Microsoft CNA assignment issues for April


Microsoft CNA assignment issues for April

jericho
All,

Microsoft has assigned a single CVE to cover "all April Adobe Flash
updates" apparently:

https://portal.msrc.microsoft.com/en-us/security-guidance/acknowledgments

    April Flash Security Update 2017-3447

Which links to
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-3447.

Further, there is a single ID to cover "defense-in-depth" updates for a
product:

    Defense-in-Depth Update for Microsoft Office 2017-2605

Which links to
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2605

I am fairly confident that 2017-3447 is not a proper assignment and does
not follow the CNA guidelines, about assigning IDs to another vendor's
products (and that vendor happens to be a CNA themselves). We've seen this
done in the past with Oracle as well.

I'd also be surprised if a single ID assignment for multiple
defense-in-depth enhancements meets the criteria of a CVE ID, since DiD
enhancements generally do not mean there is a crossing of privilege
boundaries, and therefore not vulnerabilities.

Could Microsoft and MITRE chime in on these please?

Brian

RE: Microsoft CNA assignment issues for April

Elizabeth Scott
There is an error on the page and we are working to resolve that as soon as possible.

Thanks,
  Elizabeth

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of jericho
Sent: Tuesday, April 11, 2017 11:35 AM
To: CVE Editorial Board <[hidden email]>
Subject: Microsoft CNA assignment issues for April
Importance: High


RE: Microsoft CNA assignment issues for April

jericho
Microsoft, any update?

RBS has received one customer support ticket asking about the 2017-3447
assignment, suggesting that we made a mistake. Obviously, I find that
offensive given that I was likely the first to point out Microsoft's
mistake in this assignment.

Between the 'rollup' assignment, Microsoft likely stepping on RedHat's
pool to assign the 2017-2605 ID, and entirely changing the way Microsoft
delivers advisory information, which made many of your customers
scramble... I believe it is pretty clear where the errors originate.

This is very clearly a big issue in the world of disclosure, specifically
related to CVE ID assignment. This has a real-world impact on multiple
companies, two that I am directly involved in, and a third via support
ticket. I am sure I will wake up to additional support tickets via one of
those roles, essentially asking the same question re: 2017-2605 and/or
2017-3447.

Brian


On Tue, 11 Apr 2017, Elizabeth Scott wrote:

: There is an error on the page and we are working to resolve that as soon as possible
:
: Thanks,
:   Elizabeth

Re: Microsoft CNA assignment issues for April

jericho
In reply to this post by jericho
MITRE,

Now that we've had a week to digest this, we have seen dozens of
mainstream news articles use 2017-3447 and 2017-2605 specifically as CVE
identifiers. Has MITRE determined if these are a collision, or if they can
and will be REJECTed in advance?

I exchanged several emails with MSRC last week about this, and it
concluded with them saying they would pass along my feedback and
suggestion to use a more distinct ID scheme. Hopefully, we'll see
something different for May.

Brian


Re: Microsoft CNA assignment issues for April

Adinolfi, Daniel R

I apologize for the delay in the update. I had it drafted, but I never hit send.

We confirmed that CVE-2017-3447 has not been assigned by Oracle. It has been rejected.

Microsoft has updated their Security Update Guide <https://portal.msrc.microsoft.com/> such that:

What was 2017-3347 is now ADV170005.

What was 2017-2605 is now ADV170004.

We haven't seen a response from the folks at Jenkins. But if Red Hat can please send us an update for the CVE entry for CVE-2017-2605 so we can publish it, we can add a note to that entry indicating the error to reduce further confusion.

Thanks.

-Dan


From: <[hidden email]> on behalf of jericho <[hidden email]>
Date: Wednesday, April 19, 2017 at 20:39
To: cve-editorial-board-list <[hidden email]>
Subject: Re: Microsoft CNA assignment issues for April
