CVE - Mitre - Common Vulnerabilities and Exposures
The Development of a Common Vulnerability Enumeration
(the Common Vulnerabilities and Exposures List)
Steven M. Christey
David W. Baker
William H. Hill
David E. Mann
The MITRE Corporation
Outline
Description
Examples
Applications to IDS
Activities
Editorial Board
What is the CVE (Common Vulnerabilities and Exposures List)?
A list of common information systems security problems (but CISSP was taken)
Vulnerabilities
Problems that are universally thought of as “vulnerabilities” in any security policy
- Software flaws that could directly allow serious damage
- phf, ToolTalk, Smurf, rpc.cmsd, etc.
Exposures
Problems that are sometimes thought of as “vulnerabilities” in some security policies
- Stepping stones for a successful attack
- Running finger, poor logging practices, etc.
CVE Goals
Enumerate all publicly known problems
Assign a standard, unique name to each problem
Exist independently of multiple perspectives
Be publicly open and shareable, without distribution restrictions
Why the CVE?
Provide common language for referring to problems
Facilitate data sharing between
- IDSes
- Assessment tools
- Vulnerability databases
- Academic research
- Incident response teams
Foster better communication across the community
Get better tools that interoperate across multiple vendors
Sample CVE Entries
Name           Description
CVE-1999-0003  ToolTalk (rpc.ttdbserverd) buffer overflow
CVE-1999-0006  Buffer overflow in qpopper
CVE-1999-0067  Shell metacharacters in phf
CVE-1999-0344  Windows NT debug-level access bug (a.k.a. Sechole)
Sample CVE Mapping
Table (matrix): rows are the CVE names CVE-XXXX-0001 through CVE-XXXX-0004; columns are the sources Tool A, Tool B, DB 1, DB 2 and Hacker Site; an X marks each source that has its own entry for that CVE name (the cell marks do not survive in this transcript).
CVE for IDS
Standard name for vulnerability-related attacks
Interoperability
- Multi-vendor compatibility
- Correlate with assessment tool results to reduce false positives
- Share incident data
Consistency of reports
IDS comparisons
- Accuracy, coverage, performance
Common attack list
DARPA CIDF and IETF IDWG
CVE from Vulnerability Assessment to IDS
Diagram: the same CVE names link three questions
“Do my systems have these problems?” - Popular Attacks: CVE-1, CVE-2, CVE-3, CVE-4
“Which tools test for these problems?” - Tool 1: CVE-1, CVE-2, CVE-3; Tool 2: CVE-3, CVE-4
“Does my IDS have the signatures?” - IDS: CVE-1, CVE-3, CVE-4
“I can’t detect exploits of CVE-2 - how well does Tool 1 check for it?”
CVE from Attacks to Incident Recovery
Diagram: an IDS alert is correlated with assessment results and public sources through the shared CVE names
“I detected an attack on CVE-3. Did my assessment say my system has the problem?”
Assessment results - Tool 1: CVE-1, CVE-2, CVE-3; Tool 2: CVE-3, CVE-4
Public Databases and Advisories, also indexed by CVE name (CVE-1, CVE-2, CVE-3)
YES: Clean up; Close the hole; Report the incident
NO: Don’t send an alarm. But the attack succeeded! Tell your vendor; go to YES
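The two diagrams above (assessment-to-IDS coverage and alert-to-assessment correlation) as an added example in Python; this is not code from the slides or from MITRE. The four CVE names are the ones listed on the "Sample CVE Entries" slide; which tool or IDS covers which name is constructed sample data, as is the CAN-/CVE- name check.

```python
import re

# Accepted entries use CVE-YYYY-NNNN; candidates awaiting Editorial Board
# votes use CAN-YYYY-NNNN. The exact syntax check is an assumption.
NAME_RE = re.compile(r"^(?P<status>CVE|CAN)-(?P<year>\d{4})-(?P<seq>\d{4,})$")

def parse_name(name):
    """Return (status, year, sequence) or raise ValueError for a malformed name."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a CVE/CAN name: {name!r}")
    return m["status"], int(m["year"]), int(m["seq"])

# Constructed sample data: the four names from the slides stand in for the
# diagram's CVE-1..CVE-4; the coverage sets are assumptions, not tool facts.
POPULAR_ATTACKS = {"CVE-1999-0003", "CVE-1999-0006", "CVE-1999-0067", "CVE-1999-0344"}
ASSESSMENT_TOOLS = {
    "Tool 1": {"CVE-1999-0003", "CVE-1999-0006", "CVE-1999-0067"},
    "Tool 2": {"CVE-1999-0067", "CVE-1999-0344"},
}
IDS_SIGNATURES = {"CVE-1999-0003", "CVE-1999-0067", "CVE-1999-0344"}

def coverage_report(attacks, tools, ids_signatures):
    """For each attack: which assessment tools test for it and whether the IDS
    has a signature for it (the 'Assessment to IDS' slide)."""
    report = {}
    for name in sorted(attacks):
        parse_name(name)  # reject anything that is not a proper CVE/CAN name
        report[name] = {
            "tested_by": sorted(t for t, covered in tools.items() if name in covered),
            "ids_detects": name in ids_signatures,
        }
    return report

def undetectable_attacks(report):
    """Attacks the IDS cannot detect, with the tools that can at least assess
    for them (the 'I can't detect exploits of CVE-2' question)."""
    return {n: r["tested_by"] for n, r in report.items() if not r["ids_detects"]}

def triage_alert(cve_name, assessment_findings, attack_succeeded=False):
    """The 'Attacks to Incident Recovery' decision: correlate an IDS alert with
    the assessment findings recorded under the same CVE name."""
    parse_name(cve_name)
    if cve_name in assessment_findings:
        return "YES: clean up, close the hole, report the incident"
    if attack_succeeded:
        # Assessment missed a real problem: tell the vendor, then follow YES.
        return "NO but attack succeeded: tell your vendor; clean up, close the hole, report the incident"
    return "NO: don't send an alarm"
```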
CVE Timeline
“Towards a Common Enumeration of Vulnerabilities,” 2nd CERIAS Workshop on Vulnerability Databases (January 1999)
Initial creation of Draft CVE (Feb-April 1999)
663 vulnerabilities
Data derived from security tools, hacker site, advisories
Formation of Editorial Board (April-May 1999)
Validation of Draft CVE (May-Sept 1999)
Creation of validation process (May-Sept 1999)
Discussion of high-level CVE content (July-Sept 1999)
Public release (Real Soon Now)
The CVE Editorial Board
Experts from more than 15 security-related organizations
- Researchers, security tool vendors, mailing list moderators, vulnerability database owners, response teams, system administrators, security analysts
Mailing list discussions
- Validation and voting for individual CVE entries
- High-level content decisions
Meetings
- Face-to-Face
- Teleconference
Membership on an as-needed or as-recommended basis
Bringing New Entries into the CVE
Assignment
- Candidate number CAN-1999-XXXX to distinguish from validated CVE entry
Candidate Numbering Authority (CNA) reduces “noise”
Proposal
- Announcement and discussion
- Voting: Accept, Modify, Reject, Recast, Reviewing
Modification
Interim Decision
Final Decision
- CVE name(s) assigned if candidate is accepted
Publication