upcoming intel issue

classic Classic list List threaded Threaded
16 messages Options
Reply | Threaded
Open this post in threaded view
|

upcoming intel issue

Kurt Seifried-2
So the thing that's in the news, assuming it has CVEs, can we make sure they are populated to the CVE database asap, and if Intel does not do we have a plan B (e.g. MITRE writes them up?). 

Also in general I think we should probably figure out some guidelines for these high visibility issues, e.g. encourage the original CNA to get them into the database asap, and have a plan B in case they don't (e.g. MITRE or someone else with info writes them up? first come first served? trusted parties only? or?). 

--
Kurt Seifried
[hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: upcoming intel issue

Landfield, Kent

They are being done by Intel.  Publishing pending shortly.

 

On your second question, you have hit one of my sore points…  I am a vendor, Intel is a vendor, RedHat is a vendor.  I do not want ANYONE creating CVEs for my company’s issues except my PSIRT team.  Vendors need to be given the first opportunity and only if they officially have stated they are not going to issue an appropriate CVE in a clear and precise way, should anyone ever get in the way of their alerting their customers through an established advisory process.  There is NO first-come-first-served with an authorized CVE CNAs.  Period.

 

Thank you, Gracias, Grazie,  谢谢, Merci!, Спасибо!, Danke!ありがとうधन्यवाद!

 

-- 

Kent Landfield

+1.817.637.8026

[hidden email]

 

 

From: <[hidden email]> on behalf of Kurt Seifried <[hidden email]>
Date: Wednesday, January 3, 2018 at 2:01 PM
To: cve-editorial-board-list <[hidden email]>
Subject: upcoming intel issue

 

So the thing that's in the news, assuming it has CVEs, can we make sure they are populated to the CVE database asap, and if Intel does not do we have a plan B (e.g. MITRE writes them up?). 

 

Also in general I think we should probably figure out some guidelines for these high visibility issues, e.g. encourage the original CNA to get them into the database asap, and have a plan B in case they don't (e.g. MITRE or someone else with info writes them up? first come first served? trusted parties only? or?). 

 

--

Kurt Seifried
[hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: upcoming intel issue

Art Manion
In reply to this post by Kurt Seifried-2
On 1/3/18 3:00 PM, Kurt Seifried wrote:
> So the thing that's in the news, assuming it has CVEs, can we make sure they are populated to the CVE database asap, and if Intel does not do we have a plan B (e.g. MITRE writes them up?).
>
> Also in general I think we should probably figure out some guidelines for these high visibility issues, e.g. encourage the original CNA to get them into the database asap, and have a plan B in case they don't (e.g. MITRE or someone else with info writes them up? first come first served? trusted parties only? or?).

Indirectly related, I'd concede that this is a hardware vulnerability, even if patches are coming from operating system vendors.

  - Art
Reply | Threaded
Open this post in threaded view
|

Re: upcoming intel issue

jericho
In reply to this post by Landfield, Kent
On Wed, 3 Jan 2018, Landfield, Kent wrote:

: On your second question, you have hit one of my sore points?  I am a
: vendor, Intel is a vendor, RedHat is a vendor.  I do not want ANYONE
: creating CVEs for my company?s issues except my PSIRT team.  Vendors
: need to be given the first opportunity and only if they officially have
: stated they are not going to issue an appropriate CVE in a clear and
: precise way, should anyone ever get in the way of their alerting their
: customers through an established advisory process.  There is NO
: first-come-first-served with an authorized CVE CNAs.  Period.

First, I understand your point completely and appreciate it. Second,
devil's advocate:

The first 24 hours of news coverage had the same bit; "Intel has not
responded to our request for comment". The Wired article published about
half an hour ago is the first I have seen to quote someone from Intel.
Meanwhile, Apple already patched via workaround in macOS over a month ago,
Linux patches have been public for some time, etc. A single article I have
seen has given this vuln a name (Chipzilla), meaning the last 24+ hours
this has been "the Intel bug" to some, "the Linux Kernel vulnerability" to
others. Since CVE was designed in part to give a single unique identifier,
it's worth discussing if high-profile issues w/o public vendor / CNA
reference should use a different assignment process.

Thoughts?

Brian
Reply | Threaded
Open this post in threaded view
|

RE: upcoming intel issue

Millar, Thomas
It seems to me that it would help if the coordinators working across vendors to address this kind of issue would have an expectation of a reserved CVE.

