Concerns about CVE coverage shrinking - direct impact to researchers/companies


Concerns about CVE coverage shrinking - direct impact to researchers/companies

Kurt Seifried
So I've now heard from several security researchers that they are unable to get CVEs for issues that need CVEs (e.g. widely used hardware/software with flaws that have real world impacts and need to be properly tracked). This has definitely resulted in issues being publicized with no CVE, which then makes it much harder to track and deal with these issues.

I'm also worryingly hearing about people that may have given up asking for CVEs and publicizing their work at all, but of course I cannot easily confirm this as I don't have any access or insight into what [hidden email] is actually doing/who they are talking to.

I finally was able to get a researcher willing to "go on the record" as it were, with thanks to Hanno Böck for stepping up. 

My main concern is this: if this tiered coverage (https://cve.mitre.org/cve/data_sources_product_coverage.html) is the new way forward, we will have significantly less CVE coverage at a time where security issues are literally exploding and becoming much more of a problem, leading to a situation where I fear that CVE will not be as useful anymore. As CVE is the cornerstone of our industry for identifying vulnerabilities and making it much easier to track and search for them, I think it's critical that we re-examine this tiered coverage policy that Mitre arbitrarily decided to enact (there was a brief discussion at https://cve.mitre.org/data/board/archives/2016-01/msg00015.html with some concerns raised and not really addressed).


---------- Forwarded message ----------
From: Hanno Böck <[hidden email]>
Date: Fri, Mar 4, 2016 at 10:35 AM
Subject: Fw: CVE request: nonce reuse in GCM implementation of Radware Load balancers
To: Kurt Seifried <[hidden email]>


This was the issue I requested a CVE for:
https://kb.radware.com/Questions/SecurityAdvisory/Public/Security-Advisory-Explicit-Initialization-Vector-f

(And currently I'd appreciate it if you don't make a big buzz out of this
issue, because we're preparing a paper on it by the end of March where
we'll disclose a bunch of similar issues)

Begin forwarded message:

Date: Thu, 11 Feb 2016 02:58:06 +0000
From: CVE ID Requests <[hidden email]>
To: Hanno Böck <[hidden email]>
Cc: CVE ID Requests <[hidden email]>
Subject: RE: CVE request: nonce reuse in GCM implementation of Radware
Load balancers


Thank you for your request.

Your request is outside the scope of CVE's published priorities. As
such, it will not be assigned a CVE-ID by MITRE or another CVE CNA at
this time.

CVE-ID assignments are made according to the priorities published at
http://cve.mitre.org/cve/data_sources_product_coverage.html. Processing
of CVE-ID requests for non-prioritized products can occur at any time,
but the CVE-ID assignments may be delayed.

If you feel that our assessment is in error, or that the product or
products in question should be included within the CVE published
priorities, please provide MITRE with your justification(s).

--
CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]


--
Hanno Böck
https://hboeck.de/

mail/jabber: [hidden email]
GPG: BBB51E42



--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]
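
The forwarded request above is for nonce reuse in a GCM implementation, but the thread never spells out what that buys an attacker. The example below is added here by the editor; it is not from the page, from Radware, or from any of the posters, and the key, nonces and messages in it are constructed demo values. GCM encrypts with AES in CTR mode, so two messages sealed under the same key and nonce share a keystream: an attacker who knows one plaintext recovers the other by XOR alone, with no key and no brute force. (Reusing a nonce also leaks the GHASH authentication key from the two tags, which lets the attacker forge messages; that part is described but not implemented here.) The block shows the broken caller-supplied-nonce pattern next to the fixed per-message random nonce pattern.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Constructed demo values (not from any real product): an AES-128 key and a
// 12-byte GCM nonce that the broken sender reuses for every message.
var (
	demoKey     = []byte("0123456789abcdef") // 16 bytes
	reusedNonce = []byte("fixed-nonce!")     // 12 bytes, never changes
	otherNonce  = []byte("other-nonce!")     // 12 bytes, a distinct nonce
)

const gcmTagLen = 16 // AES-GCM appends a 16-byte authentication tag

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealWithNonce is the unsafe pattern: the caller picks the nonce, and
// nothing stops it from using the same one twice under the same key.
func SealWithNonce(key, nonce, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// SealFresh is the corrected pattern: a random nonce per message, prepended
// to the ciphertext so the receiver can open it.
func SealFresh(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenFresh is the receiver side for SealFresh.
func OpenFresh(key, msg []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(msg) < n+gcmTagLen {
		return nil, fmt.Errorf("message too short")
	}
	return aead.Open(nil, msg[:n], msg[n:], nil)
}

func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// RecoverWithKnownPlaintext is the attacker's view. GCM's ciphertext body is
// keystream XOR plaintext, so ct1 XOR pt1 yields the keystream and
// keystream XOR ct2 yields pt2 (up to the length of the known plaintext).
// The trailing 16-byte tags are stripped first; no key is needed.
func RecoverWithKnownPlaintext(ct1, pt1, ct2 []byte) []byte {
	body1 := ct1[:len(ct1)-gcmTagLen]
	body2 := ct2[:len(ct2)-gcmTagLen]
	keystream := xorBytes(body1, pt1)
	return xorBytes(keystream, body2)
}

func main() {
	pt1 := []byte("transfer 100 EUR to account 42")
	pt2 := []byte("transfer 900 EUR to account 99")
	ct1, _ := SealWithNonce(demoKey, reusedNonce, pt1)
	ct2, _ := SealWithNonce(demoKey, reusedNonce, pt2)
	fmt.Printf("same nonce, recovered: %q\n", RecoverWithKnownPlaintext(ct1, pt1, ct2))
	ct3, _ := SealWithNonce(demoKey, otherNonce, pt2)
	fmt.Printf("distinct nonce, recovered: %q\n", RecoverWithKnownPlaintext(ct1, pt1, ct3))
}
```

The second Printf shows why this is a nonce problem rather than a key problem: the same key with a distinct nonce yields an unrelated keystream and the XOR trick returns garbage. A fixed or counter-based nonce is fine only if it is guaranteed never to repeat under a key, which is exactly what an "explicit IV" supplied by the caller does not guarantee.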


Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies

Art Manion
On 2016-03-04 13:24, Kurt Seifried wrote:
> So I've now heard from several security researchers that they are unable
> to get CVEs for issues that need CVEs (e.g. widely used
> hardware/software with flaws that have real world impacts and need to be
> properly tracked. This has definitely resulted in issues being
> publicized with no CVE that then makes it much harder to track and deal
> with these issues.

I think it's been said on this list previously -- these are two separate
activities:

1. Assigning IDs

2. Analysis, deconfliction, write-up

Binding these together results in delay, because #2 takes considerably
more calendar time and effort.  Another result is a limited but fairly
high quality set of entries (once #2 is complete).

I share Kurt's concern that CVE is not meeting a researcher/disclosure
use case of having IDs for vulnerabilities, and that the community will
at some point stop bothering with CVE.

I'm not sure how bad such an outcome would be, or what impact that would
have on CVE.

 - Art

RE: Concerns about CVE coverage shrinking - direct impact to researchers/companies

Mike Prosser
While it would have an impact for sure on our community, I think the biggest impact would be on customers, since CVEs have become a Vulnerability Name when calling support with concerns, rather than just a common tracking reference.

-Mike
Symantec Software Security Group


-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Art Manion
Sent: Friday, March 04, 2016 1:08 PM
To: Kurt Seifried <[hidden email]>; cve-editorial-board-list <[hidden email]>; oss-security <[hidden email]>
Subject: Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies

On 2016-03-04 13:24, Kurt Seifried wrote:
> So I've now heard from several security researchers that they are
> unable to get CVEs for issues that need CVEs (e.g. widely used
> hardware/software with flaws that have real world impacts and need to
> be properly tracked. This has definitely resulted in issues being
> publicized with no CVE that then makes it much harder to track and
> deal with these issues.

I think it's been said on this list previously -- these are two separate
activities:

1. Assigning IDs

2. Analysis, deconfliction, write-up

Binding these together results in delay, because #2 takes considerably more calendar time and effort.  Another result is a limited but fairly high quality set of entries (once #2 is complete).

I share Kurt's concern that CVE is not meeting a researcher/disclosure use case of having IDs for vulnerabilities, and that the community will at some point stop bothering with CVE.

I'm not sure how bad such an outcome would be, or what impact that would have on CVE.

 - Art