Common Vulnerabilities and Exposures

Steve Christey

Margie Zuk

June 22, 2000

Context: The Vulnerability Life Cycle

CVE

Discovery

•Mailing lists, Newsgroups, Hacker sites

Analysis•Academic Study•Advisories

Protection

•Vulnerability Assessment Tools

Collection•Databases•Newsletters

Detection•Intrusion Detection Systems

IncidentHandling

•Incident Response Teams•Incident Reports

Start Here

A Roadblock to Information Sharing:Same Problem, Different Names

Organization Name

CERT CA-96.06.cgi_example_code

CyberSafe Network: HTTP ‘phf’ Attack

ISS http-cgi-phf

AXENT phf CGI allows remote command execution

Bugtraq PHF Attacks – Fun and games for the whole family

BindView #107 – cgi-phf

Cisco #3200 – WWW phf attack

IBM ERS Vulnerability in NCSA/Apache Example Code

CERIAS http_escshellcmd

L-3 #180 HTTP Server CGI example code compromises http server

The Implications

Difficult to correlate data across multiple organizations and tools

- E.g. IDS and assessment tools

- E.g. security tools and fix information

- Incident information Difficult to conduct a detailed comparison of tools or

databases

- Vulnerabilities are counted differently

- Which is more comprehensive?

Common Vulnerabilities and Exposures (CVE):One Common Language

Name Description

CVE-1999-0003ToolTalk (rpc.ttdbserverd) buffer

overflow

CVE-1999-0006 Buffer overflow in qpopper

CVE-1999-0067 Shell metacharacters in phf

CVE-1999-0344Windows NT debug-level access

bug (a.k.a. Sechole)

Lists all publicly known security problems Assigns unique identifier to each problem Remains independent of multiple perspectives Is publicly open and shareable Community-wide effort via the CVE Editorial Board

Addressing Common Misconceptions of CVE

Not a full-fledged vulnerability database

- Simplicity avoids competition, limits debate

- Intended for use by vulnerability database maintainers Not a taxonomy or classification scheme Focuses on vulnerabilities instead of attacks

- Does not cover activities such as port mapping Not just “vulnerabilities” in the classical sense

- Definitions of “vulnerability” vary greatly

- “Exposure” covers a broader notion of “vulnerability” Competing vendors are working together to adopt CVE

CVE Editorial Board

Members from 25 different organizations including researchers, tool vendors, response teams, and end users

Mostly technical representatives Review and approve CVE entries Discuss issues related to CVE maintenance Monthly meetings (face-to-face or phone) Publicly viewable mailing list archives

Active Editorial Board Members(as of June 19, 2000)

Tool VendorsDavid Balenson - NAIAndy Balinsky - CiscoScott Blake - BindViewAndre Frech - ISSKent Landfield - info-ops.comJim Magdych - NAIDavid Mann - BindViewCraig Ozancin - AXENTPaul E. Proctor - CyberSafeMike Prosser - SymantecMarcus Ranum - NFRSteve Schall - Intrusion.comTom Stracener - HiverworldBill Wall - HarrisKevin Ziese - Cisco

Academic/EducationalMatt Bishop - UC Davis Computer Security LabPascal Meunier - Purdue University CERIASAlan Paller - SANS InstituteGene Spafford - Purdue University CERIAS

MITREDave Baker, Steve Christey, Bill Hill

Other Security AnalystsSteve Northcutt - SANSAdam Shostack - Zero-Knowledge SystemsStuart Staniford - Silicon Defense

Response TeamsKen Armstrong - CanCERTBill Fithen - CERT Coordination CenterScott Lawler - DOD-CERT

Network SecurityEric Cole - Vista ITKelly Cooper - GTE Internetworking

Information ProvidersRuss Cooper - NTBugtraqElias Levy - Bugtraq, Security FocusRon Nguyen - Ernst and YoungKen Williams - eSecurityOnline.com

OS VendorsDavid LeBlanc - Microsoft Casper Dik - Sun

CVE Enables Detailed Product Comparisons

CVEName

ToolA

ToolB

DB1

DB2

HackerSite

CVE-XXXX-0001 X X X

CVE-XXXX-0002 X X X

CVE-XXXX-0003 X X

CVE-XXXX-0004 X X X X

Using CVE from Advisories to IDSes

Do my systemshave theseproblems?

Which toolstest for these

problems?Tool 1CVE-1CVE-2CVE-3

Tool 2

CVE-3CVE-4

Does my IDShave the

signatures?

