Common Vulnerabilities and Exposures (CVE)
September 29, 1999
Pete Tasker
Margie Zuk
Steve Christey, Dave Mann
Bill Hill, Dave Baker
Where Does CVE Fit?
Before CVE: Same Problem, Different Names

Ten organizations, ten names for the same phf CGI vulnerability:

Organization   Name
CERT           CA-96.06.cgi_example_code
CyberSafe      Network: HTTP 'phf' Attack
ISS            http-cgi-phf
AXENT          phf CGI allows remote command execution
Bugtraq        PHF Attacks – Fun and games for the whole family
BindView       #107 – cgi-phf
Cisco          #3200 – WWW phf attack
IBM ERS        Vulnerability in NCSA/Apache Example Code
CERIAS         http_escshellcmd
L-3            #180 HTTP Server CGI example code compromises http server
After CVE: One Common Language

Description                                          Name
ToolTalk (rpc.ttdbserverd) buffer overflow           CVE-1999-0003
Buffer overflow in qpopper                           CVE-1999-0006
CGI phf program allows remote command execution      CVE-1999-0067
Windows NT debug-level access bug (a.k.a. Sechole)   CVE-1999-0344
How was CVE Developed? From Tools and Vulnerability Mappings

[Figure: cross-reference matrix. Rows are CVE names CVE-XXXX-0001 through CVE-XXXX-0004; columns are the sources Tool A, Tool B, DB 1, DB 2 and Hacker Site. An X marks each source that has its own name for the vulnerability in that row. The individual X marks are not recoverable from the extracted text.]
Who Developed CVE?
The CVE Editorial Board
Tool Vendors
Andy Balinsky - Cisco
Scott Blake - Bindview
Natalie Brader - L-3 Security
Rob Clyde - AXENT
Andre Frech - ISS
Kent Landfield - NFR
Craig Ozancin - AXENT
Paul E. Proctor - CyberSafe
Mike Prosser - L-3 Security
Steve Snapp - CyberSafe
Bill Wall - Harris
Kevin Ziese - Cisco
MITRE
Steve Christey (Chair)
Bill Hill
David Mann
Dave Baker
Response Teams
Bill Fithen - CERT Coordination Center / Carnegie Mellon University
Academic/Educational
Matt Bishop - UC Davis Computer Security Lab
Alan Paller - SANS Institute
Gene Spafford - Purdue University CERIAS
Pascal Meunier - Purdue University CERIAS
Network Security
Kelly Cooper - GTE Internet
Other Security Analysts
Russ Cooper - NTBugtraq
Marc Dacier - IBM
Elias Levy - Bugtraq, Security Focus
Steve Northcutt - OSD/BMDO
Adam Shostack - Zero-Knowledge Sys
Stuart Staniford-Chen - Silicon Defense
What are the Benefits of CVE?
• Provides common language for referring to problems
• Facilitates data sharing among
- Intrusion Detection Systems (IDSes)
- Assessment tools
- Vulnerability databases
- Researchers
- Incident response teams
• Will lead to improved security tools
- More comprehensive, better comparisons, interoperable
- Indications and warning systems
• Will spark further innovations
- Focal point for discussing critical database content issues (e.g. configuration problems)
What’s Next for CVE?
• SANS Network Security Conference (Oct. 6)
- Training for 1000 system administrators
- Jeffrey Hunker (NSC) keynote
- Intrusion detection live exercise (IDnet)
- Booth with editorial board members & demo
• National Information Systems Security Conference (Oct. 19)
- Two booths: with NIAP and with vendors
• Editorial Board works through resolution of remaining naming issues
• Enhancements provided to the CVE web site to make it more useful
• Expand CVE impact and community through outreach
- Add other vendor tools, vulnerability sites, applications
CVE: Fostering Better Protection through Better Information Sharing
Additional Detail
CVE Timeline
• "Towards a Common Enumeration of Vulnerabilities," 2nd CERIAS Workshop on Vulnerability Databases (January 1999)
• Initial creation of Draft CVE (Feb-April 1999)
- 663 vulnerabilities
- Data derived from security tools, hacker site, advisories
• Formation of Editorial Board (April-May 1999)
• Validation of Draft CVE (May-Sept 1999)
• Creation of validation process (May-Sept 1999)
• Discussion of high-level CVE content (July-ongoing 1999)
• Public release (September 1999)
The CVE Editorial Board
• Experts from more than 19 security-related organizations
- Researchers, security tool vendors, mailing list moderators, vulnerability database owners, response teams, system administrators, security analysts
• Mailing list discussions
- Validation and voting for individual CVE entries
- High-level content decisions
• Meetings
- Face-to-Face
- Teleconference
• Membership on an as-needed or as-recommended basis
Bringing New Entries into the CVE
• Assignment
- Candidate number CAN-1999-XXXX to distinguish from validated CVE entry
- Candidate Numbering Authority (CNA) reduces "noise"
• Proposal
- Announcement and discussion
- Voting: Accept, Modify, Reject, Recast, Reviewing
• Modification
• Interim Decision
• Final Decision
- CVE name(s) assigned if candidate is accepted
• Publication on CVE web site