A Progress Report on the CVE Initiative Robert Martin Steven Christey David Baker The MITRE Corporation June 27, 2002


Page 1:

A Progress Report on the CVE Initiative

Robert Martin, Steven Christey, David Baker

The MITRE Corporation

June 27, 2002

Page 2:

Outline for: A Progress Report on the CVE Initiative

• Motivation
• Implementing CVE
• The CVE List
• Candidates
• Content Decisions
• The Editorial Board and Advisory Council
• CVE Compatibility
• Challenges and Opportunities

Page 3:

CERT/CC Incidents Reported

[Chart: incidents reported to CERT/CC per year, 1988 through 2002, y-axis 0 to 120,000; the 2002 bar is projected based on Q1 2002 actual reported incidents]

Many Motivations for Getting on top of Vulnerabilities

http://www.eweek.com/article/0,3658,s=701&a=23193,00.asp

http://www.baselinemag.com/article/0,3658,s=1867&a=23195,00.asp

http://www.theregister.co.uk/content/53/24244.html

http://www.cert.org/advisories/CA-2002-06.html

Page 4:

Vulnerabilities Have Been Found in Almost Every Type of Commercial Software There Is

Routers: 3220-H DSL Router, 650-ST ISDN Router, Ascend Routers, Cisco Routers, R-series routers

Web servers & tools: Domino HTTP Server, IIS, NCSA Web Server, Sawmill, WebTrends Log Analyzer

Operating Systems: AIX, BeOS, BSD/OS, DG/UX, FreeBSD, HP-UX, IRIX, Linux, MacOS Runtime for Java, MPE/iX, NetWare, OpenBSD, Palm OS, Red Hat, Security-Enhanced Linux, Solaris, SunOS, Ultrix, Windows 2000, Windows 95, Windows 98, Windows ME, Windows NT

Firewalls: Firewall-1, Gauntlet Firewall, PIX Firewall, Raptor Firewall, SOHO Firewall

Development Tools: ClearCase, ColdFusion, Flash, Frontpage, GNU Emacs, JRun, WebLogic Server, Visual Basic, Visual Studio

Network Applications: BackOffice, Meeting Maker, NetMeeting

Security Software: ACE/Server, BlackICE Agent, BlackICE Defender, Certificate Server, CProxy Server, ETrust Intrusion Detection, GateKeeper, InterScan VirusWall, Kerberos 5, Norton AntiVirus, PGP, SiteMinder, Tripwire

Mail Servers: 1st Up Mail Server, All-Mail, ALMail32, Avirt Mail Server, Becky! Internet Mail, CWMail, Domino Mail Server, Exchange Server, Hotmail, Internet Anywhere Mail Server, ITHouse Mail Server, Microsoft Exchange, Pegasus Mail, Sendmail

Internet: AFS, Apache, BIND, CGI, Cron, IMAP

Desktop Applications: Acrobat, Clip Art, Excel, FrameMaker, Internet Explorer, Napster client, Notes Client, Novell client, Office, Outlook, PowerPoint, Project, Quake, R5 Client, StarOffice, Timbuktu Pro, Word, Works, Workshop

DBMSs: Access, DB2 Universal Database, FileMaker Pro, MSQL, Oracle

Sample of Vulnerabilities Announced in 1999 & 2000

Page 5:

Difficult to Integrate Information on Vulnerabilities and Exposures

[Figure: Vulnerability Scanners, Incident Response & Reporting, Vulnerability Web Sites & Databases, Software Vendor Patches, Intrusion Detection Systems, Security Advisories, Priority Lists and Research, with question marks standing for every link between them]

Page 6:

Finding and sharing vulnerability information has been difficult: The Same Problem, Different Names

Organization   Name
CERT           CA-96.06.cgi_example_code
CyberSafe      Network: HTTP ‘phf’ Attack
ISS            http-cgi-phf
AXENT          phf CGI allows remote command execution
Bugtraq        PHF Attacks – Fun and games for the whole family
BindView       #107 – cgi-phf
Cisco          #3200 – WWW phf attack
IBM ERS        Vulnerability in NCSA/Apache Example Code
CERIAS         http_escshellcmd
NAI            #10004 - WWW phf check

Which has been caused by the rule, “Whoever finds it, names it”

Along with the new rule, “Whoever finds it, gets a CVE name for it”

The adoption of CVE Names by the Security Community is starting to address this problem

Page 7:

The CVE List provides a path for integrating information on Vulnerabilities and Exposures

[Figure: the same eight sources (Vulnerability Scanners, Incident Response & Reporting, Vulnerability Web Sites & Databases, Software Vendor Patches, Intrusion Detection Systems, Security Advisories, Priority Lists, Research) linked through one common name, CVE-1999-0067]

Page 8:

FBI/SANS Institute 2001 Top Twenty uses CVE names

…yet another step down the policy road

Note 2. CVE Numbers: You’ll find references to CVE (Common Vulnerabilities and Exposures) numbers accompanying each vulnerability. You may also see CAN numbers. CAN numbers are candidates for CVE entries that are not yet fully verified. For more data on the Award-winning CVE project, see http://cve.mitre.org. In the General Vulnerabilities section, the CVE numbers listed are examples of some of the vulnerabilities that are covered by each listed item. Those CVE lists are not meant to be all-inclusive. However, for the Windows and Unix Vulnerabilities, the CVE numbers reflect the top priority vulnerabilities that should be checked for each item.

http://www.sans.org/top20.htm

Page 9:

CVE is Even Being Used to Compare and Contrast products

Ad from SC Magazine (April 2002)

... by talking about the vulnerabilities they do or do not have...

Tables from Network Computing Article “To Catch a THIEF” (8/20/2001)

… or the vulnerabilities they do or don’t find...

Page 10:

Outline for: A Progress Report on the CVE Initiative

Page 11:

The Common Vulnerabilities and Exposures (CVE) Initiative

• An international security community activity led by MITRE focused on developing a list that provides common names for publicly known information security vulnerabilities and exposures.

• Key tenets
– One name for one vulnerability or exposure
– One standardized description for each vulnerability or exposure
– Existence as a dictionary rather than a database
– Publicly accessible for review or download from the Internet
– Industry participation in open forum (editorial board)

• The CVE list and information about the CVE effort are available on the CVE web site at [cve.mitre.org]

2223 approved entries, 2419 being voted on, ~4500 under analysis, ~100-150 new/month

Page 12:

The CVE Strategy

[Figure: a "Discovery time" axis running from Unreviewed sources (Bugtraqs, Mailing lists, Hacker sites) through Reviewed Advisories (CERT, CIAC, Vendor advisories), Security Products (Scanners, Intrusion Detection, Vulnerability Databases) and Commercial S/W Products (Update and Fix Sites & Update Mechanisms) to Policy (Methodologies, Purchasing Requirements, Education)]

1. Inject Candidate numbers into advisories
2. Establish CVE at security product level in order to ...
3. … enable CVE to permeate the policy level.
4. Establish CVE in vendor fix-it sites and update mechanisms

Page 13:

Example: CVE helping to make Detailed Product Comparisons

Network Computing Article “Vulnerability Assessment Scanners” (1/8/2001)

Tables from Network Computing Article “To Catch a THIEF” (8/20/2001)

Page 14:

CVE email Lists have an International readership

Representing ~ 2200 registered email subscribers

[World map, legend: 51 plus (11 countries); 11 to 50 registered (39 countries); 1 to 10 registered (71 countries)]

Page 15:

Outline for: A Progress Report on the CVE Initiative

Page 16:

Where the CVE List comes from

[Figure: Legacy Submissions from Vulnerability Databases (AXENT, BindView, Harris, Cisco, CERIAS, Hiverworld, SecurityFocus, ISS, NAI, Symantec, Nessus; ~8400, with a bar breakdown labelled 2,500 | 3,900 | 1,100 | 900 and dups / info / study / 563) and New Vulnerabilities (New Submissions, 150–500 per month, from ISS, SecurityFocus, Neohapsis, NIPC CyberNotes; Candidates in New Alerts & Advisories, 5–15 per month) flow into the CVE Content Team, which produces CVE Candidates (~2419); the Editorial Board votes ("Yes Yes Yes") and approved candidates enter the CVE List (~2223)]

Page 17:

Status (as of June 26, 2002)
• 2223 entries
• 2419 candidates

CVE Growth

[Chart: monthly counts from Sep-99 to Jun-02, y-axis 0 to 5000, two series: Candidates and CVE Entries]

Page 18:

Outline for: A Progress Report on the CVE Initiative

Page 19:

Identifying Known Vulnerabilities: The CVE Submission Stage

• Sources provide MITRE with their lists of all known vulnerabilities
• MITRE’s CVE Content Team processes submissions

Conversion
• Convert items in database/tool to submission format
• Assign temporary ID’s to each submission

Matching
• Find most similar submissions, candidates, and entries based on keywords

Refinement
• Combine all matched submissions into groups
• Use each group to create candidates

Page 20:

Candidate Stage: Assignment

[Figure: submissions A:1 iis-dos, A:2 ftp-pasv, B:1 17, B:3 524 and C:1 19 are grouped; iis-dos and 524 map to the existing CAN-1999-1234, the others to a newly assigned CAN-YYYY-NNNN. Backmaps: To Source A: iis-dos = CAN-1999-1234, ftp-pasv = CAN-YYYY-NNNN; To Source B: 17 = CAN-YYYY-NNNN, 524 = CAN-1999-1234; To Source C: 19 = CAN-YYYY-NNNN]

• Assign new number (CAN-YYYY-NNNN)
• YYYY is the year in which the number was assigned; NNNN is a counter for that year
• Backmap: internal ID’s mapped to candidate names, sent back to provider
• Submissions removed
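The submission and assignment stages of the two slides above, worked through in code as an added example (not the CVE Content Team's own tooling): submissions from three constructed sources are reduced to keywords, matched against each other and against an existing candidate by keyword overlap, refined into groups, numbered CAN-YYYY-NNNN from a per-year counter (capped at 9999, as the four-digit name implies), and returned as a backmap per source. The descriptions, the stopword list, the 0.5 similarity threshold and the existing candidate's text are assumptions.

```python
"""Added example, not MITRE's CVE Content Team tooling: the submission stage
(conversion, matching, refinement) and the assignment stage (CAN-YYYY-NNNN,
backmap to each source) from the slides, run on constructed submissions."""
import re
from collections import defaultdict

# Constructed submissions: (source, internal id, description). The ids mirror the
# slide's figure (A: iis-dos, ftp-pasv; B: 17, 524; C: 19); the texts are invented.
SUBMISSIONS = [
    ("A", "iis-dos", "IIS denial of service via malformed HTTP request"),
    ("A", "ftp-pasv", "FTP server PASV command allows port theft"),
    ("B", "17", "FTP PASV command allows port theft"),
    ("B", "524", "Microsoft IIS denial of service with malformed HTTP request"),
    ("C", "19", "Port theft through FTP PASV mode"),
]

# Constructed existing candidate; the slide maps iis-dos and 524 onto CAN-1999-1234.
EXISTING_CANDIDATES = {
    "CAN-1999-1234": "IIS denial of service via malformed HTTP request",
}

# Words that carry no matching signal (assumed list).
STOPWORDS = {"a", "an", "the", "via", "with", "through", "allows", "in", "of", "mode"}


def keywords(text):
    """Conversion: reduce a submission's description to a set of keywords."""
    return {w for w in re.findall(r"[a-z0-9]+", text.lower()) if w not in STOPWORDS}


def similarity(a, b):
    """Jaccard overlap of two keyword sets (0.0 when both are empty)."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


class CandidateNumbering:
    """Issues CAN-YYYY-NNNN: YYYY is the year of assignment, NNNN a per-year counter."""

    def __init__(self):
        self.counters = defaultdict(int)

    def assign(self, year):
        self.counters[year] += 1
        n = self.counters[year]
        if n > 9999:  # the slides' "CAN-10K problem": the name format has four digits
            raise OverflowError(f"more than 9999 candidates assigned in {year}")
        return f"CAN-{year}-{n:04d}"


def process_submissions(submissions, existing, year, threshold=0.5):
    """Matching, refinement and assignment. Returns {source: {internal id: CAN}}.

    Each group is [candidate name or None, keyword set, [(source, id), ...]];
    groups seeded from existing candidates keep their name, the rest get new ones.
    """
    numbering = CandidateNumbering()
    groups = [[name, keywords(desc), []] for name, desc in existing.items()]
    for source, ident, desc in submissions:
        kw = keywords(desc)
        best, best_score = None, 0.0
        for group in groups:
            score = similarity(kw, group[1])
            if score > best_score:
                best, best_score = group, score
        if best is not None and best_score >= threshold:
            best[2].append((source, ident))
            best[1] |= kw  # refinement: the group's keywords grow with each match
        else:
            groups.append([None, set(kw), [(source, ident)]])
    backmap = defaultdict(dict)
    for name, _kw, members in groups:
        if not members:  # an existing candidate nobody submitted against
            continue
        can = name if name else numbering.assign(year)
        for source, ident in members:
            backmap[source][ident] = can
    return dict(backmap)


if __name__ == "__main__":
    result = process_submissions(SUBMISSIONS, EXISTING_CANDIDATES, 2002)
    for source, ids in sorted(result.items()):
        print(f"To Source {source}: " + ", ".join(f"{i} = {c}" for i, c in ids.items()))
```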

Page 21:

Candidate Reservation Process

Researcher / Vendor
• Request candidate from CNA
• Provide candidate number to vendor and other parties
• Include candidate number in initial public announcement
• Notify MITRE of announcement
• Perform due diligence to avoid duplicate or incorrect candidates
• Follow responsible disclosure practices to increase confidence in correctness of the candidate

Candidate Numbering Authority
• Obtain pool of candidate numbers from MITRE
• Define requirements for researchers to obtain a candidate
• Assign correct number of candidate numbers (follow content decisions)
• Ensure candidate is shared across all parties
• Do not use candidates in “competitive” fashion

MITRE
• Primary CNA
• Accessible to researchers and vendors
• Educate CNA about content decisions
• Update CVE web site when candidate is publicly announced
• Track potential abuses

[Figure: the Researcher / Vendor sends "Request Candidate" to the Candidate Numbering Authority, which hands back a CAN-YYYY-NNNN drawn from the CAN pool supplied by MITRE; 400+ CANs reserved]

Reserving and coordinating CANs requires a process change for all parties.

Page 22:

Many organizations are reserving CVE names and using them in their alerts and advisories

To-date, CVE names have been included in initial advisories from: ISS X-Force, IBM, Rain Forest Puppy, @stake, BindView, HP, CERT/CC, SGI, COMPAQ, Microsoft, Ernst & Young, eEye, CISCO, Rapid 7, NSFOCUS, Sanctum, SecurityFocus, Red Hat, VIGILANTe, Apache, Apple

[Screenshot: Red Hat advisory excerpt reading "assigned CAN-2001-0869 to this issue."]

http://www.redhat.com/support/errata/RHSA-2001-150.html

Page 23:

Candidate Stage: Proposal Through Final Decision

CAN-YYYY-NNNN

Proposal
• Clustering (date of discovery, OS, service type, etc.)
• Published on CVE web site
• Editorial Board members vote on candidate
– ACCEPT, MODIFY, REVIEWING, NOOP (No Opinion), RECAST (change level of abstraction), REJECT

Modification
• Add references, change description
• Change level of abstraction
• Significant changes may require another round of voting

Interim Decision
• ACCEPT or REJECT (Requires sufficient votes)
• At least 2 weeks after initial proposal
• 4 days for last-minute feedback

Final Decision
• ACCEPT or REJECT
• Convert CAN-YYYY-NNNN to CVE-YYYY-NNNN
• Report final voting record
• Create new CVE version
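The proposal-to-final-decision path above as a small state machine, added here as an example and not MITRE's own process code: the vote names, the two-week wait before an Interim Decision, the four-day last-minute feedback window, the re-vote after a significant modification and the CAN-to-CVE rename follow the slide; the quorum of three decisive votes, the tie rule, the member names and the dates are assumptions.

```python
"""Added example, not MITRE's process code: a candidate's path from Proposal
through Modification and Interim Decision to Final Decision as a state machine.
Quorum, tie handling, dates and member names are assumptions."""
from datetime import date, timedelta

VOTES = {"ACCEPT", "MODIFY", "REVIEWING", "NOOP", "RECAST", "REJECT"}
DECISIVE = {"ACCEPT", "REJECT"}   # the only votes that count toward a decision


class Candidate:
    def __init__(self, name, proposed, quorum=3):
        if not name.startswith("CAN-"):
            raise ValueError("only candidates (CAN-YYYY-NNNN) go through voting")
        self.name = name
        self.proposed = proposed      # date the candidate was published for voting
        self.quorum = quorum          # assumed: decisive votes needed for a decision
        self.votes = {}               # board member -> latest vote
        self.stage = "Proposal"
        self.interim = None           # (decision, date) once an Interim Decision exists

    def vote(self, member, choice):
        if choice not in VOTES:
            raise ValueError(f"unknown vote {choice!r}")
        if self.stage != "Proposal":
            raise RuntimeError(f"voting is closed at stage {self.stage}")
        self.votes[member] = choice   # a member may revise an earlier vote

    def modify(self, today, significant=False):
        """Modification: references and description may change freely; a significant
        change (for example a RECAST of the level of abstraction) restarts voting."""
        if significant:
            self.votes.clear()
            self.proposed = today
            self.stage, self.interim = "Proposal", None

    def tally(self):
        """(accept, reject) counts; MODIFY/REVIEWING/NOOP/RECAST are not counted."""
        counts = {v: 0 for v in DECISIVE}
        for choice in self.votes.values():
            if choice in DECISIVE:
                counts[choice] += 1
        return counts["ACCEPT"], counts["REJECT"]

    def interim_decision(self, today):
        """ACCEPT or REJECT, at least 2 weeks after the proposal, with enough votes.
        Ties go to REJECT (assumption)."""
        if self.stage != "Proposal":
            raise RuntimeError(f"no vote open at stage {self.stage}")
        if today < self.proposed + timedelta(days=14):
            raise RuntimeError("at least 2 weeks must pass after the initial proposal")
        accept, reject = self.tally()
        if accept + reject < self.quorum:
            raise RuntimeError("not enough decisive votes for an interim decision")
        decision = "ACCEPT" if accept > reject else "REJECT"
        self.stage, self.interim = "Interim Decision", (decision, today)
        return decision

    def final_decision(self, today):
        """After the 4-day feedback window: ACCEPT turns CAN-YYYY-NNNN into
        CVE-YYYY-NNNN; either way the final voting record is reported."""
        if self.stage != "Interim Decision":
            raise RuntimeError("an interim decision must come first")
        decision, decided = self.interim
        if today < decided + timedelta(days=4):
            raise RuntimeError("the 4-day feedback window is still open")
        self.stage = "Final Decision"
        if decision == "ACCEPT":
            self.name = "CVE-" + self.name[len("CAN-"):]
        return decision, self.name, dict(self.votes)


if __name__ == "__main__":
    c = Candidate("CAN-2001-0019", date(2002, 6, 1))
    for member, choice in [("alice", "ACCEPT"), ("bob", "NOOP"), ("carol", "ACCEPT")]:
        c.vote(member, choice)
    print(c.interim_decision(date(2002, 6, 15)))
    print(c.final_decision(date(2002, 6, 19)))
```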

Page 24:

Entry Stage

CVE-YYYY-NNNN

Modification
• Minor modifications
• Add references
• Change description

Reassessment
• New information may force a re-examination of the entry
• Level of abstraction may need to be changed
• May be a duplicate
• May not be a problem after all

Deprecation
• May need to “delete” an existing entry (e.g. duplicate entries)
• But, some products may still use this number
• Register the “deletion” but keep entry available for review

Publication
• Publish new CVE version and difference report

Page 25:

Outline for: A Progress Report on the CVE Initiative

Page 26:

Content Decisions

• Explicit guidelines for content of CVE entries
– Ensure and publicize consistency within CVE
– Provide “lessons learned” for researchers
– Document differences between vulnerability “views”

• Three basic types
– Inclusion: What goes into CVE? What doesn’t, and why?
– Level of Abstraction: One or many entries for similar issues?
– Format: How are CVE entries formatted?

• Difficult to document
– “[It’s] like trying to grasp wet corn starch” (Board member)

Incomplete information is the bane of consistency - and content decisions!

Page 27:

Example Content Decision: SF-LOC (Software Flaws/Lines of Code)

Create separate entries for problems in the same program that are of different types, or that appear in different software versions.

• Older versions of this CD distinguished between problems of the same type
– “Split-by-default” approach generated “too many” candidates
– Also “unfair” to vendors with source code or detailed reports
– Once produced 8 candidates where other tools and databases would have created only 1 vulnerability record

• Affected by amount of available information
– Especially source code and exploit details

• For all candidates affected by SF-LOC, see:
– http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CD:SF-LOC

Page 28:

SF-LOC Examples

• CAN-2001-0019 is clearly different than CAN-2001-0020
– But a single patch fixes both problems

• CAN-2001-0019 could be 1, 2, or 6 vulnerabilities

CAN-2001-0020: Directory traversal vulnerability in Arrowpoint (aka Cisco Content Services, or CSS) allows local unprivileged users to read arbitrary files via a .. (dot dot) attack

CAN-2001-0019: Arrowpoint (aka Cisco Content Services, or CSS) allows local users to cause a denial of service via a long argument to the “show script,” “clear script,” “show archive,” “clear archive,” “show log,” or “clear log” commands. (6 failure points)

CAN-2000-0971: Avirt Mail 4.0 and 4.2 allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long "RCPT TO" or "MAIL FROM" command. (2 failure points)

CAN-2000-0686: Auction Weaver CGI script 1.03 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack in the fromfile parameter.

CAN-2000-0687: Auction Weaver CGI script 1.03 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) attack in the catdir parameter. (together: 2 failure points)

Page 29:

Why CAN-2001-0019 Could Identify 1, 2, or 6 Vulnerabilities

    /* Scenario 1: six unbounded copies, one per command/argument pair (6 failure points). */
    if (strcmp(cmd, "show") == 0) {
        if (strcmp(arg1, "script") == 0) { strcpy(str, long_input); show_script(str); }
        else if (strcmp(arg1, "archive") == 0) { strcpy(str, long_input); show_archive(str); }
        else if (strcmp(arg1, "log") == 0) { strcpy(str, long_input); show_log(str); }
    } else if (strcmp(cmd, "clear") == 0) {
        if (strcmp(arg1, "script") == 0) { strcpy(str, long_input); clear_script(str); }
        else if (strcmp(arg1, "archive") == 0) { strcpy(str, long_input); clear_archive(str); }
        else if (strcmp(arg1, "log") == 0) { strcpy(str, long_input); clear_log(str); }
    }

    /* Scenario 2: a single unbounded copy before the command is dispatched (1 failure point). */
    strcpy(arg, long_input);
    if (strcmp(cmd, "show") == 0) { process_show_command(arg); }
    else if (strcmp(cmd, "clear") == 0) { process_clear_command(arg); }

    /* Scenario 3: one unbounded copy per top-level command (2 failure points). */
    if (strcmp(cmd, "show") == 0) { strcpy(str, long_input); process_show_command(str); }
    else if (strcmp(cmd, "clear") == 0) { strcpy(str, long_input); process_clear_command(str); }

• 3 different source code scenarios
• Without actual source, can’t be sure which scenario is true
• Even with source, there are different ways of counting
• Multiple format string problems are especially difficult to distinguish

Page 30:

Outline for: A Progress Report on the CVE Initiative

Page 31:

CVE Editorial Board

• Includes mostly technical representatives from 35 different organizations including researchers, tool vendors, response teams, and end users
• Reviews and approves CVE entries
• Discusses issues related to CVE maintenance
• Holds monthly meetings (face-to-face or phone)
• Maintains publicly viewable mailing list archives [cve.mitre.org/board/archives]

[cve.mitre.org/board/boardmembers.html]

Page 32:

Editorial Board Roles, Tasks, and Qualifications

• Minimum Expectations
• Tasks for All Members
• Technical Member Tasks
• Liaison Tasks
• Advocate Tasks
• Emeritus Tasks
• Recognition of Former Members
• Roles for MITRE

[cve.mitre.org/board/edroles.html]

Page 33:

CVE Senior Advisory Council Objectives and Roles

...The CVE Council is established to ensure that the CVE program receives the sponsorship, including funding and guidance, required to maximize the effectiveness of this program ...

Council Roles

• Act as a catalyst for CVE and related activities.
• Assure funding for the core CVE activity over the long term including outreach to Government organizations and agencies.
• Discuss community needs and possible new CVE services.
• Promote the adoption of CVE at the strategic level.
• Business planning & prioritization.
• Discuss CVE and related security policy implications for the Federal Government.
• Identify CVE related materials & resources for use by Government CIOs and senior managers.

Page 34:

CVE Senior Advisory Council Members

Co-Chairs:
• John Gilligan, CIO of the USAF, and Co-chair of the Architecture/Interoperability Committee of the CIO Council
• Sallie McDonald, GSA Assistant Commissioner Office of Info Assurance and Critical Infrastructure Protection

Participating Organizations
• Department of the Treasury
• Department of Energy
• Department of Labor
• Department of Health and Human Services
• Internal Revenue Service
• National Institute of Standards and Technology
• Critical Infrastructure Assurance Office
• National Infrastructure Protection Center
• Office of Management and Budget
• GSA, ASD/C3I, DISA, Air Force, NSA, Intelligence Community, NASA

Page 35:

Outline for: A Progress Report on the CVE Initiative

Page 36:

What does CVE-compatible mean?

• CVE-compatible means that a tool, database, web site, or security service can “speak CVE” and correlate data with other CVE-compatible items

• CVE-compatible means it meets the following requirements:
– Can find items by CVE name (CVE searchable)
– Includes CVE name in output for each item (CVE output)
– Explain the CVE functionality in their item’s documentation (CVE documentation)
– Provided MITRE with “vulnerability” item mappings to validate the accuracy of the product’s or service’s CVE entries
– Makes a good faith effort to keep mappings accurate

[cve.mitre.org/compatible/requirements.html]
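An added example, not MITRE's or any vendor's code, of what the requirements above mean for a product: a constructed vulnerability database is searched by CVE name (following a CAN-to-CVE rename so old references still resolve), reports CVE names in its output, and has its mappings validated against a constructed fragment of the CVE list, flagging malformed names, renamed candidates, unknown names and deprecated entries. The check ids, the list statuses, the rename and the placeholder deprecated entry CVE-1999-9999 are all constructed for the example.

```python
"""Added example, not MITRE's or any vendor's code: the CVE-compatibility
requirements (CVE searchable, CVE output, accurate mappings) exercised against a
constructed product database and a constructed fragment of the CVE list."""
import re

NAME_RE = re.compile(r"^(CAN|CVE)-(\d{4})-(\d{4})$")

# Constructed fragment of the CVE list: name -> status. CVE-1999-9999 is a made-up
# placeholder standing in for a deprecated entry (deprecated entries stay on the
# list so that products which still use the number can be checked).
CVE_LIST = {
    "CVE-1999-0067": "entry",
    "CVE-2001-0019": "entry",
    "CAN-2001-0020": "candidate",
    "CVE-1999-9999": "deprecated",
}
# Constructed record of a candidate that became an entry (CAN -> CVE rename).
RENAMED = {"CAN-2001-0019": "CVE-2001-0019"}

# Constructed product database: check id -> (title, CVE/CAN names it maps to).
PRODUCT_CHECKS = {
    "http-cgi-phf": ("phf CGI allows remote command execution", ["CVE-1999-0067"]),
    "css-show-dos": ("CSS long command argument denial of service", ["CAN-2001-0019"]),
    "css-traversal": ("CSS directory traversal", ["CAN-2001-0020"]),
    "old-finger": ("finger information leak", ["CVE-1999-9999"]),
    "typo-check": ("check with a malformed reference", ["CVE-1999-67"]),
}


def valid_name(name):
    """CAN-YYYY-NNNN or CVE-YYYY-NNNN, nothing else."""
    return NAME_RE.match(name) is not None


def resolve(name, renamed=RENAMED):
    """Follow a CAN -> CVE rename so an old reference still finds the item."""
    return renamed.get(name, name)


def search_by_cve_name(checks, name, renamed=RENAMED):
    """'CVE searchable': check ids mapped to the name, before or after its rename."""
    target = resolve(name, renamed)
    return sorted(cid for cid, (_title, names) in checks.items()
                  if any(resolve(n, renamed) == target for n in names))


def report_line(checks, cid):
    """'CVE output': every reported item carries its CVE name(s)."""
    title, names = checks[cid]
    return f"{cid}: {title} [{', '.join(names)}]"


def validate_mappings(checks, cve_list=CVE_LIST, renamed=RENAMED):
    """Mapping accuracy: (check id, name, problem) for every reference that is
    malformed, renamed, unknown to the CVE list, or points at a deprecated entry."""
    findings = []
    for cid, (_title, names) in checks.items():
        for name in names:
            if not valid_name(name):
                findings.append((cid, name, "malformed"))
            elif name in renamed:
                findings.append((cid, name, f"renamed to {renamed[name]}"))
            elif name not in cve_list:
                findings.append((cid, name, "unknown"))
            elif cve_list[name] == "deprecated":
                findings.append((cid, name, "deprecated"))
    return findings


if __name__ == "__main__":
    for cid in search_by_cve_name(PRODUCT_CHECKS, "CVE-2001-0019"):
        print(report_line(PRODUCT_CHECKS, cid))
    for finding in validate_mappings(PRODUCT_CHECKS):
        print("mapping problem:", finding)
```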

Page 37:

New CVE Compatibility Procedure (as of 18 June 2002)

• Consists of two parts (phase 1 and phase 2):
– Phase 1 - Compliance Declaration
= Item listed on Compatibility page and quote posted if given
– Phase 2 - Compliance Questionnaire
= Submitted response is evaluated by MITRE
= Upon concurrence with Questionnaire:
– Questionnaire response put on CVE site & mapping accuracy evaluated
= Upon completion of mapping accuracy evaluation
– Use of the CVE-Compatible logo granted
– Vendor free to refer to product or service as CVE-Compatible

• Status:
– Draft questionnaire developed/tested (takes ~ 3 days to do)
– “sample” questionnaire using CVE Web site created as example
– alpha- & beta-tests conducted with MITRE/Editorial Board
= Also discussed at length with ~30 organizations w/positive responses
– Revised Compatibility pages to support new processes

Page 38:

Examples of CVE-compatible items: The ICAT Metabase

http://icat.nist.gov

[Screenshots: ICAT search results listing CVE names; Government Computer News, 08.13.01]

Page 39:

Where CVE-compatible Items Have Come From and Where the New Ones Are Coming From (as of 25 June 2002)

[World map of organizations with CVE-compatible items, grouped by region:]

37 Organizations, 59 Items: Advanced Research Corporation; ArcSight, Inc.; Application Security, Inc.; BindView Corporation; CERIAS, Purdue University; CERT/CC; Cisco Systems, Inc.; Citadel Security Software, Inc.; eEye Digital Security; Enterasys Networks, Inc.; Entercept SECURITY TECHNOLOGIES; ESecurityOnline; Foundstone, Inc.; Harris Corporation; ISS - Internet Security Systems, Inc.; KaVaDo Inc.; LURHQ Company; NCircle Network Security; NetiQ Corporation; Network Associates Inc.; Network Security Systems, Inc.; NFR Security, Inc.; NIST; Qualys, Inc.; Recourse Technologies, Inc.; SAINT Corporation; Sanctum Inc.; The SANS Institute; SecureInfo Corporation; SecurityFocus; Snort.Org; SpiDYNAMICS; Strongbox Security Inc.; Symantec Corporation; Tiger Testing Inc.; Tivoli Systems, Inc.; UCDavis Computer Security Laboratory; VIGILANTe.Com, Inc.

Red Hat Inc. (2 Items)

E*MAZE Networks S.P.A. (1 Item)

nSecure Software (P) Ltd. (1 Item)

Shake Communications Pty Ltd (1 Item)

INZEN CO., Ltd.; NetSecure Technology, Inc.; Penta Security Systems, Inc.; SecureSoft, Inc.; Wins Technet Co., Ltd. (9 Items)

SecurityWatch.Com (1 Item)

Alliance Qualité Logiciel; Cert-IST; INTRANODE Software Technologies; INTRINsec; The Nessus Project (5 Items)

E-Soft Inc. (1 Item)

EsCERT-UPC (1 Item)

N-Stalker, Inc. (1 Item)

China National Computer Software & Technology Service Corporation; FuJian RongJi Software Development Company, Ltd; NSFOCUS Information Technology Co., Ltd; Tsinghua UnisNet Ltd.; Venus Information Technology Inc. (9 Items)

Page 40:

Timeline of CVE Compatibility Declarations (as of 18 June 2002)

[Chart: cumulative CVE compatibility declarations by month, October 1999 through July 2002, y-axis 0 to 100]

Now at 92 products and services from 61 organizations

Page 41:

Several Parts of the Federal Government Have Called for the Use of CVE and CVE-Compatible products

http://www.acq.osd.mil/dsb/tfreports.htm
http://csrc.nist.gov/publications/drafts/Use_of_the_CVE.PDF

Furthermore, preference should be given to products that are Compatible with the Common Vulnerabilities and Exposures (CVE) list.

Federal departments and agencies should…
1. give substantial consideration to ... [CVE-compatible] products and services.
2. periodically monitor their systems for applicable vulnerabilities listed in ... CVE
3. use [CVE] in their descriptions and communications of vulnerabilities

Page 42:

Outline for: A Progress Report on the CVE Initiative

Page 43:

Challenge: Improving the Naming Scheme

• Some benefits with the current naming scheme
– Compact
– Candidate/entry status encoded within the name
– Most CAN-YYYY-NNNN will become CVE-YYYY-NNNN
– Removes debate about what a “good” name is

• Some issues
– Changing a CAN to a CVE incurs maintenance costs
– Differences not obvious to casual users
– Year segment can be misunderstood as year of discovery
– Name is not atomic in most search engines, thus difficult to find
– Maximum 10,000 candidates per year (CAN-10K problem)

• Once public, names must not disappear without explanation
– Deprecated entries, rejected candidates... even typos
– Mappings from old to new names

Any change to the CVE naming scheme will impact many users.

Page 44:

Managing the Scope of the CVE List

• What issues should be included?
– Exposures (CD:DEFINITION)
= e.g., running finger
= Highly controversial topic before CVE was even public
– Beta software (CD:EX-BETA)
– Online services / ASPs (CD:EX-ONLINE-SVC)
– Client-side DoS (CD:EX-CLIENT-DOS)
– Vague vendor advisories (CD:VAGUE)

• Malicious code (viruses, Trojans)

• Configuration problems
– Challenges in abstraction
= Default passwords: 1 CVE, or hundreds?
– Blurry lines between policy, security, and environment

• Large-scale analyses, e.g. PROTOS

• Voting: how much confidence is needed for official CVE entries?

• Timeliness: Fast and noisy or slow and stable?

• Intrusion events that do not map to vulnerabilities

Page 45:

Applicability of CVE to IDS

CVE:
• Vulnerabilities and exposures
• System states
• Atomic entities
• Easier to classify
• Tools less varied
• Similar levels of granularity
• Easier to match across tools
• Many public databases
• Known and provable vulnerabilities

IDSes:
• Exploits, detects, decodes, anomalies, reconnaissance, probes, scans, malware...
• Events
• Hybrid entities
• Harder to classify
• Tools more varied
• Multiple levels of granularity
• Harder to match across tools
• One public “database”
• Bad cut-and-paste between signatures, scans for incorrect vulnerability reports

Page 46: CIEL (Common Intrusion Event List)

• Standardize names for IDS events
  – Use lessons learned from CVE
  – Handle multiple levels of abstraction
  – Ease of use
  – Independent of the methods used to detect the event

• Past activities (2001)
  – Draft CIEL with almost 40 high-level entries created by MITRE
    - Effectively a draft taxonomy
    - Too complex
    - Did not achieve exhaustiveness and mutual exclusiveness

• CIEL Working Group
  – First meeting in March 2001
  – Part of the CVE Editorial Board
  – Structure, membership, and process TBD

• Current CIEL
  – Names formed from attributes

Page 47: CVE in Incident Handling

• Current activity summaries
  – Which vulnerabilities are being actively exploited?

• Incident reports
  – CVE clarifies which vulnerability was exploited

• Simplifies data collection from multiple sources
• Share incident data across teams
• Share data across language barriers

Page 48: Responsible Disclosure and CVE: A Case Study

• CVE analysis includes distinguishing between similar issues
• Reporters who reserve CVE candidates must follow good disclosure practices to minimize errors

• When reporter and vendor do not work closely together
  – Multiple CVEs assigned to the same issue
    - Reporter describes the symptom, vendor describes the problem
  – Inaccurate, incomplete, or unverified reports

• When vendors do not acknowledge the vulnerability
  – Less likely that the Editorial Board will accept a candidate
  – Too resource-intensive to verify every report

• When vendors do not include sufficient details in advisories
  – Can be difficult to tell which vulnerability was fixed
  – Change logs can be vague
  – Even credits aren’t always enough!
  – Source diffs (when available) may be insufficient

Page 49: The CVE Strategy

Diagram, left to right along the discovery-time axis:
• Unreviewed: Bugtraqs, mailing lists, hacker sites
• Reviewed advisories: CERT, CIAC, vendor advisories
• Security products: scanners, intrusion detection, vulnerability databases
• Commercial S/W products: update and fix sites & update mechanisms
• Policy: methodologies, purchasing requirements, education

Strategy steps:
1. Inject CVE names into advisories
2. Establish CVE at the security product level in order to ...
3. ... enable CVE to permeate the policy level.
4. Establish CVE in vendor fix-it sites and update mechanisms

CVE names have been included in initial advisories from ISS X-Force, Rain Forest Puppy, IBM, @stake, BindView, CERT/CC, HP, SGI, COMPAQ, Microsoft, Ernst & Young, eEye, CISCO, Rapid 7, NSFOCUS, Sanctum, SecurityFocus, VIGILANTe, Red Hat, Apache, and Apple.

• SANS / FBI Top 20 uses CVE names
• Network Computing IDS & Scanner Comparisons included CVE
• Draft NIST Rec. calls for use of CVE
• DSB Report calls for CVE compatibility
• Network World IDS Comparison included CVE coverage

Where are we? (as of 18 June 2002)
• 2223 CVE Entries -- 2419 Candidates.
• 92 CVE-compatible products from 61 groups.
• 54 more from 27 others in “the works”.
• Adding CVE names broached with 13 groups.

Page 50: Progress in a Nutshell

Areas:
• Vulnerability Scanners
• Incident Response & Reporting
• Vulnerability Web Sites & Databases
• Software Vendor Patches
• Intrusion Detection Systems
• Security Advisories
• Priority Lists
• Research

Highlights:
• 400+ CANs Reserved
• SANS Top 20
• CIEL
• Broached w/ 13 vendors
• FIRST
• ICAT
• Cassandra
• Scanner Comparisons

Page 51: For More Information

CVE web site: http://cve.mitre.org
