[ Date Prev ][ Date Next ][ Thread Prev ][ Thread Next ][ Date Index ][ Thread Index ]

RE: Should be a CVE?

To : "Waltermire, David A. (Fed)" < david.waltermire@nist.gov >, "Millar, Thomas" < Thomas.Millar@hq.dhs.gov >, Kurt Seifried < kurt@seifried.org >, Art Manion < amanion@cert.org >, Kent Landfield < bitwatcher@gmail.com >
Subject : RE: Should be a CVE?
From : "Coffin, Chris" < ccoffin@mitre.org >
Date : Wed, 13 Sep 2017 13:15:38 +0000
Accept-language : en-US
Authentication-results : spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=mitre.org;
Cc : cve-editorial-board-list < cve-editorial-board-list@lists.mitre.org >
Delivery-date : Wed Sep 13 09:37:29 2017
In-reply-to : < dk3ixt85odid5m994b4viu7b.1505255500279@email.android.com >
List-help : < mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST >
List-owner : < mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG >
List-subscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG >
List-unsubscribe : < mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG >
References : < CY4PR09MB14953DFC3F3EB1910B66DEDCF0690@CY4PR09MB1495.namprd09.prod.outlook.com > < 88597820-8f62-2437-521c-8bcc87041cac@cert.org >,<CABqVa39fj0BY8CMnv0GnZvGOuu=Ad+f_KmD159SQK8=Y5uV7YQ@mail.gmail.com>,<7748E4BAEC3B964387F3535351DCBA1F01153DCF9C@D2ASEPREA010> < dk3ixt85odid5m994b4viu7b.1505255500279@email.android.com >
Sender : < owner-cve-editorial-board-list@lists.mitre.org >
Spamdiagnosticmetadata : 5952c28dcc454f0789fb433d26f936ef
Spamdiagnosticoutput : 1:2
Thread-index : AdMr+xKdVI7ZMURKTvWrOLZub/VO9AABsnmAAAOgMQAAAChigAABemjRAB5yOHA=
Thread-topic : Should be a CVE?

My ability to install/upgrade/downgrade to any software versions does not get a CVE ID, even if what I'm moving to has known CVD IDs.

Completely agree with Art on this. Based on the current information, the “install/upgrade/downgrade to any software” issue is not a vulnerability on its own and should not have a CVE ID assigned.

Intel/MITRE should reject the new CVE and update the original. Is this correct?

Yes. I believe that this is the most appropriate way to handle the situation. We will be reaching out to our Intel CNA contact for additional information, unless Kent chimes in sooner. J

Chris C

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Waltermire, David A. (Fed)
Sent: Tuesday, September 12, 2017 5:32 PM
To: Millar, Thomas <Thomas.Millar@hq.dhs.gov>; Kurt Seifried <kurt@seifried.org>; Art Manion <amanion@cert.org>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: Should be a CVE?

This makes sense. So if this is the case, Intel/MITRE should reject the new CVE and update the original. Is this correct?

Dave

-------- Original Message --------
From: "Millar, Thomas" < Thomas.Millar@hq.dhs.gov >
Date: Tue, September 12, 2017 5:49 PM -0400
To: Kurt Seifried < kurt@seifried.org >, Art Manion < amanion@cert.org >
CC: "Waltermire, David A. (Fed)" < david.waltermire@nist.gov >, cve-editorial-board-list@lists.mitre.org
Subject: RE: Should be a CVE?

It should probably be an update to the previous SA & CVE by Intel. The two particular 3XXX firmware versions are not safe, despite what the original advisory stated.

Tom Millar, US-CERT

Sent from +1-202-631-1915
https://www.us-cert.gov

From: owner-cve-editorial-board-list@lists.mitre.org on behalf of Kurt Seifried
Sent: Tuesday, September 12, 2017 10:44:52 PM
To: Art Manion
Cc: Waltermire, David A. (Fed); cve-editorial-board-list@lists.mitre.org
Subject: Re: Should be a CVE?

I'm not clear, the CVE ID, was it assigned because people are NOT supposed to be able to upgrade or something?

By this logic every vendor would need a CVE ID for every software package that can be updated to a version that has a flaw introduced in a later version (so like uhh.. all of them basically).

On Tue, Sep 12, 2017 at 2:01 PM, Art Manion < amanion@cert.org > wrote:

On 2017-09-12 15:19, Waltermire, David A. (Fed) wrote:
> Looking at the following, it appears that a CVE was issued for the potential that someone might upgrade software to a vulnerable version, which has another CVE. I don't think this should qualify as a CVE, given the actual vulnerability already has one.
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5698
>
> Should this CVE be rejected?

I think it should be rejected.

Version A1 has vulnerability V1, version B1 has vulnerability V2, V1 and V2 are documented (have CVE IDs), the ability to change from V1 to V2 does not warrant a CVE ID.

My ability to install/upgrade/downgrade to any software versions does not get a CVE ID, even if what I'm moving to has known CVD IDs.

Intel is welcome to release an advisory, upgrading and being newly/differently vulnerable is unexpected, which goes to the core of many vulnerability/security issues. But no CVE ID.

- Art

Kurt Seifried
kurt@seifried.org

Follow-Ups :
- Re: Should be a CVE?
  - From: Art Manion <amanion@cert.org>

References :
- Should be a CVE?
  - From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
- Re: Should be a CVE?
  - From: Art Manion <amanion@cert.org>
- Re: Should be a CVE?
  - From: Kurt Seifried <kurt@seifried.org>
- RE: Should be a CVE?
  - From: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
- RE: Should be a CVE?
  - From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>

Prev by Date: RE: Should be a CVE?
Next by Date: Required information for CVE entry submissions
Previous by thread: RE: Should be a CVE?
Next by thread: Re: Should be a CVE?
Index(es):
- Date
- Thread