
Re: Should be a CVE?



On 2017-09-25 18:02, Skinner, Chad wrote:
> Art,
>       Should I assume silence as consent and re-submit with the
> changed wording?

That would be my recommendation.

 - Art


> -----Original Message-----
> From: Art Manion [mailto:amanion@cert.org]
> Sent: Monday, September 18, 2017 3:07 PM
> To: Coffin, Chris <ccoffin@mitre.org>; Waltermire, David A. (Fed)
> <david.waltermire@nist.gov>; Millar, Thomas
> <Thomas.Millar@hq.dhs.gov>; Kurt Seifried <kurt@seifried.org>; Kent
> Landfield <bitwatcher@gmail.com>
> Cc: cve-editorial-board-list
> <cve-editorial-board-list@lists.mitre.org>; Skinner, Chad
> <chad.skinner@intel.com>; Latif, Magid <magid.latif@intel.com>;
> Landfield, Kent B <kent.b.landfield@intel.com>; Kidby, Brian
> <brian.kidby@intel.com>
> Subject: Re: Should be a CVE?
>
> I had an offline conversation with Intel, posting the following on
> their behalf.
>
>
> There seem to have been some conversations regarding this CVE that
> look to be tied to my lack of mentioning "anti-rollback" bypass.
> I've updated the description to better add this, thoughts?
>
> [CVEID]: CVE-2017-5698
> [PRODUCT]: Intel® Active Management Technology, Intel® Standard
> Manageability, and Intel® Small Business Technology
> [VERSION]: version 11.0.25.3001 and 11.0.26.3000
> [PROBLEMTYPE]: Escalation of Privilege
> [REFERENCES]: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00082&languageid=en-fr
> [DESCRIPTION]: Intel® Active Management Technology, Intel® Standard
> Manageability, and Intel® Small Business Technology firmware versions
> 11.0.25.3001 and 11.0.26.3000 anti-rollback will not prevent
> upgrading to firmware version 11.6.x.1xxx which is vulnerable to
> CVE-2017-5689 and can be performed by a local user with
> administrative privileges.
>
> BTW - I used "escalation of privilege" due to the second CVE, can't
> figure out what to call it otherwise.
>
>
> My (Art's) take is that the anti-rollback feature has the
> vulnerability -- it fails at its stated security purpose.
>
> I don't know what the constraints on [PROBLEMTYPE] are at the moment,
> any valid CWE?
>
> Maybe CWE-837: Improper Enforcement of a Single, Unique Action?
>
> http://cwe.mitre.org/data/definitions/837.html
>
> Or leave blank if no good match?
>
>   - Art
>
> On 9/13/17 9:15 AM, Coffin, Chris wrote:
>>   * My ability to install/upgrade/downgrade to any software versions
>> does not get a CVE ID, even if what I'm moving to has known CVE IDs.
>>
>> Completely agree with Art on this. Based on the current information,
>> the "install/upgrade/downgrade to any software" issue is not a
>> vulnerability on its own and should not have a CVE ID assigned.
>>
>>   * Intel/MITRE should reject the new CVE and update the original.
>> Is this correct?
>>
>> Yes. I believe that this is the most appropriate way to handle the
>> situation. We will be reaching out to our Intel CNA contact for
>> additional information, unless Kent chimes in sooner. :)
>>
>> Chris C
>>
>> *From:*owner-cve-editorial-board-list@lists.mitre.org
>> [mailto:owner-cve-editorial-board-list@lists.mitre.org] *On Behalf
>> Of
>> *Waltermire, David A. (Fed)
>> *Sent:* Tuesday, September 12, 2017 5:32 PM
>> *To:* Millar, Thomas <Thomas.Millar@hq.dhs.gov>; Kurt Seifried
>> <kurt@seifried.org>; Art Manion <amanion@cert.org>
>> *Cc:* cve-editorial-board-list
>> <cve-editorial-board-list@lists.mitre.org>
>> *Subject:* RE: Should be a CVE?
>>
>> This makes sense. So if this is the case, Intel/MITRE should reject
>> the new CVE and update the original. Is this correct?
>>
>> Dave
>>
>> -------- Original Message --------
>> From: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov
>> <mailto:Thomas.Millar@hq.dhs.gov>>
>> Date: Tue, September 12, 2017 5:49 PM -0400
>> To: Kurt Seifried <kurt@seifried.org <mailto:kurt@seifried.org>>,
>> Art
>> Manion <amanion@cert.org <mailto:amanion@cert.org>>
>> CC: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov
>> <mailto:david.waltermire@nist.gov>>,
>> cve-editorial-board-list@lists.mitre.org
>> <mailto:cve-editorial-board-list@lists.mitre.org>
>> Subject: RE: Should be a CVE?
>>
>> It should probably be an update to the previous SA & CVE by Intel.
>> The two particular 3XXX firmware versions are not safe, despite what
>> the original advisory stated.
>>
>>
>>
>> Tom Millar, US-CERT
>>
>> Sent from +1-202-631-1915
>> https://www.us-cert.gov
>>
>> *From:*owner-cve-editorial-board-list@lists.mitre.org
>> <mailto:owner-cve-editorial-board-list@lists.mitre.org> on behalf of
>> Kurt Seifried
>> *Sent:* Tuesday, September 12, 2017 10:44:52 PM
>> *To:* Art Manion
>> *Cc:* Waltermire, David A. (Fed);
>> cve-editorial-board-list@lists.mitre.org
>> <mailto:cve-editorial-board-list@lists.mitre.org>
>> *Subject:* Re: Should be a CVE?
>>
>> I'm not clear, the CVE ID, was it assigned because people are NOT
>> supposed to be able to upgrade or something?
>>
>> By this logic every vendor would need a CVE ID for every software
>> package that can be updated to a version that has a flaw introduced
>> in a later version (so like uhh.. all of them basically).
>>
>> On Tue, Sep 12, 2017 at 2:01 PM, Art Manion <amanion@cert.org
>> <mailto:amanion@cert.org>> wrote:
>>
>>     On 2017-09-12 15:19, Waltermire, David A. (Fed) wrote:
>>      > Looking at the following, it appears that a CVE was issued
>> for the potential that someone might upgrade software to a
>> vulnerable version, which has another CVE. I don't think this should
>> qualify as a CVE, given the actual vulnerability already has one.
>>      >
>>      > https://cve.org/CVERecord?id=CVE-2017-5698
>>      >
>>      > Should this CVE be rejected?
>>
>>     I think it should be rejected.
>>
>>     Version A1 has vulnerability V1, version B1 has vulnerability
>> V2, V1 and V2 are documented (have CVE IDs), the ability to change
>> from V1 to V2 does not warrant a CVE ID.
>>
>>     My ability to install/upgrade/downgrade to any software versions
>> does not get a CVE ID, even if what I'm moving to has known CVE IDs.
>>
>>     Intel is welcome to release an advisory, upgrading and being
>> newly/differently vulnerable is unexpected, which goes to the core
>> of many vulnerability/security issues.  But no CVE ID.
>>
>>       - Art
>>
>>
>>
>> --
>>
>> Kurt Seifried
>> kurt@seifried.org <mailto:kurt@seifried.org>
>>
>


Page Last Updated or Reviewed: September 26, 2017