IDS

CVE-1CVE-3CVE-4

I can’t detect exploitsof CVE-2 - how well

does Tool 1 check for it?

CVE-1CVE-2CVE-3CVE-4

PopularAttacks

Using CVE from Attacks to Incident Recovery

I detectedan attack on CVE-3.Did my assessment

say my systemhas the problem?

Tool 2

CVE-3CVE-4

Tool 1CVE-1CVE-2CVE-3

YES

Clean upClose the hole

Report theincident

Tell your assessment vendorGo to YES

NO

Don’t send an alarm

But the attack succeeded!

PublicDatabases

CVE-2CVE-3Advisories

CVE-1CVE-2CVE-3

CVE Compatibility

Ensures that a tool or database can “speak CVE” and correlate data with other CVE-compatible products

Requirements

- Find items by CVE name (CVE searchable)

- Include CVE name in output for each item (CVE output)

- Provide MITRE with database items that are not in CVE yet

- Good faith effort to keep mappings accurate 25 organizations have declared their intentions to make their

products CVE compatible

Organizations Working Toward CVE Compatibility

- Advanced Research Corp.

- Alliance Qualité Logiciel

- AXENT

- BindView

- CERIAS/Purdue University

- CERT

- Cisco

- CyberSafe

- Cyrano

- Ernst and Young

- Harris Corp.

- Hiverworld, Inc.

- Intrusion.com

- Internet Security Systems

- Nessus Project

- Network Associates

- Network Security Wizards

- NIST

- NTBugtraq

- SANS Institute

- Security Focus - Bugtraq

- Symantec (L-3)

- UC Davis

- White Hats

- World Wide Digital Security

* CVE already being used in a product=

*

*

**

**

*

*

***

***

Adding New Entries to CVE

Board member submits raw information to MITRE Submissions are grouped, refined, and proposed back to the Board as

candidates

- Form: CAN-YYYY-NNNN

- Strong likelihood of becoming CVE-YYYY-NNNN Not a guarantee

- Delicate balance between timeliness and accuracy Board reviews and votes on candidates

- Accept, modify, recast, reject, reviewing If approved, the candidate becomes a CVE entry Entry is included in a subsequent CVE version

- Published on CVE web site Entries may later be modified or deprecated

Stages of Security Information in CVE

Submissions•Raw information•Obtained from MITRE, Board members, and other data feeds•Combined and refined

Candidates•Placed in clusters•Proposed to Editorial Board•Accepted or rejected•Backmap tells submitters what candidates were assigned to their submissions

Entries•Added to CVE list•Submissions, candidates removed from the “pool”•Published in an official CVE version

…..…..

…..

…..

…..

…..

…..

…..

CAN-2000-0001

CAN-2000-0002

CAN-2000-0003

CVE-2000-0001

CVE-2000-0003

Back-map

<REJECTED>

Content Decisions Explicit guidelines for content of CVE entries

- Ensure consistency within CVE

- Provide “lessons learned” for researchers Three basic types

- Inclusion What goes into CVE? What doesn’t, and why? Example: weak encryption, bugs in beta code

- Level of Abstraction Example: default passwords, or multiple bugs in the same

application - one or many entries?

- Format Example: what goes into a CVE description?

Challenge: what to do with incomplete information?

The CVE Strategy

UnreviewedBugtraqs, Mailing lists, Hacker sites

Reviewed Advisories CERT, CIAC,Vendor advisories

Discovery

time

Policy

MethodologiesPurchasing RequirementsEducation

Scanners, Intrusion Detection, Vulnerability Databases

Products

2. Establish CVE at product level in order to...

3. … enable CVE to permeatethe policy level.

1. Inject Candidatenumbers into advisories

CVE Status as of June 2000

Latest CVE version: 20000602

- 700 entries 722 additional candidates being reviewed by Editorial Board Received vulnerability databases from 10 organizations

- Will help create more legacy candidates

- Processing 10,000 submissions (database items) May produce over 1000 additional candidates?

Candidate numbers used in 5 security advisories CVE names included in Top Internet Security Threats list Editorial Board discussing content decisions

- Affects ~300 candidates

Future Directions

Add more entries to CVE

- Goal: 1000 entries by September 2000

- Add entries for all 1999, 2000 advisories Add more candidates

- Goals: 1000 new candidates by September 2000 Cover 80% of items in each participating tool or database Use CVE identifiers in advisories, newsletters, etc. Use CVE in deeper product analysis Work with users and vendors to establish CVE as a de

facto standard

For More Information

http://cve.mitre.org