPC
1 Item: N-Stalker, Inc.
9 Items: China National Computer Software & Technology Service Corporation, FuJian RongJi Software Development Company, Ltd, NSFOCUS Information Technology Co., Ltd, Tsinghua UnisNet Ltd., Venus Information Technology Inc.
Timeline of CVE Compatibility Declarations (as of 18 June 2002)

[Chart: cumulative compatibility declarations by month, October 1999 to July 2002, on a scale of 0 to 100]

Now at 92 products and services from 61 organizations
Several Parts of the Federal Government Have Called for the Use of CVE and CVE-Compatible products

http://www.acq.osd.mil/dsb/tfreports.htm
http://csrc.nist.gov/publications/drafts/Use_of_the_CVE.PDF

“Furthermore, preference should be given to products that are Compatible with the Common Vulnerabilities and Exposures (CVE) list.”

“Federal departments and agencies should…
1. give substantial consideration to ... [CVE-compatible] products and services.
2. periodically monitor their systems for applicable vulnerabilities listed in ... CVE
3. use [CVE] in their descriptions and communications of vulnerabilities”
Challenge: Improving the Naming Scheme

• Some benefits with the current naming scheme
  – Compact
  – Candidate/entry status encoded within the name
  – Most CAN-YYYY-NNNN will become CVE-YYYY-NNNN
  – Removes debate about what a “good” name is
• Some issues
  – Changing a CAN to a CVE incurs maintenance costs
  – Differences not obvious to casual users
  – Year segment can be misunderstood as year of discovery
  – Name is not atomic in most search engines, thus difficult to find
  – Maximum 10,000 candidates per year (CAN-10K problem)
• Once public, names must not disappear without explanation
  – Deprecated entries, rejected candidates... even typos
  – Mappings from old to new names

Any change to the CVE naming scheme will impact many users.
Managing the Scope of the CVE List

• What issues should be included?
  – Exposures (CD:DEFINITION)
    – e.g., running finger
    – Highly controversial topic before CVE was even public
  – Beta software (CD:EX-BETA)
  – Online services / ASPs (CD:EX-ONLINE-SVC)
  – Client-side DoS (CD:EX-CLIENT-DOS)
  – Vague vendor advisories (CD:VAGUE)
• Malicious code (viruses, Trojans)
• Configuration problems
  – Challenges in abstraction
    – Default passwords: 1 CVE, or hundreds?
  – Blurry lines between policy, security, and environment
• Large-scale analyses, e.g. PROTOS
• Voting: how much confidence is needed for official CVE entries?
• Timeliness: Fast and noisy or slow and stable?
• Intrusion events that do not map to vulnerabilities
Applicability of CVE to IDS

CVE
• Vulnerabilities and exposures
• System states
• Atomic entities
• Easier to classify
• Tools less varied
• Similar levels of granularity
• Easier to match across tools
• Many public databases
• Known and provable vulnerabilities

IDSes
• Exploits, detects, decodes, anomalies, reconnaissance, probes, scans, malware...
• Events
• Hybrid entities
• Harder to classify
• Tools more varied
• Multiple levels of granularity
• Harder to match across tools
• One public “database”
• Bad cut-and-paste between signatures, scans for incorrect vulnerability reports
CIEL (Common Intrusion Event List)

• Standardize names for IDS events
  – Use lessons learned from CVE
  – Handle multiple levels of abstraction
  – Ease of use
  – Independent of the methods used to detect the event
• Past Activities (2001)
  – Draft CIEL with almost 40 high-level entries created by MITRE
    – Effectively a draft taxonomy
    – Too complex
    – Did not achieve exhaustiveness and mutual exclusiveness
• CIEL Working Group
  – First meeting in March 2001
  – Part of the CVE Editorial Board
  – Structure, membership, and process TBD
• Current CIEL
  – Names formed from attributes
CVE in Incident Handling

• Current Activity Summaries
  – Which vulnerabilities are being actively exploited?
• Incident Reports
  – CVE clarifies which vulnerability was exploited
• Simplifies data collection from multiple sources
• Share incident data across teams
• Share data across language barriers
Responsible Disclosure and CVE: A Case Study

• CVE analysis includes distinguishing between similar issues
• Reporters who reserve CVE candidates must follow good disclosure practices to minimize errors
• When reporter and vendor do not work closely together
  – Multiple CVE names assigned to the same issue
    – reporter describes symptom, vendor describes the problem
  – Inaccurate, incomplete, or unverified reports
• When vendors do not acknowledge the vulnerability
  – Less likely that the Editorial Board will accept a candidate
  – Too resource-intensive to verify every report
• When vendors do not include sufficient details in advisories
  – Can be difficult to tell which vulnerability was fixed
  – Change logs can be vague
  – Even credits aren’t always enough!
  – Source diffs (when available) may be insufficient
The CVE Strategy: Where are we? (as of 18 June 2002)

[Diagram: the same discovery-time layers as the earlier “The CVE Strategy” slide (Unreviewed: Bugtraqs, mailing lists, hacker sites; Reviewed Advisories: CERT, CIAC, vendor advisories; Security Products: scanners, intrusion detection, vulnerability databases; Commercial S/W Products: update and fix sites & update mechanisms; Policy: methodologies, purchasing requirements, education), with progress notes attached to the four steps]

1. Inject CVE Names into advisories
2. Establish CVE at security product level in order to ...
3. … enable CVE to permeate the policy level.
4. Establish CVE in vendor fix-it sites and update mechanisms

Progress notes:
• CVE names have been included in initial advisories from ISS X-Force, Rain Forest Puppy, IBM, @stake, BindView, CERT/CC, HP, SGI, COMPAQ, Microsoft, Ernst & Young, eEye, CISCO, Rapid 7, NSFOCUS, Sanctum, SecurityFocus, VIGILANTe, Red Hat, Apache, and Apple.
• SANS / FBI Top 20 uses CVE names
• Network Computing IDS & Scanner Comparisons included CVE
• Draft NIST Rec. calls for use of CVE
• DSB Report calls for CVE compatibility
• Network World IDS Comparison included CVE coverage
• Adding CVE names broached with 13 groups.
• 2223 CVE Entries -- 2419 Candidates.
• 92 CVE-compatible products from 61 groups.
• 54 more from 27 others in “the works”.
Progress in a Nutshell

[Diagram: the eight information sources from the earlier integration diagram (Vulnerability Scanners; Incident Response & Reporting; Vulnerability Web Sites & Databases; Software Vendor Patches; Intrusion Detection Systems; Security Advisories; Priority Lists; Research), each annotated with progress to date: 400+ CANs Reserved; SANS Top 20; CIEL; Broached w/ 13 vendors; FIRST; ICAT; Cassandra; Scanner Comparisons]
For More Information

CVE web site: http://cve.mitre.org