Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 29 Oct 2012 19:45:24 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com, seth.arnold@...onical.com
Subject: Re: Strange CVE situation (at least one ID should
 come of this)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/29/2012 04:01 PM, Seth Arnold wrote:
> On Mon, Oct 29, 2012 at 02:01:24PM -0600, Kurt Seifried wrote:
>> So the first question I have is:
>> 
>> Q1) Do we need to audit software to prove that it is vulnerable?
>> Or is a statistical model enough? e.g. for PHP based web plugins,
>> not
> 
> I can't argue against the statistical model though it does rather
> reduce the value of CVE as naming a specific vulnerability if they
> start getting assigned for "eww this smells". There may be one
> easily exploitable remote root flaw, there may be thousands of
> reliability and information disclosure flaws, but hiding them all
> under one "old and stinky" CVE doesn't feel like a significant
> improvement.

Right but the problem is people aren't going to audit these stinky old
softwares to find CVE's, it's just not worth it mostly (what's the
incentive?).

>> We can assign a CVE with a description along the lines of
>> "Software X has not been actively maintained since release Y on
>> date Z. Software X is comprised of some stuff and built in
>> language Z which is known to commonly result in security flaws
>> (possibly list what kind, e.g. XSS/buffer overflow, etc.)." Maybe
>> start with a generic cut off date of say 5 years, and start
>> listing stuff as people find/notice them. If a program ever comes
>> back into maintenance and release a new version then the old CVE
>> would be there as a warning, and moving forwards people would be
>> able to make a much more informed choice.
> 
> To turn this on its head: qmail is an MTA (historically trouble)
> written in C (historically trouble) and has not had a stable
> release in 14 years (going strictly by Wikipedia).
> 
> But I do not think qmail deserves a CVE simply by this basis.

Hence the model. You take things into account like what language was
used, what the software does, it's track record, and the person/team
writing it and so on. In this case DJB has a pretty good track record,
so statistically speaking qmail is on the safer side and probably
doesn't need a CVE anytime soon. This isn't simple "if release >=5
years assign cve=true" =).

>> In effect this would be a blacklist/greylist of software, and by
>> using CVE it would be able to piggy back on the existing CVE
>> ecosystem (no better word to use), e.g. scanners would pick up
>> the old versions and
> 
> I'll grant that the CVE ecosystem is large and potentially very
> powerful Force For Good, if deployed this way.
> 
> But when a consumer asks, "Is CVE-2013-F00F fixed?" and the answer
> is "one guy put together three releases the last two months, fixing
> one bug each", what _is_ the answer? "Yes" because there is a
> responsive maintainer? Or "No" because probability dictates there
> is likely more cruft yet to be found? Or "No" because two months is
> insufficient data to draw a conclusion?

1) I suspect we'll be assigning this to very dead software so I think
it's highly unlikely that any updates ever got shipped.
2) if it happens it's basically "fixed" by the new release. but again
I seriously doubt we'll run into this anytime soon.

>> I realize this looks a LOT like feature creep with respect to
>> CVE, but I think it falls into the definition of a vulnerability
>> closely enough that it makes sense/won't result in a huge mess. I
>> can of course see
> 
> I like the specificity of today's CVE.

Me too. But this is already being heavily eroded by firms like Oracle:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=unknown

The reality is we already have hundreds of CVE entries with absolutely
no significant details other than a product name and version and vague
terms as whether or not Confidentiality/Accessibility/Integrity might
be affected.

> I also think your idea has merit -- there is too much never-loved 
> software out there -- but I don't think CVE is the correct lever
> to attack it.

The problem is we have this ecosystem of CVE software from scanners
like Nessus to firms like iDefense/iSIGHT. Using CVE would quickly
give this old and problematic software problems high visibility, CVE is:

"International in scope and free for public use, CVE is a dictionary
of publicly known information security vulnerabilities and exposures."

> Thanks



- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQjzE0AAoJEBYNRVNeJnmTJgYQAKuzMgE0SzGasPfkkXl/hQ8o
+GJnYkHo7Tpuc6Hd+HdUOju36sV3CvTUY+eq0iIGgfgPq3IZq7ahfvSbD5UnXpA8
T8CggpKX3IJEA4KZkFyDnFgeReurVsCBUOu7Kj1/2ZDX5uigiBuqfr7LdcfxjXtI
ZAw7NrlDdyyGJveP0ZIjFCRCOlbzMnfcjFWJwUnRNTy198iaAm1P/MtsHuB90ofz
jPxBYe1Rk31o9MJ8BqaPzGoNVZER6wQQLVCvim/KRv5uwDQ7EMRaXnOFsND1RXzF
AucHf0L7RAhj/GlUd03uZeXyE2s7UNrHRCOqgRk6x/KBcQ48mDYVVB1a7K8bjEmx
f6ah/W4h67N5MIhZwqhKKe3tBw2zxoMNNosYPKGjs98UFW41nFPsrBdk1/19NNaT
zed0ltqeaaqSYeECgLZsfwxXGjnLcgXVMnmnSMf3K5+QEbkp8y6EzpXiCa5HwULA
UJIWEo3LdZemEtSwOpTBxoOw1IfPatrJ+nuAF9azKHVc8cuyFeht2t25BtJHJWx+
n3vjlwZenQPESS5xWaJhMyLA10Xskka0Or8tcpYiDNNRgYabGAlpwmpBI+ODld59
wQbZoGDHkKOHzUpIPa1tvbGsgsUjUZ9w17DlYPM9SxKEYCabK2jL7D+AIX2K7tRe
6PAygxkj8mJQ+mEit295
=s5+Q
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.