Upload
yoko-santana
View
39
Download
0
Embed Size (px)
DESCRIPTION
Common Vulnerabilities and Exposures. Steve Christey Margie Zuk June 22, 2000. CVE. Context: The Vulnerability Life Cycle. Mailing lists, Newsgroups, Hacker sites. Start Here. Discovery. Incident Response Teams Incident Reports. Academic Study Advisories. Incident Handling. Analysis. - PowerPoint PPT Presentation
Citation preview
Common Vulnerabilities and Exposures
Steve Christey
Margie Zuk
June 22, 2000
Context: The Vulnerability Life Cycle
CVE
Discovery
•Mailing lists, Newsgroups, Hacker sites
Analysis•Academic Study•Advisories
Protection
•Vulnerability Assessment Tools
Collection•Databases•Newsletters
Detection•Intrusion Detection Systems
IncidentHandling
•Incident Response Teams•Incident Reports
Start Here
A Roadblock to Information Sharing:Same Problem, Different Names
Organization Name
CERT CA-96.06.cgi_example_code
CyberSafe Network: HTTP ‘phf’ Attack
ISS http-cgi-phf
AXENT phf CGI allows remote command execution
Bugtraq PHF Attacks – Fun and games for the whole family
BindView #107 – cgi-phf
Cisco #3200 – WWW phf attack
IBM ERS Vulnerability in NCSA/Apache Example Code
CERIAS http_escshellcmd
L-3 #180 HTTP Server CGI example code compromises http server
The Implications
Difficult to correlate data across multiple organizations and tools
- E.g. IDS and assessment tools
- E.g. security tools and fix information
- Incident information Difficult to conduct a detailed comparison of tools or
databases
- Vulnerabilities are counted differently
- Which is more comprehensive?
Common Vulnerabilities and Exposures (CVE):One Common Language
Name Description
CVE-1999-0003ToolTalk (rpc.ttdbserverd) buffer
overflow
CVE-1999-0006 Buffer overflow in qpopper
CVE-1999-0067 Shell metacharacters in phf
CVE-1999-0344Windows NT debug-level access
bug (a.k.a. Sechole)
Lists all publicly known security problems Assigns unique identifier to each problem Remains independent of multiple perspectives Is publicly open and shareable Community-wide effort via the CVE Editorial Board
Addressing Common Misconceptions of CVE
Not a full-fledged vulnerability database
- Simplicity avoids competition, limits debate
- Intended for use by vulnerability database maintainers Not a taxonomy or classification scheme Focuses on vulnerabilities instead of attacks
- Does not cover activities such as port mapping Not just “vulnerabilities” in the classical sense
- Definitions of “vulnerability” vary greatly
- “Exposure” covers a broader notion of “vulnerability” Competing vendors are working together to adopt CVE
CVE Editorial Board
Members from 25 different organizations including researchers, tool vendors, response teams, and end users
Mostly technical representatives Review and approve CVE entries Discuss issues related to CVE maintenance Monthly meetings (face-to-face or phone) Publicly viewable mailing list archives
Active Editorial Board Members(as of June 19, 2000)
Tool VendorsDavid Balenson - NAIAndy Balinsky - CiscoScott Blake - BindViewAndre Frech - ISSKent Landfield - info-ops.comJim Magdych - NAIDavid Mann - BindViewCraig Ozancin - AXENTPaul E. Proctor - CyberSafeMike Prosser - SymantecMarcus Ranum - NFRSteve Schall - Intrusion.comTom Stracener - HiverworldBill Wall - HarrisKevin Ziese - Cisco
Academic/EducationalMatt Bishop - UC Davis Computer Security LabPascal Meunier - Purdue University CERIASAlan Paller - SANS InstituteGene Spafford - Purdue University CERIAS
MITREDave Baker, Steve Christey, Bill Hill
Other Security AnalystsSteve Northcutt - SANSAdam Shostack - Zero-Knowledge SystemsStuart Staniford - Silicon Defense
Response TeamsKen Armstrong - CanCERTBill Fithen - CERT Coordination CenterScott Lawler - DOD-CERT
Network SecurityEric Cole - Vista ITKelly Cooper - GTE Internetworking
Information ProvidersRuss Cooper - NTBugtraqElias Levy - Bugtraq, Security FocusRon Nguyen - Ernst and YoungKen Williams - eSecurityOnline.com
OS VendorsDavid LeBlanc - Microsoft Casper Dik - Sun
CVE Enables Detailed Product Comparisons
CVEName
ToolA
ToolB
DB1
DB2
HackerSite
CVE-XXXX-0001 X X X
CVE-XXXX-0002 X X X
CVE-XXXX-0003 X X
CVE-XXXX-0004 X X X X
Using CVE from Advisories to IDSes
Do my systemshave theseproblems?
