CVE - Mitre - Common Vulnerabilities and Exposures

The Development of a
Common Vulnerability
Enumeration Vulnerabilities
and Exposures List
Steven M. Christey
David W. Baker
William H. Hill
David E. Mann
The MITRE Corporation
Outline
• Description
• Examples
• Applications to IDS
• Activities
• Editorial Board
What is the CVE (Common Vulnerabilities and Exposures List)?
• A list of common information systems security problems (but CISSP was taken)
• Vulnerabilities
  Problems that are universally thought of as “vulnerabilities” in any security policy
  - Software flaws that could directly allow serious damage
  - phf, ToolTalk, Smurf, rpc.cmsd, etc.
• Exposures
  Problems that are sometimes thought of as “vulnerabilities” in some security policies
  - Stepping stones for a successful attack
  - Running finger, poor logging practices, etc.
CVE Goals
• Enumerate all publicly known problems
• Assign a standard, unique name to each problem
• Exist independently of multiple perspectives
• Be publicly open and shareable, without distribution restrictions
Why the CVE?
• Provide common language for referring to problems
• Facilitate data sharing between
  - IDSes
  - Assessment tools
  - Vulnerability databases
  - Academic research
  - Incident response teams
• Foster better communication across the community
• Get better tools that interoperate across multiple vendors
Sample CVE Entries
Name            Description
CVE-1999-0003   ToolTalk (rpc.ttdbserverd) buffer overflow
CVE-1999-0006   Buffer overflow in qpopper
CVE-1999-0067   Shell metacharacters in phf
CVE-1999-0344   Windows NT debug-level access bug (a.k.a. Sechole)
Sample CVE Mapping
[Table: rows CVE-XXXX-0001, CVE-XXXX-0002, CVE-XXXX-0003, CVE-XXXX-0004; columns CVE Name, Tool A, Tool B, DB 1, DB 2, Hacker Site. An X in a cell marks that the source in that column has an entry for the CVE name in that row; the cell positions of the X marks did not survive extraction.]
CVE for IDS
• Standard name for vulnerability-related attacks
• Interoperability
  - Multi-vendor compatibility
  - Correlate with assessment tool results to reduce false positives
  - Share incident data
• Consistency of reports
• IDS comparisons
  - Accuracy, coverage, performance
• Common attack list
• DARPA CIDF and IETF IDWG
CVE from Vulnerability Assessment to IDS
[Diagram: three questions linked by shared CVE names]
Do my systems have these problems?
  Popular Attacks: CVE-1, CVE-2, CVE-3, CVE-4
Which tools test for these problems?
  Tool 1: CVE-1, CVE-2, CVE-3
  Tool 2: CVE-3, CVE-4
Does my IDS have the signatures?
  IDS: CVE-1, CVE-3, CVE-4
I can’t detect exploits of CVE-2 - how well does Tool 1 check for it?
CVE from Attacks to Incident Recovery
[Diagram: an IDS alert correlated with assessment results by CVE name]
I detected an attack on CVE-3. Did my assessment say my system has the problem?
  Tool 1: CVE-1, CVE-2, CVE-3
  Tool 2: CVE-3, CVE-4
YES
  Clean up
  Close the hole
  Report the incident
    Public Databases: CVE-2, CVE-3
    Advisories: CVE-1, CVE-2, CVE-3
NO
  Don’t send an alarm
  But the attack succeeded! Tell your vendor
  Go to YES
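The two diagrams above (and the "correlate with assessment tool results to reduce false positives" point on the CVE for IDS slide) all depend on one idea: because every tool, database and IDS uses the same CVE name for the same problem, their outputs can be joined on that name. The following is an added example, not code from the slides or from MITRE, that performs that join. The coverage sets and per-host assessment results are constructed to match the diagrams (Tool 1, Tool 2, an IDS, CVE-1 to CVE-4); the "untested" verdict for a name no tool ever checked is an assumption of this example, since the diagram only shows the YES and NO branches.

```python
"""Joining assessment coverage, IDS signatures and IDS alerts on CVE names.

Added example; the data below is constructed to mirror the slide diagrams.
"""
from typing import Dict, Iterable, List, Set

# The "Popular Attacks" box: the problems we care about (constructed).
POPULAR_ATTACKS: Set[str] = {"CVE-1", "CVE-2", "CVE-3", "CVE-4"}

# "Which tools test for these problems?": CVE names each tool can check (constructed).
TOOL_COVERAGE: Dict[str, Set[str]] = {
    "Tool 1": {"CVE-1", "CVE-2", "CVE-3"},
    "Tool 2": {"CVE-3", "CVE-4"},
}

# "Does my IDS have the signatures?": CVE names the IDS can detect (constructed).
IDS_SIGNATURES: Set[str] = {"CVE-1", "CVE-3", "CVE-4"}

# Assessment results for one host, per tool (constructed): True = problem present.
ASSESSMENT_RESULTS: Dict[str, Dict[str, bool]] = {
    "Tool 1": {"CVE-1": False, "CVE-2": True, "CVE-3": True},
    "Tool 2": {"CVE-3": True, "CVE-4": False},
}


def tools_testing(cve: str, coverage: Dict[str, Set[str]] = TOOL_COVERAGE) -> List[str]:
    """Which assessment tools test for this CVE name?"""
    return sorted(tool for tool, names in coverage.items() if cve in names)


def untested_attacks(attacks: Iterable[str],
                     coverage: Dict[str, Set[str]] = TOOL_COVERAGE) -> Set[str]:
    """Popular attacks that no assessment tool tests for (a coverage gap)."""
    tested: Set[str] = set().union(*coverage.values())
    return set(attacks) - tested


def missing_signatures(attacks: Iterable[str],
                       signatures: Set[str] = IDS_SIGNATURES) -> Set[str]:
    """Popular attacks the IDS cannot detect; on the slide this is CVE-2."""
    return set(attacks) - signatures


def correlate_alert(cve: str,
                    results: Dict[str, Dict[str, bool]] = ASSESSMENT_RESULTS) -> Dict[str, object]:
    """Triage an IDS alert on `cve` against assessment results for the same name.

    'vulnerable' and 'not vulnerable' are the diagram's YES and NO branches;
    'untested' (no tool checked this name on the host) is this example's
    assumption: escalate rather than silently suppress.
    """
    findings = {tool: r[cve] for tool, r in results.items() if cve in r}
    if not findings:
        verdict = "untested"
        actions = ["escalate: no assessment tool tested for this problem"]
    elif any(findings.values()):
        verdict = "vulnerable"
        actions = ["clean up", "close the hole", "report the incident"]
    else:
        verdict = "not vulnerable"
        actions = ["don't send an alarm",
                   "if the attack succeeded anyway, tell your vendor and handle as vulnerable"]
    return {"cve": cve, "findings": findings, "verdict": verdict, "actions": actions}


if __name__ == "__main__":
    print("no tool tests:", untested_attacks(POPULAR_ATTACKS))
    print("no IDS signature:", missing_signatures(POPULAR_ATTACKS))
    for name in ("CVE-3", "CVE-4", "CVE-9"):
        print(correlate_alert(name))
```

Run as a script it prints the coverage gaps and the triage for three alerts; CVE-3 lands on the YES branch because both tools found the problem, CVE-4 on the NO branch, and the constructed CVE-9 (never tested) is escalated rather than dropped.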
CVE Timeline
• “Towards a Common Enumeration of Vulnerabilities,” 2nd CERIAS Workshop on Vulnerability Databases (January 1999)
• Initial creation of Draft CVE (Feb-April 1999)
  663 vulnerabilities
  Data derived from security tools, hacker site, advisories
• Formation of Editorial Board (April-May 1999)
• Validation of Draft CVE (May-Sept 1999)
• Creation of validation process (May-Sept 1999)
• Discussion of high-level CVE content (July-Sept 1999)
• Public release (Real Soon Now)
The CVE Editorial Board
• Experts from more than 15 security-related organizations
  - Researchers, security tool vendors, mailing list moderators, vulnerability database owners, response teams, system administrators, security analysts
• Mailing list discussions
  - Validation and voting for individual CVE entries
  - High-level content decisions
• Meetings
  - Face-to-Face
  - Teleconference
• Membership on an as-needed or as-recommended basis
Bringing New Entries into the CVE
• Assignment
  - Candidate number CAN-1999-XXXX to distinguish from validated CVE entry
  - Candidate Numbering Authority (CNA) reduces “noise”
• Proposal
  - Announcement and discussion
  - Voting: Accept, Modify, Reject, Recast, Reviewing
• Modification
• Interim Decision
• Final Decision
  - CVE name(s) assigned if candidate is accepted
• Publication
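The steps on this slide form one pipeline: a Candidate Numbering Authority hands out a CAN-YYYY-NNNN number, the Editorial Board votes using the five values listed, and a CVE name is assigned only when the final decision accepts the candidate. The code below is an added example, not MITRE's process code, that models that pipeline. Everything the slide does not state is an assumption of the example: the decision rule (accepted when at least three Accept votes and no Reject or Recast votes), the convention that an accepted candidate keeps its number when it becomes a CVE name, and the rule that a candidate may not skip stages. The name pattern accepts four or more digits so it also handles the later CVE name syntax, not only the four-digit names shown on the slides.

```python
"""CAN-to-CVE candidate lifecycle (added example; rules marked as assumptions)."""
import re
from typing import Dict, Optional, Tuple

# Slide names use four digits (CVE-1999-0003); later syntax allows four or more.
NAME_RE = re.compile(r"^(CVE|CAN)-(\d{4})-(\d{4,})$")

# The five votes listed on the slide.
VOTES = ("Accept", "Modify", "Reject", "Recast", "Reviewing")

# The stages listed on the slide, in order.
STAGES = ("Assignment", "Proposal", "Modification",
          "Interim Decision", "Final Decision", "Publication")


def parse_name(name: str) -> Tuple[str, int, int]:
    """Split 'CAN-1999-0001' or 'CVE-1999-0003' into (kind, year, sequence)."""
    m = NAME_RE.match(name.strip().upper())
    if not m:
        raise ValueError(f"not a CVE or candidate name: {name!r}")
    return m.group(1), int(m.group(2)), int(m.group(3))


class Candidate:
    def __init__(self, can_name: str, description: str) -> None:
        self.can_name = can_name
        self.description = description
        self.stage = "Assignment"
        self.votes: Dict[str, str] = {}      # board member -> vote
        self.cve_name: Optional[str] = None  # set only on acceptance

    def advance(self, stage: str) -> None:
        """Move exactly one stage forward (assumption: no skipping)."""
        if STAGES.index(stage) != STAGES.index(self.stage) + 1:
            raise ValueError(f"cannot go from {self.stage!r} to {stage!r}")
        self.stage = stage

    def vote(self, member: str, value: str) -> None:
        """Record a board member's vote; only the slide's five values are valid."""
        if self.stage != "Proposal":
            raise ValueError("votes are cast during the Proposal stage")
        if value not in VOTES:
            raise ValueError(f"unknown vote {value!r}; expected one of {VOTES}")
        self.votes[member] = value

    def tally(self) -> Dict[str, int]:
        return {v: sum(1 for x in self.votes.values() if x == v) for v in VOTES}

    def decide(self, min_accept: int = 3) -> bool:
        """Constructed decision rule: enough Accept votes and no Reject/Recast."""
        t = self.tally()
        return t["Accept"] >= min_accept and t["Reject"] == 0 and t["Recast"] == 0


class CandidateNumberingAuthority:
    """Assigns CAN numbers per year and promotes accepted candidates to CVE names."""

    def __init__(self) -> None:
        self._next: Dict[int, int] = {}
        self.candidates: Dict[str, Candidate] = {}

    def assign(self, year: int, description: str) -> Candidate:
        seq = self._next.get(year, 1)
        self._next[year] = seq + 1
        cand = Candidate(f"CAN-{year}-{seq:04d}", description)
        self.candidates[cand.can_name] = cand
        return cand

    def finalize(self, cand: Candidate) -> Optional[str]:
        """Run Modification -> Interim -> Final; assign a CVE name if accepted.

        Assumption: the accepted entry keeps the candidate's number.
        """
        for stage in ("Modification", "Interim Decision", "Final Decision"):
            cand.advance(stage)
        if cand.decide():
            _, year, seq = parse_name(cand.can_name)
            cand.cve_name = f"CVE-{year}-{seq:04d}"
            cand.advance("Publication")
        return cand.cve_name


if __name__ == "__main__":
    cna = CandidateNumberingAuthority()
    cand = cna.assign(1999, "constructed: buffer overflow in an example daemon")
    cand.advance("Proposal")
    for member in ("member-a", "member-b", "member-c"):
        cand.vote(member, "Accept")
    print(cand.can_name, "->", cna.finalize(cand), cand.tally())
```

The script walks one constructed candidate from assignment through publication; a candidate that collects a Reject vote finishes at Final Decision with no CVE name, which is the distinction the CAN prefix exists to make visible.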