
RE: CVE-2017-7269 and abandonware



> Yes, cases like this should get CVE IDs.  My question was who assigns
> them, so CNA rules/guidance.

Page 5 of the current CNA rules states:
"In cases where requests or issues cannot be resolved by a given CNA,
the issues are escalated to the next higher level CNA."

We may want to provide examples of the kinds of issues that might cause
escalations, but I think this would cover it.


> So the vendor CNA did not issue an ID, then the MITRE CNA did?

Yes.


> Requestor explicitly asks vendor CNA for an ID, vendor explicitly
> says no or does not respond in a reasonable period of time, requestor
> has email evidence to support this exchange?

This sounds reasonable to me, though I figured others might want to
discuss this a bit further.


> And like G.I. Joe says "knowing is half the battle".

Still bummed I never got the aircraft carrier toy as a kid. :-)
http://www.yojoe.com/vehicles/85/ussflagg/


Chris


-----Original Message-----
From: Art Manion [mailto:amanion@cert.org]
Sent: Thursday, March 30, 2017 11:01 AM
To: Kurt Seifried <kseifried@redhat.com>; Coffin, Chris
<ccoffin@mitre.org>
Cc: Landfield, Kent B <kent.b.landfield@intel.com>;
cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: CVE-2017-7269 and abandonware

On 2017-03-30 11:55, Kurt Seifried wrote:

> I know for a fact we have Linux that is 10 years out of support (EoL)
> and still in use, and if there was a flaw specific to that (and not
> newer versions) I would still CVE it so at least people are aware of
> the flaw's existence. And like G.I. Joe says "knowing is half the
> battle".

Yes, cases like this should get CVE IDs.  My question was who assigns
them, so CNA rules/guidance.

> On Thu, Mar 30, 2017 at 8:48 AM, Coffin, Chris <ccoffin@mitre.org
> <mailto:ccoffin@mitre.org>> wrote:
>
>     I agree with Kent's perspective on this.

Me too.

>     In this specific case, the discoverer contacted the CNA and
>     received a case number. However, they were told that the
>     unsupported/obsolete product was outside the scope of the CNA.

So the vendor CNA did not issue an ID, then the MITRE CNA did?

>     > Is the vendor CNA primarily responsible, if one exists?
>
>     Yes. We should always give them the opportunity and redirect to
>     them first if they exist. If they refuse, then a next available
>     CNA could be contacted. One item for the Board discussion: as the
>     backup CNA, how would we verify that this conversation took place?

Requestor explicitly asks vendor CNA for an ID, vendor explicitly says
no or does not respond in a reasonable period of time, requestor has
email evidence to support this exchange?

 - Art


Page Last Updated or Reviewed: March 30, 2017