Which toolstest for these
problems?Tool 1CVE-1CVE-2CVE-3
Tool 2
CVE-3CVE-4
Does my IDShave the
signatures?
IDS
CVE-1CVE-3CVE-4
I can’t detect exploitsof CVE-2 - how well
does Tool 1 check for it?
CVE-1CVE-2CVE-3CVE-4
PopularAttacks
Using CVE from Attacks to Incident Recovery
I detectedan attack on CVE-3.Did my assessment
say my systemhas the problem?
Tool 2
CVE-3CVE-4
Tool 1CVE-1CVE-2CVE-3
YES
Clean upClose the hole
Report theincident
Tell your assessment vendorGo to YES
NO
Don’t send an alarm
But the attack succeeded!
PublicDatabases
CVE-2CVE-3Advisories
CVE-1CVE-2CVE-3
CVE Compatibility
Ensures that a tool or database can “speak CVE” and correlate data with other CVE-compatible products
Requirements
- Find items by CVE name (CVE searchable)
- Include CVE name in output for each item (CVE output)
- Provide MITRE with database items that are not in CVE yet
- Good faith effort to keep mappings accurate 25 organizations have declared their intentions to make their
products CVE compatible
Organizations Working Toward CVE Compatibility
- Advanced Research Corp.
- Alliance Qualité Logiciel
- AXENT
- BindView
- CERIAS/Purdue University
- CERT
- Cisco
- CyberSafe
- Cyrano
- Ernst and Young
- Harris Corp.
- Hiverworld, Inc.
- Intrusion.com
- Internet Security Systems
- Nessus Project
- Network Associates
- Network Security Wizards
- NIST
- NTBugtraq
- SANS Institute
- Security Focus - Bugtraq
- Symantec (L-3)
- UC Davis
- White Hats
- World Wide Digital Security
* CVE already being used in a product=
*
*
**
**
*
*
***
***
Adding New Entries to CVE
Board member submits raw information to MITRE Submissions are grouped, refined, and proposed back to the Board as
candidates
- Form: CAN-YYYY-NNNN
- Strong likelihood of becoming CVE-YYYY-NNNN Not a guarantee
- Delicate balance between timeliness and accuracy Board reviews and votes on candidates
- Accept, modify, recast, reject, reviewing If approved, the candidate becomes a CVE entry Entry is included in a subsequent CVE version
- Published on CVE web site Entries may later be modified or deprecated
Stages of Security Information in CVE
Submissions•Raw information•Obtained from MITRE, Board members, and other data feeds•Combined and refined
Candidates•Placed in clusters•Proposed to Editorial Board•Accepted or rejected•Backmap tells submitters what candidates were assigned to their submissions
Entries•Added to CVE list•Submissions, candidates removed from the “pool”•Published in an official CVE version
…..…..
…..
…..
…..
…..
…..
…..
CAN-2000-0001
CAN-2000-0002
CAN-2000-0003
CVE-2000-0001
CVE-2000-0003
Back-map
<REJECTED>
Content Decisions Explicit guidelines for content of CVE entries
- Ensure consistency within CVE
- Provide “lessons learned” for researchers Three basic types
- Inclusion What goes into CVE? What doesn’t, and why? Example: weak encryption, bugs in beta code
- Level of Abstraction Example: default passwords, or multiple bugs in the same
application - one or many entries?
- Format Example: what goes into a CVE description?
Challenge: what to do with incomplete information?
The CVE Strategy
UnreviewedBugtraqs, Mailing lists, Hacker sites
Reviewed Advisories CERT, CIAC,Vendor advisories
Discovery
time
Policy
MethodologiesPurchasing RequirementsEducation
Scanners, Intrusion Detection, Vulnerability Databases
Products
2. Establish CVE at product level in order to...
3. … enable CVE to permeatethe policy level.
1. Inject Candidatenumbers into advisories
CVE Status as of June 2000
Latest CVE version: 20000602
- 700 entries 722 additional candidates being reviewed by Editorial Board Received vulnerability databases from 10 organizations
- Will help create more legacy candidates
- Processing 10,000 submissions (database items) May produce over 1000 additional candidates?
Candidate numbers used in 5 security advisories CVE names included in Top Internet Security Threats list Editorial Board discussing content decisions
- Affects ~300 candidates
Future Directions
Add more entries to CVE
- Goal: 1000 entries by September 2000
- Add entries for all 1999, 2000 advisories Add more candidates
- Goals: 1000 new candidates by September 2000 Cover 80% of items in each participating tool or database Use CVE identifiers in advisories, newsletters, etc. Use CVE in deeper product analysis Work with users and vendors to establish CVE as a de
facto standard
For More Information
http://cve.mitre.org