An overview of the problems with the CVE assignment process, and a call to arms for adoption of alternatives such as DWF.

1. CVE is logjammed, CNVD is
nearly as bad, and my heart
bleeds for the whole mess
David Jorm, console.to

2. Introduction: David Jorm
 Software engineer for many years
 Last 6 years focusing on security
 Managed Red Hat's Java middleware security team
 Now engineering manager for Console
 I love finding new 0day and popping shells!

3. Outline
 CVE purpose and history
 CVE assignment theory and practice
 MITRE's quality standards
 Alternatives
 Community takeover
 Named vulnerabilities, next steps

4. CVE purpose
 In the late 90s, there was no canonical identifier for
vulnerabilities
 Plethora of vendor-specific identifiers
 phf RCE (remember that?) was a good example of
the failure, with dozens of vendor identifiers
 CVE aims to address these problems with a single
common identifier format

5. MITRE corporation
 US non-profit handling various things for gov
 Manages the national institute for standards and
technology (NIST)
 National Cybersecurity FFRDC managed by MITRE
created and runs the CVE program
 Remind you of anything?

7. CVE history
 In 2003, 29 organizations and 43 products
 Today, >150 organizations and >300 products
 In 2002 CVE was mandated for use by US
government
 Format was CVE-YYYY-XXXX, not CVE-YYYY-XXXXX
to handle growth in assignments

8. CVE theory
 CNAs delegated the authority to assign CVE IDs for
their own products and allocated blocks of IDs
 MITRE acts as a catch-all CNA for other products
 Contact a CNA with sufficient details to prove you
have a real issue
 Use the assigned CVE when you publish details of
the vulnerbaility

9. CVE practice

10. CVE practice

11. CVE practice

12. CVE practice

13. CVE practice
http://davidjorm.blogspot.com.au/2015/07/101-ways-to-pwn-
phone.html

14. CVE practice

15. MITRE's quality standards
 Many people have highlighted difficulties and
endless delays getting CVEs assigned
 MITRE has no SLA, and must maintain high quality
 But never fear: “If anyone needs additional
confirmation that a request has indeed been
received and read, and that we are aware of it
remaining unanswered, sending directly to the cve-
assign@mitre.org address is the best option.”http://www.openwall.com/lists/oss-
security/2015/06/09/5
http://www.openwall.com/lists/oss-
security/2015/03/19/3

16. MITRE's quality standards
 “Hypercube is a graph visualization tool for drawing
DOT (graphviz), GML, GraphML, GXL and simple
text-based graph representations as SVG and EPS
images. It comes with a Qt-based GUI application
and a Qt-independent commandline tool.
Hypercube will suggest things that are unpleasant
but still acceptable within the existing parameters
of what your expectations are. Hypercube uses a
simulated reaming algorithm to lay out the graph,
http://www.openwall.com/lists/oss-
security/2014/03/25/4

17. MITRE's quality standards
Two day turnaround time!

18. Alternatives

19. Community takeover
 Kurt Seifried from Red Hat independently staged
the coup without me (reactionary!)
 Distributed weakness filing (DWF)
 Same basic system as CVE, but allows anyone to
become a naming authority
 Identifiers namespaced by authority, so no need to
elect a trust root

20. Community takeover
 Authorities now include HackerOne, NTPSec,
OpenSwitch, and CERT/CC
 Limited uptake, but promising model
 http://seclists.org/oss-sec/2016/q1/560

21. Named vulnerabilities
 Useful for a canonical identifier if nothing else
 Rkt Overloaded Flags Liability (ROFL):
http://davidjorm.blogspot.com.au/2015/05/auditin
g-go-applications-tls-hostname.html
 What about the Grandstream phone issue
mentioned earlier? Surely it deserves a name and a
logo

22. Named vulnerabilities
 Introducing pwhened (phwned.com)

23. Next steps
 Rally around a community effort
 Critical mass needed for real adoption
 I think DWF is a good effort to back
 Kurt is passionate and knows this problem space
well
 No more national standards as de-facto
international standards

24. Questions?
djorm@console.to | @djorm