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of jericho
Sent: Wednesday, January 3, 2018 16:57
To: Landfield, Kent <[hidden email]>
Cc: cve-editorial-board-list <[hidden email]>
Subject: Re: upcoming intel issue
Importance: High

On Wed, 3 Jan 2018, Landfield, Kent wrote:

: On your second question, you have hit one of my sore points?  I am a
: vendor, Intel is a vendor, RedHat is a vendor.  I do not want ANYONE
: creating CVEs for my company?s issues except my PSIRT team.  Vendors
: need to be given the first opportunity and only if they officially have
: stated they are not going to issue an appropriate CVE in a clear and
: precise way, should anyone ever get in the way of their alerting their
: customers through an established advisory process.  There is NO
: first-come-first-served with an authorized CVE CNAs.  Period.

First, I understand your point completely and appreciate it. Second, devil's advocate:

The first 24 hours of news coverage had the same bit; "Intel has not responded to our request for comment". The Wired article published about half an hour ago is the first I have seen to quote someone from Intel.
Meanwhile, Apple already patched via workaround in macOS over a month ago, Linux patches have been public for some time, etc. A single article I have seen has given this vuln a name (Chipzilla), meaning the last 24+ hours this has been "the Intel bug" to some, "the Linux Kernel vulnerability" to others. Since CVE was designed in part to give a single unique identifier, it's worth discussing if high-profile issues w/o public vendor / CNA reference should use a different assignment process.

Thoughts?

Brian
Reply | Threaded
Open this post in threaded view
|

Re: upcoming intel issue

Art Manion
In reply to this post by jericho
On 1/3/18 4:57 PM, jericho wrote:

> On Wed, 3 Jan 2018, Landfield, Kent wrote:
>
> : On your second question, you have hit one of my sore points?  I am a
> : vendor, Intel is a vendor, RedHat is a vendor.  I do not want ANYONE
> : creating CVEs for my company?s issues except my PSIRT team.  Vendors
> : need to be given the first opportunity and only if they officially have
> : stated they are not going to issue an appropriate CVE in a clear and
> : precise way, should anyone ever get in the way of their alerting their
> : customers through an established advisory process.  There is NO
> : first-come-first-served with an authorized CVE CNAs.  Period.
>
> First, I understand your point completely and appreciate it. Second,
> devil's advocate:
>
> The first 24 hours of news coverage had the same bit; "Intel has not
> responded to our request for comment". The Wired article published about
> half an hour ago is the first I have seen to quote someone from Intel.
> Meanwhile, Apple already patched via workaround in macOS over a month ago,
> Linux patches have been public for some time, etc. A single article I have
> seen has given this vuln a name (Chipzilla), meaning the last 24+ hours
> this has been "the Intel bug" to some, "the Linux Kernel vulnerability" to
> others. Since CVE was designed in part to give a single unique identifier,
> it's worth discussing if high-profile issues w/o public vendor / CNA
> reference should use a different assignment process.

Good discussion, but this is a tricky case.

There seem to be multiple attacks, one or more vulnerabilities, and different impacts depending on the hardware involved.

Yes, Intel (or any other vendor) should assign/populate CVE IDs for vendor-specific issues.

It's not clear that this is one (or more) Intel-specific issue.  My current understanding is that there is one "vulnerability" (some x86/x64 architectures map kernel address space in user space), a variety of side channel attacks, and the impact is considerably worse on some Intel CPUs (read kernel memory) than other CPUs (bypass KASLR).

So first, what is the vulnerability (or vulnerabilities) -- things that warrant a CVE ID, and second who is responsible for assigning IDs?

I don't immediately know the guidance for a truly non-vendor-specific issue.  DWF, or MITRE, or a coordinator like CERT/CC?

  - Art
Reply | Threaded
Open this post in threaded view
|

Re: upcoming intel issue

Art Manion
On 1/3/18 5:25 PM, Art Manion wrote:

> So first, what is the vulnerability (or vulnerabilities) -- things that warrant a CVE ID, and second who is responsible for assigning IDs?

https://meltdownattack.com/

CVE-2017-5715 CVE-2017-5753 CVE-2017-5754

Not immediately populated, so not sure what the distinctions are.

  - Art
Reply | Threaded
Open this post in threaded view
|

RE: upcoming intel issue

Millar, Thomas
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Art Manion
Sent: Wednesday, January 3, 2018 17:51
To: jericho <[hidden email]>; Landfield, Kent <[hidden email]>
Cc: cve-editorial-board-list <[hidden email]>
Subject: Re: upcoming intel issue

On 1/3/18 5:25 PM, Art Manion wrote:

> So first, what is the vulnerability (or vulnerabilities) -- things that warrant a CVE ID, and second who is responsible for assigning IDs?

https://meltdownattack.com/

CVE-2017-5715 CVE-2017-5753 CVE-2017-5754

Not immediately populated, so not sure what the distinctions are.

