The Development of a Common Vulnerability
Enumeration Vulnerabilities and Exposures List
Steven M. Christey
David W. Baker
William H. Hill
David E. Mann
The MITRE Corporation
Outline
- Description
- Examples
- Applications to IDS
- Activities
- Editorial Board
What is the CVE (Common Vulnerabilities and Exposures List)?
A list of common information systems security problems (but CISSP was taken)
Vulnerabilities
- Problems that are universally thought of as “vulnerabilities” in any security policy
- Software flaws that could directly allow serious damage
- phf, ToolTalk, Smurf, rpc.cmsd, etc.
Exposures
- Problems that are sometimes thought of as “vulnerabilities” in some security policies
- Stepping stones for a successful attack
- Running finger, poor logging practices, etc.
CVE Goals
- Enumerate all publicly known problems
- Assign a standard, unique name to each problem
- Exist independently of multiple perspectives
- Be publicly open and shareable, without distribution restrictions
Why the CVE?
Provide common language for referring to problems
Facilitate data sharing between
- IDSes
- Assessment tools
- Vulnerability databases
- Academic research
- Incident response teams
Foster better communication across the community
Get better tools that interoperate across multiple vendors
Sample CVE Entries
Name           Description
CVE-1999-0003  ToolTalk (rpc.ttdbserverd) buffer overflow
CVE-1999-0006  Buffer overflow in qpopper
CVE-1999-0067  Shell metacharacters in phf
CVE-1999-0344  Windows NT debug-level access bug (a.k.a. Sechole)
Sample CVE Mapping
CVE Name       Tool A  Tool B  DB1  DB2  Hacker Site
CVE-XXXX-0001 X X X
CVE-XXXX-0002 X X X
CVE-XXXX-0003 X X
CVE-XXXX-0004 X X X X
CVE for IDS
Standard name for vulnerability-related attacks
Interoperability
- Multi-vendor compatibility
- Correlate with assessment tool results to reduce false positives
- Share incident data
Consistency of reports
IDS comparisons
- Accuracy, coverage, performance
Common attack list
DARPA CIDF and IETF IDWG
CVE from Vulnerability Assessment to IDS
Diagram text:
"Do my systems have these problems?" / "Which tools test for these problems?"
- Tool 1 checks: CVE-1, CVE-2, CVE-3
- Tool 2 checks: CVE-3, CVE-4
"Does my IDS have the signatures?"
- IDS signatures: CVE-1, CVE-3, CVE-4
"I can't detect exploits of CVE-2 - how well does Tool 1 check for it?"
Popular attacks: CVE-1, CVE-2, CVE-3, CVE-4
CVE from Attacks to Incident Recovery
Diagram text:
"I detected an attack on CVE-3. Did my assessment say my system has the problem?"
- Tool 1 checks: CVE-1, CVE-2, CVE-3
- Tool 2 checks: CVE-3, CVE-4
- Public databases: CVE-2, CVE-3
- Advisories: CVE-1, CVE-2, CVE-3
YES: Clean up, close the hole, report the incident, tell your vendor
NO: Don't send an alarm
- "But the attack succeeded!" - go to YES
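As an added example (not from the slides or from MITRE), the correlation the two diagrams describe, in Python: tool coverage, IDS signatures and assessment findings are constructed sample data, and the CVE-1999-000x names stand in for the slides' CVE-1 to CVE-4 placeholders.

```python
import re

# Validated CVE names and candidate CAN names share one syntax (four-digit year,
# four-digit sequence in 1999; longer sequence numbers were permitted later).
NAME_RE = re.compile(r"^(CVE|CAN)-\d{4}-\d{4,}$")

def is_valid_name(name: str) -> bool:
    """True for a syntactically valid CVE or candidate (CAN) name."""
    return bool(NAME_RE.match(name))

# Constructed sample data modelled on the diagrams: which CVE names each
# assessment tool tests for, and which names the IDS has signatures for.
TOOL_COVERAGE = {
    "Tool 1": {"CVE-1999-0001", "CVE-1999-0002", "CVE-1999-0003"},
    "Tool 2": {"CVE-1999-0003", "CVE-1999-0004"},
}
IDS_SIGNATURES = {"CVE-1999-0001", "CVE-1999-0003", "CVE-1999-0004"}

def coverage_gaps(popular_attacks):
    """Names on the popular-attack list that no tool tests for, and names
    the IDS has no signature for (the 'I can't detect CVE-2' case)."""
    tested = set().union(*TOOL_COVERAGE.values())
    return {
        "untested": sorted(set(popular_attacks) - tested),
        "undetected": sorted(set(popular_attacks) - IDS_SIGNATURES),
    }

def triage_alert(cve, assessment_findings):
    """Decide what to do with an IDS alert on `cve`, given the latest assessment
    results (tool name -> set of CVE names reported on the host).
    Mirrors the YES/NO branch: alarm only when a tool that tests for the name
    reported it; otherwise suppress, or ask for review when nothing tests for it."""
    if not is_valid_name(cve):
        raise ValueError(f"not a CVE/CAN name: {cve}")
    testers = [t for t, names in TOOL_COVERAGE.items() if cve in names]
    if not testers:
        return "review: no assessment tool tests for this name"
    confirmed = [t for t in testers if cve in assessment_findings.get(t, set())]
    if confirmed:
        return f"alarm: {', '.join(confirmed)} reported the host as vulnerable"
    return "suppress: assessed and not vulnerable (re-check the tool if the attack succeeded)"
```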
CVE Timeline
“Towards a Common Enumeration of Vulnerabilities,” 2nd CERIAS Workshop on Vulnerability Databases (January 1999)
Initial creation of Draft CVE (Feb-April 1999)
- 663 vulnerabilities
- Data derived from security tools, hacker site, advisories
Formation of Editorial Board (April-May 1999)
Validation of Draft CVE (May-Sept 1999)
Creation of validation process (May-Sept 1999)
Discussion of high-level CVE content (July-Sept 1999)
Public release (Real Soon Now)
The CVE Editorial Board
Experts from more than 15 security-related organizations
- Researchers, security tool vendors, mailing list moderators, vulnerability database owners, response teams, system administrators, security analysts
Mailing list discussions
- Validation and voting for individual CVE entries
- High-level content decisions
Meetings
- Face-to-Face
- Teleconference
Membership on an as-needed or as-recommended basis
Bringing New Entries into the CVE
Assignment
- Candidate number CAN-1999-XXXX to distinguish from validated CVE entry
- Candidate Numbering Authority (CNA) reduces "noise"
Proposal
- Announcement and discussion
- Voting: Accept, Modify, Reject, Recast, Reviewing
Modification
Interim Decision
Final Decision
- CVE name(s) assigned if candidate is accepted
Publication