Re: Re: CVE's for SSLv2 support

[Steve Grubb <sgrubb () redhat com>]

On Tuesday, March 01, 2016 09:16:05 PM Kurt Seifried wrote:
> On Tue, Mar 1, 2016 at 9:03 PM, Bob Beck <beck () openbsd org> wrote:
> > While you certainly won't see me defending SSLv2 (I think we were the
> > first to delete it outright)
> > there are many other things that currently fall into that category..
> > I'm agreeing with your sentiment
> > but if you are to consider usage of SSLv2 as CVE worthy, then you will
> > need to do the same for SSH version 1,
> > among other things.   So while I certainly appreciate and even agree
> > with your sentiment, it seems rather timed
> > politically based on a decision made by one implementaiton of SSL/TLS
> > that reflects a decision made by most other
> > implementations long ago.   So far from me to say what CVE's should
> > and shouldn't be used for and issued for, but
> > if this is the road we're going down can I please have permission to
> > use your above quoted paragraph
> > with s/SSLv2/SSH V1/g to request a CVE for *usage or support* of SSH
> > version 1? You said it perfectly.
>
> I would be totally fine with that, SSH protocol v1 is long overdue for
> "needs to be taken out back and shot along with whoever enabled it by
> default". From OpenSSH's sshd_config:
>
> # The default requires explicit activation of protocol 1
>
> I think that says it all.

I'm not entirely sure that CVE is the right vehicle to express the issue. 
Exploitation of this would be an attacker uses code to exploit a poor 
implementation or design problem. There are code weaknesses tracked by CWE, 
vulnerabilities in implementations tracked by CVE, and attacks tracked by 
CAPEC. They reference each other as follows CAPEC->CVE->CWE.

Maybe a CWE somewhere in this category is what you are after:
https://cwe.mitre.org/data/definitions/958.html

-Steve