  - Art
Reply | Threaded
Open this post in threaded view
|

Re: upcoming intel issue

Kurt Seifried-2
So some challenges with this one:

1) it is multiple issues
2) it affects multiple vendors at the root cause level
2) it affects multiple vendors with workaround/fix (e.g.... all the OSs, sigh)

So yes it is correct to say that these 3 CVE's were from Intel's CNA and thus "owned" by Intel, but it's clear that literally every OS vendor on the planet that runs on x86 (and some others...) is going to need to deal with this, so from that perspective I think one could argue for more community "ownership" of the CVEs. 

I know this is a challenge the DWF faces (e.g. Linux Kernel, glibc, lots of projects that are used by literally everyone), the best way I can/could think of to fix this was the JSON format with per vendor/product statements so everyone can have their own cake on their own table as it were. 

I also know MITRE has poked me in past for high visibility CVEs, and I generally agree with this, so perhaps some guidelines should be created, e.g. around severity/popularity/impact (e.g. CVSS score of 9.0 or higher and more than 10 million affected instances should be high priority, or if it hits cnn.com AND the BBC AND Reuters... and if the original CNA doesn't get it in quickly some other CNA is allowed to). 





On Wed, Jan 3, 2018 at 4:17 PM, Millar, Thomas <[hidden email]> wrote:
https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Art Manion
Sent: Wednesday, January 3, 2018 17:51
To: jericho <[hidden email]>; Landfield, Kent <[hidden email]>
Cc: cve-editorial-board-list <[hidden email]>
Subject: Re: upcoming intel issue

On 1/3/18 5:25 PM, Art Manion wrote:

> So first, what is the vulnerability (or vulnerabilities) -- things that warrant a CVE ID, and second who is responsible for assigning IDs?

https://meltdownattack.com/

CVE-2017-5715 CVE-2017-5753 CVE-2017-5754

Not immediately populated, so not sure what the distinctions are.

  - Art



--
Kurt Seifried
[hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: upcoming intel issue

Coffin, Chris

Agree that this is worthy of a discussion, special handling, and probably some documented guidelines. One thought is that the CNA should identify issues that affect other vendors and notify/coordinate where appropriate, or at the very least contact their parent CNA so that they can share the reserved CVE ID and some limited bit of detail.

 

It used to be the case that MITRE handled issue like this once public, though we have moved away from that in the past few years.

 

Regards,

 

Chris

 

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Kurt Seifried
Sent: Wednesday, January 3, 2018 5:35 PM
To: Millar, Thomas <[hidden email]>
Cc: Art Manion <[hidden email]>; jericho <[hidden email]>; Landfield, Kent <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: Re: upcoming intel issue

 

So some challenges with this one:

 

1) it is multiple issues

2) it affects multiple vendors at the root cause level

2) it affects multiple vendors with workaround/fix (e.g.... all the OSs, sigh)

 

So yes it is correct to say that these 3 CVE's were from Intel's CNA and thus "owned" by Intel, but it's clear that literally every OS vendor on the planet that runs on x86 (and some others...) is going to need to deal with this, so from that perspective I think one could argue for more community "ownership" of the CVEs. 

 

I know this is a challenge the DWF faces (e.g. Linux Kernel, glibc, lots of projects that are used by literally everyone), the best way I can/could think of to fix this was the JSON format with per vendor/product statements so everyone can have their own cake on their own table as it were. 

 

I also know MITRE has poked me in past for high visibility CVEs, and I generally agree with this, so perhaps some guidelines should be created, e.g. around severity/popularity/impact (e.g. CVSS score of 9.0 or higher and more than 10 million affected instances should be high priority, or if it hits cnn.com AND the BBC AND Reuters... and if the original CNA doesn't get it in quickly some other CNA is allowed to). 

 

 

 

 

 

On Wed, Jan 3, 2018 at 4:17 PM, Millar, Thomas <[hidden email]> wrote:

https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Art Manion
Sent: Wednesday, January 3, 2018 17:51
To: jericho <[hidden email]>; Landfield, Kent <[hidden email]>
Cc: cve-editorial-board-list <[hidden email]>
Subject: Re: upcoming intel issue

On 1/3/18 5:25 PM, Art Manion wrote:

> So first, what is the vulnerability (or vulnerabilities) -- things that warrant a CVE ID, and second who is responsible for assigning IDs?

https://meltdownattack.com/

CVE-2017-5715 CVE-2017-5753 CVE-2017-5754

Not immediately populated, so not sure what the distinctions are.

