A Dictionary For Vulnerabilities

[InfoSec News <isn () c4i org>]

http://security.ziffdavis.com/article2/0,3973,1134336,00.asp

By Larry Seltzer 
June 23, 2003 

CVE gives users, vendors, and toolmakers a common vocabulary for
vulnerabilities. Unfortunately, the bad guys move quite a bit faster.

If you ever read security vulnerabilities you eventually run into a
notation looking like "CVE-2002-0947." This is a standard naming
convention for vulnerabilities called Common Vulnerabilities and
Exposures (CVE). CVE is administered by a company called Mitre, a
non-profit company that operates governmental research facilities and
other such cool things. In addition to hosting the CVE list, Mitre
acts as the editor for aspects of list development. But the most
important decisions are made by an editorial board with
representatives of security and software firms.

CVE is an important part of modern security efforts but it could be
more important. The main function of CVE is to provide
security-related programs a common naming set for vulnerabilities on
which they may operate. Security products, vulnerability scanners for
example, usually provide mappings to CVE names. For example, Netcraft
has a network vulnerability scanning service called Netcraft Network
Examination which provides mappings to CVE names for the
vulnerabilities it finds. The CVE site has a list of CVE-compatible
products, including an entry for Netcraft.
 
The CVE gets its initial reports from a variety of respectable
sources, including the SecurityFocus vulnerabilities list and the
Internet Security Systems monthly Security Alert Summary. These
sources are monitored by a group of Mitre analysts. When a new
vulnerability or exposure comes up it becomes a candidate for a CVE
entry and gets a CAN entry in the list, such as CAN-2003-9876.

What is an exposure as opposed to a vulnerability? A vulnerability is
a bug which results in a security problem; an exposure is a potential
security problem resulting from correct behavior. For example, many
operating systems and applications will come with default root/admin
passwords of "password" or just be blank. This is correct behavior,
but it's a potential source of trouble.

I can't figure out for sure from the CVE site how a candidate becomes
a candidate, and Mitre never got back to me. It looks like Mitre
analysts make these decisions on their own, which is perhaps the best
way to do it.

But the overly-formal structure of CVE keeps the data in the system
old, limiting the usefulness. It seems to take a while before
candidates are entered, and it can take months, seemingly ages, before
they formally enter the list. Consider the MS SQL Server Slammer worm:  
the vulnerability behind it is still listed as a candidate, although 3
members of the editorial board have voted to accept it. This is a very
old vulnerability.

In many ways the most recent vulnerabilities are the most important
ones, so if a vulnerability list is not reasonably up to date it's not
useful. CVE is pretty out of date. As a result, CVE-compatible
programs have to function without CVE names. In a sense this makes the
CVE names a redundant capability, but where they exist they do add to
the interoperability between security products of different vendors
and the ability of administrators to digest reports.

Unfortunately, the mapping of vulnerabilities between different tools
is not always very clean, even with CVE. Different tools address CVEs
differently; for instance, a vendor patch might address part of a CVE
or multiple CVEs. Testers might have to design one test for multiple
CVEs or multiple tests for one.

It's interesting to compare this with the informal naming system that
exists for viruses. Did you ever wonder how viruses get names like
"W32.Sobig.C@mm?" Part of it is a standard system showing the platform
and version, but the actual name part is created by researchers from
various vendors who exchange information with each other on mailing
lists as new outbreaks emerge. As with new elements and species,
usually the first researcher to find a virus gets to name it, usually
based on some string in or other characteristic of the virus. But if
Marconi and Tesla can simultaneously invent radio, surely it's
possible for two researchers to discover the same virus in the wild.  
Some have suggested that the antivirus industry needs a committee like
CVE to name viruses. I think the last thing we need is a way to slow
down virus research.

Security Supersite Editor Larry Seltzer has worked in and written
about the computer industry since 1983.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.