CVE Board Meeting summary - 17FEB2021


Jo E Bazar

Members of CVE Board in Attendance

Beverly Alvarez, AMD

Ken Armstrong, EWA-Canada, An Intertek Company

Tod Beardsley, Rapid7 

Chris Coffin, The MITRE Corporation (MITRE At-Large)

Jessica Colvin, JPMorgan Chase

Mark Cox, Red Hat, Inc.

William Cox, Synopsys, Inc.

Patrick Emsweller, Cisco Systems, Inc.

Jay Gazlay, Cybersecurity and Infrastructure Security Agency (CISA)

Tim Keanini, Cisco Systems, Inc.

Kent Landfield, McAfee

Scott Lawler, LP3

Art Manion, CERT/CC (Software Engineering Institute, Carnegie Mellon University)

Pascal Meunier, CERIAS/Purdue University

Ken Munro, Pen Test Partners LLP

Tom Millar, Cybersecurity and Infrastructure Security Agency (CISA)

Kathleen Noble, Intel Corporation

Lisa Olson, Microsoft

Shannon Sabens, CrowdStrike

Takayuki Uchiyama, Panasonic Corporation

David Waltermire, National Institute of Standards and Technology (NIST)

Ken Williams, Broadcom Inc.


Members of MITRE CVE Team in Attendance

Jo Bazar

Kris Britton

Christine Deal

Jonathan Evans

Chris Levendis

Agenda

09:00-09:05:     Introductions and Roll Call

09:05-10:35:     Open discussion items

10:35-10:55:     Review of action items (see attached Excel file)

10:55-11:00:     Wrap-up

New action items from today's Board Meeting

#        | Action Item | Responsible Party | Status | Comments
02.17.01 | Send poll to CVE Board Members about whether alternating meeting times are preferred. | Jo B. (MITRE) | Not Started | Assigned on 2/17/2021
02.17.02 | Secretariat will initiate a vote about deemphasizing the spelled-out acronym (Common Vulnerabilities and Exposures) within the CVE Program, moving towards just using CVE. | Jo B. (MITRE) | Not Started | Assigned on 2/17/2021
02.17.03 | Confirm that the trademark is for only CVE and excludes Common Vulnerabilities and Exposures (https://uspto.report/TM). | Jo B. (MITRE) | Completed | Trademark is only for CVE (not the spelled-out acronym): https://uspto.report/TM/88932726

See attached Excel spreadsheet for open action items from prior meetings (CVE Board Meeting 3Mar21 – Agenda and Action items)

