CVE-2017-7269 and abandonware


CVE-2017-7269 and abandonware

Art Manion
Who issued CVE-2017-7269 (IIS 6 WebDAV vulnerability)?

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7269

What are the assignment rules for abandonware (or unsupportedware)?

Is the vendor CNA primarily responsible, if one exists?

Next, is it up to a more generic CNA like MITRE, DWF, CERT/CC, JPCERT/CC?


 - Art

Re: CVE-2017-7269 and abandonware

Landfield, Kent B
From my perspective... I would like it to be the vendor CNA if one still exists.  If the vendor refuses or is no longer in business, then next up would be to go to a secondary CNA such as you list.

I would hope the vendor would want to issue that themselves even if the product is EOL.  There is concern in various circles that this type of acknowledgement from the vendor on an EOL’ed product could cause some liability on that vendor. Abandonware is going to become more and more of a problem with the new emerging device landscape.  Who owns the problems they create?

This is actually a great conversation for the Board to have.

---
Kent Landfield
+1.817.637.8026


RE: CVE-2017-7269 and abandonware

Coffin, Chris
I agree with Kent's perspective on this.

In this specific case, the discoverer contacted the CNA and received a case number. However, they were told that the unsupported/obsolete product was outside the scope of the CNA.

> What are the assignment rules for abandonware (or unsupportedware)?

As Kent mentioned, this would be a good Board discussion and we could drive to a specific CNA rule that covers this situation. Does anyone disagree with Kent's perspective?

> Is the vendor CNA primarily responsible, if one exists?

Yes. We should always give them the opportunity and redirect to them first if they exist. If they refuse, then a next available CNA could be contacted. One item for the Board discussion: as the backup CNA, how would we verify that this conversation took place?


Chris


Re: CVE-2017-7269 and abandonware

Kurt Seifried
I know for a fact we have Linux that is 10 years out of support (EoL) and still in use, and if there was a flaw specific to that (and not newer versions) I would still CVE it so at least people are aware of the flaw's existence. And like G.I. Joe says, "knowing is half the battle".

--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]

Re: CVE-2017-7269 and abandonware

Art Manion
On 2017-03-30 11:55, Kurt Seifried wrote:

> I know for a fact we have Linux that is 10 years out of support (EoL)
> and still in use, and if there was a flaw specific to that (and not
> newer versions) I would still CVE it so at least people are aware of the
> flaw's existence. And like G.I. Joe says, "knowing is half the battle".

Yes, cases like this should get CVE IDs.  My question was who assigns
them, so CNA rules/guidance.

> On Thu, Mar 30, 2017 at 8:48 AM, Coffin, Chris <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     I agree with Kent's perspective on this.

Me too.

>     In this specific case, the discoverer contacted the CNA and received
>     a case number. However, they were told that the unsupported/obsolete
>     product was outside the scope of the CNA.

So the vendor CNA did not issue an ID, then the MITRE CNA did?

>     > Is the vendor CNA primarily responsible, if one exists?
>
>     Yes. We should always give them the opportunity and redirect to them
>     first if they exist. If they refuse, then a next available CNA could
>     be contacted. One item for the Board discussion, as the backup CNA
>     how would we verify that this conversation took place.

Requestor explicitly asks vendor CNA for an ID, vendor explicitly says
no or does not respond in a reasonable period of time, requestor has
email evidence to support this exchange?

 - Art

RE: CVE-2017-7269 and abandonware

Coffin, Chris
> Yes, cases like this should get CVE IDs.  My question was who assigns them, so CNA rules/guidance.

Page 5 of the current CNA rules states:
"In cases where requests or issues cannot be resolved by a given CNA, the issues are escalated to the next higher level CNA."

We may want to provide examples of the kinds of issues that might cause escalations, but I think this would cover it.


> So the vendor CNA did not issue an ID, then the MITRE CNA did?

Yes.


> Requestor explicitly asks vendor CNA for an ID, vendor explicitly says no or does not respond in a reasonable period of time, requestor has email evidence to support this exchange?

This sounds reasonable to me, though I figured others might want to discuss this a bit further.


> And like G.I. Joe says "knowing is half the battle".

Still bummed I never got the aircraft carrier toy as a kid. :-)
http://www.yojoe.com/vehicles/85/ussflagg/


Chris