Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue,  4 Nov 2014 04:39:09 -0500 (EST)
From: cve-assign@...re.org
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: strings / libbfd crasher

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Four of the main factors that affect libbfd CVE assignments are:

  1. existence of a "multi-session" use case
  2. discussion of exploitability of a specific attack vector
  3. likelihood of exploitability of classes of observed behavior
  4. actual or expected volume of distinct discoveries

We'll try to give an example of each of these.

1. existence of a "multi-session" use case

One situation in which libbfd code is executed is running the strings
program. We consider that a "single-session" use case. Unless
arbitrary code execution occurs, the principal impact of a crash is
that the strings program doesn't produce the desired output, and we
don't consider that to be within the scope of what "denial of service"
means. [Obviously there could be exceptions, e.g., the way in which
the libbfd code crashes causes especially severe resource consumption.
These exceptions are probably rare.]

If all known use cases for a library are single-session use cases,
then the existence of a crash is not sufficient for a CVE assignment.
Specifically, we would exclude any attack vector that is not thought
to lead to arbitrary code execution.

In the multi-session case, a "session" could be roughly defined as "a
persistent interface for interactive access to data from a single
source."

It's conceivable that libbfd code is incorporated into a multi-session
GUI malware forensics tool. For example, there could be a scenario in
which the malware analyst has 10 windows open, each showing a
carefully chosen point within one malware sample, along with
(possibly) data-entry windows containing analyst notes. Next, suppose
the analyst loads an 11th malware sample that triggers a libbfd bug.
Then, the entire forensics tool crashes, and all of the data and state
is irrecoverably lost (i.e., more than one "session" is abruptly
terminated). A denial of service has occurred, and ideally there would
be an associated CVE ID for that libbfd bug.

Currently, we don't happen to know of the existence of that type of a
multi-session program that relies on libbfd, and has that type of
outcome upon encountering a libbfd crash bug. If we did know of such a
program then, ideally, every crash bug would have an associated CVE
ID.

[They might not all have different CVE IDs. For example, we would
typically combine two observations that were both use-after-free
issues, affecting the same versions of GNU Binutils, and reported on
the same day by the same person.]


2. discussion of exploitability of a specific attack vector

This relates to what "is not thought to lead to arbitrary code
execution" means. If there's any credible statement about this type of
non-exploitability, then there typically isn't a CVE ID assignment.
Obviously, this is open to interpretation: a specific wording could be
used by one credible person to mean "writing an exploit is probably
impossible" and that same wording could be used by another credible
person to mean "it's possible to write an exploit program that
sometimes works, but it's prohibitively difficult to write a reliable
exploit program."


3. likelihood of exploitability of classes of observed behavior

Currently we think that the likelihood of exploitability is too low
for a libbfd NULL pointer dereference, and those cases are excluded
from CVE. We don't think that the likelihood of exploitability is
always too low for every libbfd out-of-bounds read. Either of these
could be revised based on better information about how libbfd
interacts with memory.


4. actual or expected volume of distinct discoveries

> From: Alexander Cherepanov <cherepan@...me.ru>
> Subject: Re: [oss-security] Re: strings / libbfd crasher
> Date: Mon, 03 Nov 2014 01:43:54 +0300

> Simple fuzzing of objdump with zzuf (not even afl) quickly gives out
> tens and hundreds of different cases of mentioned errors

Suppose there were hundreds of different cases: for example, 200
different people ran zzuf and found 200 unique ways to cause
out-of-bounds reads. Then, it would be unrealistic for us to provide
200 unique CVE IDs, even though that would match the currently
advertised per-discoverer level of abstraction for CVE. This does not
mean that any specific unanalyzed out-of-bounds read is ineligible for
a CVE ID: it just means that, as a practical matter, it is unlikely
that those 200 CVE IDs would ever be assigned.

In that situation, the level of abstraction of CVEs would probably be
reduced to the level of abstraction of vendor releases with fixes,
e,g., issues resolved in Binutils 2.26 would have a different CVE ID
than issues resolved in 2.27.

We're not able to offer a comprehensive set of guidelines such that,
even if there were an arbitrarily large number of findings satisfying
the guidelines, it is guaranteed that each finding would map to a CVE
ID that is anchored on the problem report rather than anchored on the
fix announcement.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUWJ02AAoJEKllVAevmvmseDEIALTyzs7kgLcf7Tc5kQS3ppNf
5w7iGJFmcWtP5N/LrEM0ZfPBtH4biT6VUo28ZbC4cX6zmZ0w9C3WvRGGDY+MCJHI
4wZefBjssqrXL0cyNape3YXjTwCEpXA7IOt0isX/38rUx5sLMsBUSrvdHlplnBtJ
v9zII+yvG0me53KUelNKWdqZaDCvFSL9qLtu+bptA8SPK9wYnRKYxsOZcq4UCqdW
/+bkZT4kUYVSw9slXdMw0vQucn0F2CjqjqYII/LAbeLVfiBwAKvzziImWwGSbwf8
xnC1kBlJhJTQAnRJtLN1eJwV05st3krr/a09ZwoHizQwQ/HpkDGCPV24VjVFbpc=
=3dwk
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.