  - Art



 

--

Kurt Seifried
[hidden email]

Reply | Threaded
Open this post in threaded view
|

RE: upcoming intel issue

Millar, Thomas
Yes to all that.



Tom Millar, US-CERT

Sent from +1-202-631-1915
https://www.us-cert.gov
 

From: Coffin, Chris
Sent: Wednesday, January 03, 2018 11:46:59 PM
To: Kurt Seifried; Millar, Thomas
Cc: Art Manion; Landfield, Kent; cve-editorial-board-list
Subject: RE: upcoming intel issue

Agree that this is worthy of a discussion, special handling, and probably some documented guidelines. One thought is that the CNA should identify issues that affect other vendors and notify/coordinate where appropriate, or at the very least contact their parent CNA so that they can share the reserved CVE ID and some limited bit of detail.

 

It used to be the case that MITRE handled issue like this once public, though we have moved away from that in the past few years.

 

Regards,

 

Chris

 

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Kurt Seifried
Sent: Wednesday, January 3, 2018 5:35 PM
To: Millar, Thomas <[hidden email]>
Cc: Art Manion <[hidden email]>; jericho <[hidden email]>; Landfield, Kent <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: Re: upcoming intel issue

 

So some challenges with this one:

 

1) it is multiple issues

2) it affects multiple vendors at the root cause level

2) it affects multiple vendors with workaround/fix (e.g.... all the OSs, sigh)

 

So yes it is correct to say that these 3 CVE's were from Intel's CNA and thus "owned" by Intel, but it's clear that literally every OS vendor on the planet that runs on x86 (and some others...) is going to need to deal with this, so from that perspective I think one could argue for more community "ownership" of the CVEs. 

 

I know this is a challenge the DWF faces (e.g. Linux Kernel, glibc, lots of projects that are used by literally everyone), the best way I can/could think of to fix this was the JSON format with per vendor/product statements so everyone can have their own cake on their own table as it were. 

 

I also know MITRE has poked me in past for high visibility CVEs, and I generally agree with this, so perhaps some guidelines should be created, e.g. around severity/popularity/impact (e.g. CVSS score of 9.0 or higher and more than 10 million affected instances should be high priority, or if it hits cnn.com AND the BBC AND Reuters... and if the original CNA doesn't get it in quickly some other CNA is allowed to). 

 

 

 

 

 

On Wed, Jan 3, 2018 at 4:17 PM, Millar, Thomas <[hidden email]> wrote:

https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of Art Manion
Sent: Wednesday, January 3, 2018 17:51
To: jericho <[hidden email]>; Landfield, Kent <[hidden email]>
Cc: cve-editorial-board-list <[hidden email]>
Subject: Re: upcoming intel issue

On 1/3/18 5:25 PM, Art Manion wrote:

> So first, what is the vulnerability (or vulnerabilities) -- things that warrant a CVE ID, and second who is responsible for assigning IDs?

https://meltdownattack.com/

CVE-2017-5715 CVE-2017-5753 CVE-2017-5754

Not immediately populated, so not sure what the distinctions are.

  - Art



 

--

Kurt Seifried
[hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: upcoming intel issue

Kurt Seifried
Just a note at least one of my emails got bounced by mcafee's system
as spam. Not sure if anyone else's system ate it.

On Wed, Jan 3, 2018 at 4:53 PM, Millar, Thomas <[hidden email]> wrote:

