AusCERT 2016: CVE and alternatives

Post on 23-Jan-2018


TRANSCRIPT

CVE is logjammed, CNVD is nearly as bad, and my heart bleeds for the whole mess

David Jorm, console.to

Introduction: David Jorm

Software engineer for many years
Last 6 years focusing on security
Managed Red Hat's Java middleware security team
Now engineering manager for Console
I love finding new 0day and popping shells!

Outline

CVE purpose and history
CVE assignment theory and practice
MITRE's quality standards
Alternatives
Community takeover
Named vulnerabilities, next steps

CVE purpose

In the late 90s there was no canonical identifier for vulnerabilities
Plethora of vendor-specific identifiers
phf RCE (remember that?) was a good example of the failure, with dozens of vendor identifiers
CVE aims to address these problems with a single common identifier format

MITRE corporation

US non-profit handling various things for government
Operates federally funded research and development centers (FFRDCs) for US agencies, including the National Cybersecurity FFRDC sponsored by the National Institute of Standards and Technology (NIST)
Created and runs the CVE program
Remind you of anything?

CVE history

In 2003, 29 organizations and 43 products
Today, >150 organizations and >300 products
In 2002 CVE was mandated for use by the US government
The original format was CVE-YYYY-XXXX, with a fixed four-digit sequence number; since 2014 the sequence number may be four or more digits (CVE-YYYY-XXXXX and longer) to handle growth in assignments
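As an added example, not part of the talk: a small Python parser for CVE identifiers that handles the 2014 syntax change described above. The pre-2014 regular expression assumed exactly four sequence digits, so a tool built on it reads the six-digit CVE-2014-100000 as CVE-2014-1000, a different identifier. The sample advisory text and the long sequence numbers in it are constructed here to exercise the syntax and are not taken from any real advisory (CVE-2014-0160 and CVE-2015-4000, Heartbleed and Logjam, are real IDs).

```python
import re

# Pre-2014 CVE syntax: exactly four sequence digits. A tool built on this
# pattern silently truncates longer sequence numbers issued after the change.
OLD_CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4})", re.IGNORECASE)

# Current syntax (in force since 1 January 2014): four-digit year, then a
# sequence number of at least four digits with no fixed upper bound. The
# trailing \b stops "CVE-2014-12345" from matching as "CVE-2014-1234".
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def parse_cve(text):
    """Return (year, sequence) for one well-formed CVE ID, or None if malformed."""
    m = CVE_RE.fullmatch(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def format_cve(year, sequence):
    """Canonical form: uppercase prefix, sequence zero-padded to at least four digits."""
    return f"CVE-{year:04d}-{sequence:04d}"


def find_cves(text):
    """Extract every CVE ID in free text, uppercased and de-duplicated in order of appearance."""
    found = []
    for year, seq in CVE_RE.findall(text):
        cve_id = f"CVE-{year}-{seq}"
        if cve_id not in found:
            found.append(cve_id)
    return found


def old_style_find(text):
    """The same extraction done with the pre-2014 pattern, to show the truncation hazard."""
    return [f"CVE-{year}-{seq}" for year, seq in OLD_CVE_RE.findall(text)]


# Constructed sample text. Heartbleed (CVE-2014-0160) and Logjam (CVE-2015-4000)
# are real IDs; the six-digit ones are made up purely to exercise the syntax.
ADVISORY = (
    "Fixed in 1.2.3: cve-2014-0160 (Heartbleed), CVE-2015-4000 (Logjam), "
    "CVE-2014-100000 and CVE-2016-999999. Ignore CVE-2016-12, which is malformed."
)

if __name__ == "__main__":
    print("current syntax:", find_cves(ADVISORY))
    print("pre-2014 regex: ", old_style_find(ADVISORY))
    print(parse_cve("CVE-2016-1000001"))
```

The point of `old_style_find` is the collision, not the rejection: a fixed-width pattern does not fail loudly on a long ID, it returns a valid-looking but wrong one, so any advisory matching, patch tracking or deduplication built on it quietly attributes the issue to another CVE.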

CVE theory

CNAs are delegated the authority to assign CVE IDs for their own products and allocated blocks of IDs
MITRE acts as a catch-all CNA for other products
Contact a CNA with sufficient details to prove you have a real issue
Use the assigned CVE when you publish details of the vulnerability

CVE practice

[Several slides of screenshots; images not included in the transcript]

http://davidjorm.blogspot.com.au/2015/07/101-ways-to-pwn-phone.html

MITRE's quality standards

Many people have highlighted difficulties and endless delays getting CVEs assigned
MITRE has no SLA, and must maintain high quality
But never fear: “If anyone needs additional confirmation that a request has indeed been received and read, and that we are aware of it remaining unanswered, sending directly to the cve-assign@mitre.org address is the best option.”

http://www.openwall.com/lists/oss-security/2015/06/09/5
http://www.openwall.com/lists/oss-security/2015/03/19/3

MITRE's quality standards

“Hypercube is a graph visualization tool for drawing DOT (graphviz), GML, GraphML, GXL and simple text-based graph representations as SVG and EPS images. It comes with a Qt-based GUI application and a Qt-independent commandline tool. Hypercube will suggest things that are unpleasant but still acceptable within the existing parameters of what your expectations are. Hypercube uses a simulated reaming algorithm to lay out the graph, which can be easily parameterized to achieve the

http://www.openwall.com/lists/oss-security/2014/03/25/4

MITRE's quality standards

Two day turnaround time!

Alternatives

Community takeover

Kurt Seifried from Red Hat independently staged the coup without me (reactionary!)
Distributed Weakness Filing (DWF)
Same basic system as CVE, but allows anyone to become a naming authority
Identifiers namespaced by authority, so no need to elect a trust root

Community takeover

Authorities now include HackerOne, NTPSec, OpenSwitch, and CERT/CC
Limited uptake, but promising model
http://seclists.org/oss-sec/2016/q1/560

Named vulnerabilities

Useful for a canonical identifier if nothing else
Rkt Overloaded Flags Liability (ROFL): http://davidjorm.blogspot.com.au/2015/05/auditing-go-applications-tls-hostname.html
What about the Grandstream phone issue mentioned earlier? Surely it deserves a name and a logo

Named vulnerabilities

Introducing phwned (phwned.com)

Next steps

Rally around a community effort
Critical mass needed for real adoption
I think DWF is a good effort to back
Kurt is passionate and knows this problem space well
No more national standards as de-facto international standards

Questions?

djorm@console.to | @djorm
