AusCERT 2016: CVE and alternatives
1. CVE is logjammed, CNVD is nearly as bad, and my heart bleeds for the whole mess
David Jorm, console.to
2. Introduction: David Jorm
Software engineer for many years
Last 6 years focusing on security
Managed Red Hat's Java middleware security team
Now engineering manager for Console
I love finding new 0day and popping shells!
3. Outline
CVE purpose and history
CVE assignment theory and practice
MITRE's quality standards
Alternatives
Community takeover
Named vulnerabilities, next steps
4. CVE purpose
In the late 90s, there was no canonical identifier for vulnerabilities
Plethora of vendor-specific identifiers
The phf RCE (the 1996 CGI script bug, remember that?) was a good example of the failure, with dozens of vendor identifiers for one issue
CVE aims to address these problems with a single common identifier format
5. MITRE corporation
US non-profit that operates federally funded research and development centres (FFRDCs) for the US government
Operates the National Cybersecurity FFRDC, which is sponsored by the National Institute of Standards and Technology (NIST); MITRE does not run NIST itself
MITRE created the CVE program in 1999 and still runs it, under sponsorship from the US Department of Homeland Security
Remind you of anything?
7. CVE history
In 2003, 29 organizations and 43 products
Today, >150 organizations and >300 products
In 2002 CVE was mandated for use by the US government
ID format was changed (effective 2014) from fixed four-digit CVE-YYYY-NNNN to a variable-length sequence number of at least four digits, so CVE-YYYY-NNNNN is now valid too, to handle growth in assignments
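The variable-length sequence number is the detail that trips up tooling. As an added example (not from the slides, and not MITRE's code), here is a small Python parser that extracts and validates CVE IDs correctly, beside the naive fixed-width pattern that silently truncates five-digit IDs, plus a sort key so IDs order numerically rather than lexically. The sample advisory text is constructed for the demonstration.

```python
import re

# Post-2014 syntax: four-digit year, then a sequence number of at least four
# digits with no upper bound. The \b anchors stop a longer token such as
# "CVE-2014-0160x" from matching.
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")

# The pre-2014 assumption hard-coded in a lot of tooling: exactly four digits.
NAIVE_CVE_ID_RE = re.compile(r"CVE-(\d{4})-(\d{4})")

# Constructed sample text for the demonstration (not a real advisory).
SAMPLE_TEXT = (
    "Fixed in this release: CVE-2014-0160 (Heartbleed), CVE-2015-4000 (Logjam) "
    "and CVE-2014-10001. Not IDs: CVE-14-0001, CVE-2014-123. "
    "See also CVE-2014-0160."
)


def extract_cve_ids(text: str) -> list[str]:
    """Return every well-formed CVE ID in text, in order of first appearance."""
    seen: set[str] = set()
    out: list[str] = []
    for year, seq in CVE_ID_RE.findall(text):
        cve_id = f"CVE-{year}-{seq}"
        if cve_id not in seen:
            seen.add(cve_id)
            out.append(cve_id)
    return out


def extract_cve_ids_naive(text: str) -> list[str]:
    """Buggy variant for contrast: keeps only the first four sequence digits,
    so CVE-2014-10001 comes out as CVE-2014-1000 with no error."""
    return [f"CVE-{year}-{seq}" for year, seq in NAIVE_CVE_ID_RE.findall(text)]


def is_valid_cve_id(candidate: str) -> bool:
    """True if candidate is exactly one well-formed CVE ID with nothing around it."""
    return CVE_ID_RE.fullmatch(candidate) is not None


def cve_sort_key(cve_id: str) -> tuple[int, int]:
    """Sort key that orders IDs numerically: CVE-2014-2000 before CVE-2014-10001.
    A plain string sort puts 10001 first because '1' < '2'."""
    m = CVE_ID_RE.fullmatch(cve_id)
    if m is None:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


if __name__ == "__main__":
    print("correct:", extract_cve_ids(SAMPLE_TEXT))
    print("naive:  ", extract_cve_ids_naive(SAMPLE_TEXT))
    print("sorted: ", sorted(["CVE-2014-10001", "CVE-2014-2000"], key=cve_sort_key))
```

The naive pattern is the one to grep for in your own tooling: it never raises, it just returns a different vulnerability's ID.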
8. CVE theory
CNAs (CVE Numbering Authorities) are delegated the authority to assign CVE IDs for their own products and are allocated blocks of IDs
MITRE acts as a catch-all CNA for other products
Contact a CNA with sufficient details to prove you have a real issue
Use the assigned CVE when you publish details of the vulnerability
15. MITRE's quality standards
Many people have highlighted difficulties and endless delays getting CVEs assigned
MITRE has no SLA, and must maintain high quality
But never fear: “If anyone needs additional confirmation that a request has indeed been received and read, and that we are aware of it remaining unanswered, sending directly to the cve-assign@mitre.org address is the best option.”
http://www.openwall.com/lists/oss-security/2015/06/09/5
http://www.openwall.com/lists/oss-security/2015/03/19/3
16. MITRE's quality standards
“Hypercube is a graph visualization tool for drawing DOT (graphviz), GML, GraphML, GXL and simple text-based graph representations as SVG and EPS images. It comes with a Qt-based GUI application and a Qt-independent commandline tool. Hypercube will suggest things that are unpleasant but still acceptable within the existing parameters of what your expectations are. Hypercube uses a simulated reaming algorithm to lay out the graph,
http://www.openwall.com/lists/oss-security/2014/03/25/4
19. Community takeover
Kurt Seifried from Red Hat independently staged the coup without me (reactionary!)
Distributed Weakness Filing (DWF)
Same basic system as CVE, but allows anyone to become a naming authority
Identifiers namespaced by authority, so no need to elect a trust root
20. Community takeover
Authorities now include HackerOne, NTPSec, OpenSwitch, and CERT/CC
Limited uptake, but promising model
http://seclists.org/oss-sec/2016/q1/560
21. Named vulnerabilities
Useful for a canonical identifier if nothing else
Rkt Overloaded Flags Liability (ROFL): http://davidjorm.blogspot.com.au/2015/05/auditing-go-applications-tls-hostname.html
What about the Grandstream phone issue mentioned earlier? Surely it deserves a name and a logo
23. Next steps
Rally around a community effort
Critical mass needed for real adoption
I think DWF is a good effort to back
Kurt is passionate and knows this problem space well
No more national standards as de-facto international standards