> Yes to all that.
>
>
>
> Tom Millar, US-CERT
>
> Sent from +1-202-631-1915
> https://www.us-cert.gov
>
> ________________________________
> From: Coffin, Chris
> Sent: Wednesday, January 03, 2018 11:46:59 PM
> To: Kurt Seifried; Millar, Thomas
> Cc: Art Manion; Landfield, Kent; cve-editorial-board-list
> Subject: RE: upcoming intel issue
>
> Agree that this is worthy of a discussion, special handling, and probably
> some documented guidelines. One thought is that the CNA should identify
> issues that affect other vendors and notify/coordinate where appropriate, or
> at the very least contact their parent CNA so that they can share the
> reserved CVE ID and some limited bit of detail.
>
>
>
> It used to be the case that MITRE handled issue like this once public,
> though we have moved away from that in the past few years.
>
>
>
> Regards,
>
>
>
> Chris
>
>
>
>
>
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Kurt
> Seifried
> Sent: Wednesday, January 3, 2018 5:35 PM
> To: Millar, Thomas <[hidden email]>
> Cc: Art Manion <[hidden email]>; jericho <[hidden email]>;
> Landfield, Kent <[hidden email]>; cve-editorial-board-list
> <[hidden email]>
> Subject: Re: upcoming intel issue
>
>
>
> So some challenges with this one:
>
>
>
> 1) it is multiple issues
>
> 2) it affects multiple vendors at the root cause level
>
> 2) it affects multiple vendors with workaround/fix (e.g.... all the OSs,
> sigh)
>
>
>
> So yes it is correct to say that these 3 CVE's were from Intel's CNA and
> thus "owned" by Intel, but it's clear that literally every OS vendor on the
> planet that runs on x86 (and some others...) is going to need to deal with
> this, so from that perspective I think one could argue for more community
> "ownership" of the CVEs.
>
>
>
> I know this is a challenge the DWF faces (e.g. Linux Kernel, glibc, lots of
> projects that are used by literally everyone), the best way I can/could
> think of to fix this was the JSON format with per vendor/product statements
> so everyone can have their own cake on their own table as it were.
>
>
>
> I also know MITRE has poked me in past for high visibility CVEs, and I
> generally agree with this, so perhaps some guidelines should be created,
> e.g. around severity/popularity/impact (e.g. CVSS score of 9.0 or higher and
> more than 10 million affected instances should be high priority, or if it
> hits cnn.com AND the BBC AND Reuters... and if the original CNA doesn't get
> it in quickly some other CNA is allowed to).
>
>
>
>
>
>
>
>
>
>
>
> On Wed, Jan 3, 2018 at 4:17 PM, Millar, Thomas <[hidden email]>
> wrote:
>
> https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
>
> -----Original Message-----
> From: [hidden email]
> [mailto:[hidden email]] On Behalf Of Art
> Manion
> Sent: Wednesday, January 3, 2018 17:51
> To: jericho <[hidden email]>; Landfield, Kent
> <[hidden email]>
> Cc: cve-editorial-board-list <[hidden email]>
> Subject: Re: upcoming intel issue
>
> On 1/3/18 5:25 PM, Art Manion wrote:
>
>> So first, what is the vulnerability (or vulnerabilities) -- things that
>> warrant a CVE ID, and second who is responsible for assigning IDs?
>
> https://meltdownattack.com/
>
> CVE-2017-5715 CVE-2017-5753 CVE-2017-5754
>
> Not immediately populated, so not sure what the distinctions are.
>
>   - Art
>
>
>
>
>
> --
>
> Kurt Seifried
> [hidden email]



--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: upcoming intel issue

Landfield, Kent
Interesting... I seem to be getting them.

