The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List Steven M. Christey David W. Baker William H. Hill David E. Mann The MITRE Corporation


Page 1: The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List Steven M. Christey David W. Baker William H. Hill David E. Mann

The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List

Steven M. Christey, David W. Baker, William H. Hill, David E. Mann

The MITRE Corporation

Page 2: Outline

- Description
- Examples
- Applications to IDS
- