AusCERT 2016: CVE and alternatives
Transcript of AusCERT 2016: CVE and alternatives
CVE is logjammed, CNVD is nearly as bad, and my heart bleeds for the whole mess
David Jorm, console.to
Introduction: David Jorm
- Software engineer for many years
- Last 6 years focusing on security
- Managed Red Hat's Java middleware security team
- Now engineering manager for Console
- I love finding new 0day and popping shells!
Outline
- CVE purpose and history
- CVE assignment theory and practice
- MITRE's quality standards
- Alternatives
- Community takeover
- Named vulnerabilities, next steps
CVE purpose
- In the late 90s, there was no canonical identifier for vulnerabilities
- Plethora of vendor-specific identifiers
- phf RCE (remember that?) was a good example of the failure, with dozens of vendor identifiers
- CVE aims to address these problems with a single common identifier format
MITRE corporation
- US non-profit handling various things for gov
- Manages the National Institute of Standards and Technology (NIST) National Cybersecurity FFRDC
- MITRE created and runs the CVE program
- Remind you of anything?
CVE history
- In 2003, 29 organizations and 43 products
- Today, >150 organizations and >300 products
- In 2002 CVE was mandated for use by US government
- Format was CVE-YYYY-XXXX, now CVE-YYYY-XXXXX to handle growth in assignments
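One consequence of the syntax change just described, as an added example that is not part of the talk: tooling hard-coded against the old four-digit pattern silently truncates longer IDs, and plain string sorting misorders them. The CVE IDs in the sample text are constructed placeholders, not real assignments.

```python
import re

# Pattern from the pre-2014 era that many tools hard-coded: exactly four sequence digits.
LEGACY_CVE_RE = re.compile(r"CVE-\d{4}-\d{4}")

# Current syntax: four-digit year, then four OR MORE sequence digits, with no upper bound.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")

# Constructed sample text; the IDs are placeholders (year 2099), not real assignments.
SAMPLE_ADVISORY = (
    "This release fixes CVE-2099-0001 and CVE-2099-12345; "
    "see also cve-2099-9999 (lowercase is not a valid ID)."
)


def extract_legacy(text: str) -> list[str]:
    """Extraction with the old pattern: a five-digit ID is cut down to a wrong four-digit one."""
    return LEGACY_CVE_RE.findall(text)


def extract_cves(text: str) -> list[str]:
    """Extraction with the current syntax: every ID is kept whole."""
    return [m.group(0) for m in CVE_RE.finditer(text)]


def parse_cve(cve_id: str) -> tuple[int, int]:
    """Split a well-formed ID into (year, sequence) so IDs compare numerically."""
    m = CVE_RE.fullmatch(cve_id)
    if m is None:
        raise ValueError(f"not a valid CVE ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def sort_cves(ids: list[str]) -> list[str]:
    """Order IDs numerically; sorted(ids) alone would put CVE-2099-12345 before CVE-2099-9999."""
    return sorted(ids, key=parse_cve)


if __name__ == "__main__":
    print("legacy :", extract_legacy(SAMPLE_ADVISORY))
    print("current:", extract_cves(SAMPLE_ADVISORY))
    print("sorted :", sort_cves(extract_cves(SAMPLE_ADVISORY)))
```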
CVE theory
- CNAs delegated the authority to assign CVE IDs for their own products and allocated blocks of IDs
- MITRE acts as a catch-all CNA for other products
- Contact a CNA with sufficient details to prove you have a real issue
- Use the assigned CVE when you publish details of the vulnerability
CVE practice
http://davidjorm.blogspot.com.au/2015/07/101-ways-to-pwn-phone.html
MITRE's quality standards
- Many people have highlighted difficulties and endless delays getting CVEs assigned
- MITRE has no SLA, and must maintain high quality
- But never fear: “If anyone needs additional confirmation that a request has indeed been received and read, and that we are aware of it remaining unanswered, sending directly to the [email protected] address is the best option.”
http://www.openwall.com/lists/oss-security/2015/06/09/5
http://www.openwall.com/lists/oss-security/2015/03/19/3
MITRE's quality standards
“Hypercube is a graph visualization tool for drawing DOT (graphviz), GML, GraphML, GXL and simple text-based graph representations as SVG and EPS images. It comes with a Qt-based GUI application and a Qt-independent commandline tool. Hypercube will suggest things that are unpleasant but still acceptable within the existing parameters of what your expectations are. Hypercube uses a simulated reaming algorithm to lay out the graph, which can be easily parameterized to achieve the
http://www.openwall.com/lists/oss-security/2014/03/25/4
MITRE's quality standards
Two day turnaround time!
Alternatives
Community takeover
- Kurt Seifried from Red Hat independently staged the coup without me (reactionary!)
- Distributed weakness filing (DWF)
- Same basic system as CVE, but allows anyone to become a naming authority
- Identifiers namespaced by authority, so no need to elect a trust root
Community takeover
- Authorities now include HackerOne, NTPSec, OpenSwitch, and CERT/CC
- Limited uptake, but promising model
http://seclists.org/oss-sec/2016/q1/560
Named vulnerabilities
- Useful for a canonical identifier if nothing else
- Rkt Overloaded Flags Liability (ROFL): http://davidjorm.blogspot.com.au/2015/05/auditing-go-applications-tls-hostname.html
- What about the Grandstream phone issue mentioned earlier? Surely it deserves a name and a logo
Named vulnerabilities Introducing pwhened (phwned.com)
Next steps
- Rally around a community effort
- Critical mass needed for real adoption
- I think DWF is a good effort to back
- Kurt is passionate and knows this problem space well
- No more national standards as de-facto international standards
Questions?
[email protected] | @djorm