Kent Landfield
[hidden email]
+1.817.637.8026

> On Jan 3, 2018, at 8:28 PM, Kurt Seifried <[hidden email]> wrote:
>
> Just a note at least one of my emails got bounced by mcafee's system
> as spam. Not sure if anyone else's system ate it.
>
>> On Wed, Jan 3, 2018 at 4:53 PM, Millar, Thomas <[hidden email]> wrote:
>> Yes to all that.
>>
>>
>>
>> Tom Millar, US-CERT
>>
>> Sent from +1-202-631-1915
>> https://www.us-cert.gov
>>
>> ________________________________
>> From: Coffin, Chris
>> Sent: Wednesday, January 03, 2018 11:46:59 PM
>> To: Kurt Seifried; Millar, Thomas
>> Cc: Art Manion; Landfield, Kent; cve-editorial-board-list
>> Subject: RE: upcoming intel issue
>>
>> Agree that this is worthy of a discussion, special handling, and probably
>> some documented guidelines. One thought is that the CNA should identify
>> issues that affect other vendors and notify/coordinate where appropriate, or
>> at the very least contact their parent CNA so that they can share the
>> reserved CVE ID and some limited bit of detail.
>>
>>
>>
>> It used to be the case that MITRE handled issue like this once public,
>> though we have moved away from that in the past few years.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Chris
>>
>>
>>
>>
>>
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of Kurt
>> Seifried
>> Sent: Wednesday, January 3, 2018 5:35 PM
>> To: Millar, Thomas <[hidden email]>
>> Cc: Art Manion <[hidden email]>; jericho <[hidden email]>;
>> Landfield, Kent <[hidden email]>; cve-editorial-board-list
>> <[hidden email]>
>> Subject: Re: upcoming intel issue
>>
>>
>>
>> So some challenges with this one:
>>
>>
>>
>> 1) it is multiple issues
>>
>> 2) it affects multiple vendors at the root cause level
>>
>> 2) it affects multiple vendors with workaround/fix (e.g.... all the OSs,
>> sigh)
>>
>>
>>
>> So yes it is correct to say that these 3 CVE's were from Intel's CNA and
>> thus "owned" by Intel, but it's clear that literally every OS vendor on the
>> planet that runs on x86 (and some others...) is going to need to deal with
>> this, so from that perspective I think one could argue for more community
>> "ownership" of the CVEs.
>>
>>
>>
>> I know this is a challenge the DWF faces (e.g. Linux Kernel, glibc, lots of
>> projects that are used by literally everyone), the best way I can/could
>> think of to fix this was the JSON format with per vendor/product statements
>> so everyone can have their own cake on their own table as it were.
>>
>>
>>
>> I also know MITRE has poked me in past for high visibility CVEs, and I
>> generally agree with this, so perhaps some guidelines should be created,
>> e.g. around severity/popularity/impact (e.g. CVSS score of 9.0 or higher and
>> more than 10 million affected instances should be high priority, or if it
>> hits cnn.com AND the BBC AND Reuters... and if the original CNA doesn't get
>> it in quickly some other CNA is allowed to).
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Wed, Jan 3, 2018 at 4:17 PM, Millar, Thomas <[hidden email]>
>> wrote:
>>
>> https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html
>>
>> -----Original Message-----
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of Art
>> Manion
>> Sent: Wednesday, January 3, 2018 17:51
>> To: jericho <[hidden email]>; Landfield, Kent
>> <[hidden email]>
>> Cc: cve-editorial-board-list <[hidden email]>
>> Subject: Re: upcoming intel issue
>>
>>> On 1/3/18 5:25 PM, Art Manion wrote:
>>>
>>> So first, what is the vulnerability (or vulnerabilities) -- things that
>>> warrant a CVE ID, and second who is responsible for assigning IDs?
>>
>> https://meltdownattack.com/
>>
>> CVE-2017-5715 CVE-2017-5753 CVE-2017-5754
>>
>> Not immediately populated, so not sure what the distinctions are.
>>
>>  - Art
>>
>>
>>
>>
>>
>> --
>>
>> Kurt Seifried
>> [hidden email]
>
>
>
> --
>
> Kurt Seifried -- Red Hat -- Product Security -- Cloud
> PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> Red Hat Product Security contact: [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: upcoming intel issue

Coffin, Chris
I also received an undeliverable for Kent's McAfee address yesterday.

The Intel CNA provided the details and the CVEs were added to the master list this morning.

http://cvedev1.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
http://cvedev1.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://cvedev1.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

Chris

-----Original Message-----
From: Landfield, Kent [mailto:[hidden email]]
Sent: Wednesday, January 3, 2018 8:31 PM
To: Kurt Seifried <[hidden email]>
Cc: Millar, Thomas <[hidden email]>; Coffin, Chris <[hidden email]>; Kurt Seifried <[hidden email]>; Art Manion <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: Re: upcoming intel issue

Interesting... I seem to be getting them.