Discussion Items

  • Working Group updates
  • AWG (Kris Britton, MITRE)
    • Record Submission and Upload Service (RSUS): Replace the GitHub submission service so that CNAs can submit CVE information directly to the database, without the need for manual review
      • Status [unchanged]
        • Requirements are being reviewed for accuracy and completeness
        • The API is posted on GitHub
      • Next milestone: When the requirements are reviewed and approved, a development schedule will be produced in the next week or so.
    • ID Reservation (IDR) Service update: The first wave of IDR credentials has been distributed successfully. To date, 59 CNAs (40%) have signed up for IDR, and 98 keys have been distributed. The second wave of credential distribution is underway.
  • QWG (David Waltermire, NIST)
    • Credit Guidelines
      • The QWG continued developing guidelines for including credits in a CVE Record
      • A CNA or ADP may credit a person, group, or organization in a CVE Record
      • CNAs must have the approval of the entity being credited unless the entity has a public article on the Internet that supports the credit
      • The credit text shall not include any text that violates the CVE code of conduct or content policies (e.g., foul language)
  • OCWG (Shannon Sabens, CrowdStrike)
    • Podcast Planning
      • The second podcast was recorded on February 16
      • Jo Bazar (MITRE) was moderator, and the focus of the podcast was MongoDB's internal processes for managing CVEs. The MongoDB team was Lena Smart, CISO (Chief Information Security Officer); Chris Sandulow, Deputy CISO; and Boris Sieklik, Director of Product Security
    • Research Working Group (RWG)
      • The kickoff meeting was held on February 16, and the group’s focus is on encouraging further researcher relationships, which is one of the CVE Board goals
      • The next step is to set up a meeting with OCWG members and select members from the research community to discuss this topic with a broader audience
  • SPWG (Kent Landfield, McAfee)
    • Continued discussions around defining the roles, responsibilities, and requirements for CNAs, CNAs of Last Resort, Root CNAs and Top-Level Root CNAs
      • Consensus was reached that the presentation is almost ready to move forward. A couple of changes were identified, and a soft copy of the presentation will be provided to the members for review and additional feedback. Discussion will continue at the next SPWG meeting.
    • Root Onboarding Guidance 
      • The root onboarding process is being finalized based on lessons learned from onboarding sessions with CISA-ICS and JP-CERT over the past few months
  • EU Open Tender
    • Kent explained that an open tender was published by ENISA.
    • ENISA aims to procure supporting services to take stock of existing policies and good practices on Coordinated Vulnerability Disclosure (CVD), in the EU Member States and outside the EU, and to take stock of the existing national, regional and global vulnerability registers and databases, together with the formats, metrics and procedures they use. The tender has two main objectives: 1) stocktaking of vulnerability disclosure policies and good practices in the EU, and 2) stocktaking of global, regional and national vulnerability databases and registers.
    • Kent is actively involved with this request and has attended a couple of meetings along with other cybersecurity efforts. Kent will provide updates to the Board as the effort moves forward.
  • Docker Container issue (continued) - Jonathan Evans (MITRE)
    • The group continued their discussion about the Docker container issue that was brought to MITRE's attention by Jerry Gamblin, who documented his complaints in a blog post: https://jerrygamblin.com/2020/12/17/cve-stuffing/
      1. Description of issue: Insecure default configuration for the admin password. The issue occurs because the base Docker image was configured incorrectly, and that base image is used by other people creating their own Docker images.
    • Jonathan presented the following three discussion points to the CVE Board.
      1. Should publicly distributed Docker images be considered products per the CNA Rules?
        • Issue:
          • The rules intentionally use the vague term “product” so that it can cover “standards, application programming interfaces (APIs), and protocols.”
          • Docker images are not explicitly enumerated but could fall within the term “product.”
        • Points of View Gathered to Date:
          • Yes, there is significant utility in doing so, if the affected virtual images can be identified accurately. For example, virtual images can include code not distributed by other means.
      2. Should insecure default configuration (e.g., default password for the admin user) be considered a vulnerability?
        • Issue:
          • Configurations are not flaws
          • Users can resolve the issue themselves
        • Points of View Gathered to Date:
          • Configuration errors are user error and should not be considered vulnerabilities.
          • Slippery slope: requires the assigner to determine what the security model is when there are often multiple interpretations.
          • For some products (e.g., Docker containers), users expect the product to be secure out of the box.
      3. Should inherited insecure defaults share the same CVE ID?
        • Issue:
          • It is not clear whether insecure defaults should be considered “code” for the purposes of 7.2.4a of the CNA Rules
          • 7.2.5a of the CNA Rules says that each instance should be given a separate ID because there is a secure method of using the functionality
        • Points of View Gathered to Date:
          • Containers should be treated like Linux distros: one CVE with a big list of affected products
          • Have multiple levels of assignment abstraction, with relationships between the records
          • The security models for the upstream and downstream products are different. What is a vulnerability in one may not be in the other, so they need separate IDs
          • Images (and SaaS?) have different security models than traditional software, so they should have their own exception in 7.2.5.
    • The group agreed that additional information was needed. MITRE will review current CVE ID assignments for default configurations and report findings to the Board.
  • Polling Results around CVE Program name
    • The group reviewed the CVE Program Name poll results. The poll was sent to the CNA Discussion list, and 70 CNAs responded. The poll included the following four questions:
      1. Without Googling, what does CVE stand for? 33% of those who answered thought "Enumeration" is in CVE.
      2. Do you care what CVE stands for? 20% of those who answered cared A LOT; the others did not care.
      3. What should CVE be named? 60% agreed the name should be something other than Exposures.
      4. What is the impact to your business of changing the CVE name? 70% said no impact and 9% said it would impact their business.
    • The group requested that the Secretariat initiate a vote about deemphasizing the whole name internally (within the CVE Program), moving towards just using CVE.

Board Decisions

N/A

Next CVE Board Meetings 

Open Discussion Items (to be discussed at future meetings)

See attached Excel spreadsheet (CVE Board Meeting 3Mar21 – Agenda and Action items)

CVE Board Recordings

  • The CVE Board meeting recording archives are in transition to a new platform. Once the new platform is ready, the Board recordings will be readily available to CVE Board Members. Until then, to obtain a recording of a CVE Board Meeting, please reach out to Jo Bazar ([hidden email]).

