[ Date Prev ][ Date Next ][ Thread Prev ][ Thread Next ][ Date Index ][ Thread Index ]

Re: CNA Rules Announcement

To : Chandan Nandakumaraiah < cbn@juniper.net >
Subject : Re: CNA Rules Announcement
From : jericho < jericho@attrition.org >
Date : Sat, 8 Oct 2016 23:41:41 -0500
Authentication-results : spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=attrition.org;mitre.org; dkim=none (message not signed) header.d=none;
Cc : cve-cna-list < cve-cna-list@lists.mitre.org >, cve-editorial-board-list < cve-editorial-board-list@lists.mitre.org >
Delivery-date : Mon Oct 10 08:02:31 2016
Importance : high
In-reply-to : <aa36938b-cd80-a602-ec4c-8ad9633298ee@juniper.net>
List-help : < mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST >
List-owner : < mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG >
List-subscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG >
List-unsubscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG >
References : < MWHPR09MB1485225620B9A4E94B589A85A1C60@MWHPR09MB1485.namprd09.prod.outlook.com > < alpine.LNX.2.00.1610071348180.22653@forced.attrition.org > <21d6a5ec-f1ab-cc13-d159-4fef3991bbca@juniper.net> < alpine.LNX.2.00.1610071921490.22653@forced.attrition.org > <aa36938b-cd80-a602-ec4c-8ad9633298ee@juniper.net>
Sender : < owner-cve-editorial-board-list@lists.mitre.org >
Spamdiagnosticmetadata : 6cdb8bfc89744bd8bfee511e3e65aa05
Spamdiagnosticoutput : 1:2
User-agent : Alpine 2.00 (LNX 1167 2008-08-23)

On Fri, 7 Oct 2016, Chandan Nandakumaraiah wrote:

: > Moving forward sure, but retroactively trying to enforce that for
an issue
: > that is already abstracted to some degree does not work.
:
: Agreed. We need a statement or rule on the interaction between new
: assignments and assignments based on previous rules.

Also need to be careful if we unilaterally change the abstraction rules
for CVE if it breaks from a 16 year history.

: > Not sure every scanner does that. There is a lot of value in having
a
: > per-vendor finding in that case, else that single finding will come
with a
: > list of 250+ advisories that are not easily distinguished from each
other,
: > that carry the solution.
:
: We can not solve that problem by assigning 250+ different CVEs for a
: common vulnerability. That would be like going back to pre-CVE era,
: isn't it?

No. Pre-CVE there was BID (for 6 months) and X-Force (for 2 years),
neither of which really faces these kind of protocol vulns. There are
merits of each abstraction method and we should weigh the pros and cons
looking forward, not back.

: What if the product-vendor being scanned had never produced an
advisory
: or fix for the 'POODLE for TLS' issue? Which of the many CVEs should
the
: scanner use to reference that unique issue?

If they do it right, they don't reference a CVE in that case. That is
perhaps the most critically dangerous notion the board, or anyone in
security, could have; that you *must* have a CVE for it to be a valid
security issue or that an issue without a CVE is some kind of weird
thing,
when it absolutely is not. In fact, that is the norm [1] for many
companies.

Brian

[1]
http://www.csoonline.com/article/3122460/techology-business/over-6000-vulnerabilities-went-unassigned-by-mitres-cve-project-in-2015.html

References :
- CNA Rules Announcement
  - From: "Coffin, Chris" <ccoffin@mitre.org>
- Re: CNA Rules Announcement
  - From: jericho <jericho@attrition.org>
- Re: CNA Rules Announcement
  - From: jericho <jericho@attrition.org>

Prev by Date: Re: CNA Rules Announcement
Next by Date: Re: CNA Rules Announcement
Previous by thread: Re: CNA Rules Announcement
Next by thread: RE: CNA Rules Announcement
Index(es):
- Date
- Thread