Kent Landfield
[hidden email]
+1.817.637.8026

> On Jan 3, 2018, at 8:28 PM, Kurt Seifried <[hidden email]> wrote:
>
> Just a note at least one of my emails got bounced by mcafee's system
> as spam. Not sure if anyone else's system ate it.
>
>> On Wed, Jan 3, 2018 at 4:53 PM, Millar, Thomas <[hidden email]> wrote:
>> Yes to all that.
>>
>>
>>
>> Tom Millar, US-CERT
>>
>> Sent from +1-202-631-1915
>> https://www.us-cert.gov
>>
>> ________________________________
>> From: Coffin, Chris
>> Sent: Wednesday, January 03, 2018 11:46:59 PM
>> To: Kurt Seifried; Millar, Thomas
>> Cc: Art Manion; Landfield, Kent; cve-editorial-board-list
>> Subject: RE: upcoming intel issue
>>
>> Agree that this is worthy of a discussion, special handling, and
>> probably some documented guidelines. One thought is that the CNA
>> should identify issues that affect other vendors and
>> notify/coordinate where appropriate, or at the very least contact
>> their parent CNA so that they can share the reserved CVE ID and some limited bit of detail.
>>
>>
>>
>> It used to be the case that MITRE handled issue like this once
>> public, though we have moved away from that in the past few years.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Chris
>>
>>
>>
>>
>>
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of
>> Kurt Seifried
>> Sent: Wednesday, January 3, 2018 5:35 PM
>> To: Millar, Thomas <[hidden email]>
>> Cc: Art Manion <[hidden email]>; jericho <[hidden email]>;
>> Landfield, Kent <[hidden email]>; cve-editorial-board-list
>> <[hidden email]>
>> Subject: Re: upcoming intel issue
>>
>>
>>
>> So some challenges with this one:
>>
>>
>>
>> 1) it is multiple issues
>>
>> 2) it affects multiple vendors at the root cause level
>>
>> 2) it affects multiple vendors with workaround/fix (e.g.... all the
>> OSs,
>> sigh)
>>
>>
>>
>> So yes it is correct to say that these 3 CVE's were from Intel's CNA
>> and thus "owned" by Intel, but it's clear that literally every OS
>> vendor on the planet that runs on x86 (and some others...) is going
>> to need to deal with this, so from that perspective I think one could
>> argue for more community "ownership" of the CVEs.
>>
>>
>>
>> I know this is a challenge the DWF faces (e.g. Linux Kernel, glibc,
>> lots of projects that are used by literally everyone), the best way I
>> can/could think of to fix this was the JSON format with per
>> vendor/product statements so everyone can have their own cake on their own table as it were.
>>
>>
>>
>> I also know MITRE has poked me in past for high visibility CVEs, and
>> I generally agree with this, so perhaps some guidelines should be
>> created, e.g. around severity/popularity/impact (e.g. CVSS score of
>> 9.0 or higher and more than 10 million affected instances should be
>> high priority, or if it hits cnn.com AND the BBC AND Reuters... and
>> if the original CNA doesn't get it in quickly some other CNA is allowed to).
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Wed, Jan 3, 2018 at 4:17 PM, Millar, Thomas
>> <[hidden email]>
>> wrote:
>>
>> https://googleprojectzero.blogspot.com/2018/01/reading-privileged-mem
>> ory-with-side.html
>>
>> -----Original Message-----
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of
>> Art Manion
>> Sent: Wednesday, January 3, 2018 17:51
>> To: jericho <[hidden email]>; Landfield, Kent
>> <[hidden email]>
>> Cc: cve-editorial-board-list
>> <[hidden email]>
>> Subject: Re: upcoming intel issue
>>
>>> On 1/3/18 5:25 PM, Art Manion wrote:
>>>
>>> So first, what is the vulnerability (or vulnerabilities) -- things
>>> that warrant a CVE ID, and second who is responsible for assigning IDs?
>>
>> https://meltdownattack.com/
>>
>> CVE-2017-5715 CVE-2017-5753 CVE-2017-5754
>>
>> Not immediately populated, so not sure what the distinctions are.
>>
>>  - Art
>>
>>
>>
>>
>>
>> --
>>
>> Kurt Seifried
>> [hidden email]
>
>
>
> --
>
> Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995
> 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security
> contact: [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: upcoming intel issue

Art Manion
On 2018-01-04 09:06, Coffin, Chris wrote:

> The Intel CNA provided the details and the CVEs were added to the master list this morning.
>
> http://cvedev1.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
> http://cvedev1.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
> http://cvedev1.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

Thank you Intel CNA.

 - Art
Reply | Threaded
Open this post in threaded view
|

RE: upcoming intel issue

Coffin, Chris
In reply to this post by Coffin, Chris
Wrong urls... use these. 😊

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

Chris

-----Original Message-----
From: Coffin, Chris
Sent: Thursday, January 4, 2018 8:07 AM
To: 'Landfield, Kent' <[hidden email]>; Kurt Seifried <[hidden email]>
Cc: Millar, Thomas <[hidden email]>; Kurt Seifried <[hidden email]>; Art Manion <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: RE: upcoming intel issue

I also received an undeliverable for Kent's McAfee address yesterday.

The Intel CNA provided the details and the CVEs were added to the master list this morning.

http://cvedev1.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
http://cvedev1.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
http://cvedev1.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5754

Chris

-----Original Message-----
From: Landfield, Kent [mailto:[hidden email]]
Sent: Wednesday, January 3, 2018 8:31 PM
To: Kurt Seifried <[hidden email]>
Cc: Millar, Thomas <[hidden email]>; Coffin, Chris <[hidden email]>; Kurt Seifried <[hidden email]>; Art Manion <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: Re: upcoming intel issue

Interesting... I seem to be getting them.

Kent Landfield
[hidden email]
+1.817.637.8026

> On Jan 3, 2018, at 8:28 PM, Kurt Seifried <[hidden email]> wrote:
>
> Just a note at least one of my emails got bounced by mcafee's system
> as spam. Not sure if anyone else's system ate it.
>
>> On Wed, Jan 3, 2018 at 4:53 PM, Millar, Thomas <[hidden email]> wrote:
>> Yes to all that.
>>
>>
>>
>> Tom Millar, US-CERT
>>
>> Sent from +1-202-631-1915
>> https://www.us-cert.gov
>>
>> ________________________________
>> From: Coffin, Chris
>> Sent: Wednesday, January 03, 2018 11:46:59 PM
>> To: Kurt Seifried; Millar, Thomas
>> Cc: Art Manion; Landfield, Kent; cve-editorial-board-list
>> Subject: RE: upcoming intel issue
>>
>> Agree that this is worthy of a discussion, special handling, and
>> probably some documented guidelines. One thought is that the CNA
>> should identify issues that affect other vendors and
>> notify/coordinate where appropriate, or at the very least contact
>> their parent CNA so that they can share the reserved CVE ID and some limited bit of detail.
>>
>>
>>
>> It used to be the case that MITRE handled issue like this once
>> public, though we have moved away from that in the past few years.
>>
>>
>>
>> Regards,
>>
>>
>>
>> Chris
>>
>>
>>
>>
>>
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of
>> Kurt Seifried
>> Sent: Wednesday, January 3, 2018 5:35 PM
>> To: Millar, Thomas <[hidden email]>
>> Cc: Art Manion <[hidden email]>; jericho <[hidden email]>;
>> Landfield, Kent <[hidden email]>; cve-editorial-board-list
>> <[hidden email]>
>> Subject: Re: upcoming intel issue
>>
>>
>>
>> So some challenges with this one:
>>
>>
>>
>> 1) it is multiple issues
>>
>> 2) it affects multiple vendors at the root cause level
>>
>> 2) it affects multiple vendors with workaround/fix (e.g.... all the
>> OSs,
>> sigh)
>>
>>
>>
>> So yes it is correct to say that these 3 CVE's were from Intel's CNA
>> and thus "owned" by Intel, but it's clear that literally every OS
>> vendor on the planet that runs on x86 (and some others...) is going
>> to need to deal with this, so from that perspective I think one could
>> argue for more community "ownership" of the CVEs.
>>
>>
>>
>> I know this is a challenge the DWF faces (e.g. Linux Kernel, glibc,
>> lots of projects that are used by literally everyone), the best way I
>> can/could think of to fix this was the JSON format with per
>> vendor/product statements so everyone can have their own cake on their own table as it were.
>>
>>
>>
>> I also know MITRE has poked me in past for high visibility CVEs, and
>> I generally agree with this, so perhaps some guidelines should be
>> created, e.g. around severity/popularity/impact (e.g. CVSS score of
>> 9.0 or higher and more than 10 million affected instances should be
>> high priority, or if it hits cnn.com AND the BBC AND Reuters... and
>> if the original CNA doesn't get it in quickly some other CNA is allowed to).
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Wed, Jan 3, 2018 at 4:17 PM, Millar, Thomas
>> <[hidden email]>
>> wrote:
>>
>> https://googleprojectzero.blogspot.com/2018/01/reading-privileged-mem
>> ory-with-side.html
>>
>> -----Original Message-----
>> From: [hidden email]
>> [mailto:[hidden email]] On Behalf Of
>> Art Manion
>> Sent: Wednesday, January 3, 2018 17:51
>> To: jericho <[hidden email]>; Landfield, Kent
>> <[hidden email]>
>> Cc: cve-editorial-board-list
>> <[hidden email]>
>> Subject: Re: upcoming intel issue
>>
>>> On 1/3/18 5:25 PM, Art Manion wrote:
>>>
>>> So first, what is the vulnerability (or vulnerabilities) -- things
>>> that warrant a CVE ID, and second who is responsible for assigning IDs?
>>
>> https://meltdownattack.com/
>>
>> CVE-2017-5715 CVE-2017-5753 CVE-2017-5754
>>
>> Not immediately populated, so not sure what the distinctions are.
>>
>>  - Art
>>
>>
>>
>>
>>
>> --
>>
>> Kurt Seifried
>> [hidden email]
>
>
>
> --
>
> Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995
> 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security
> contact: [hidden email]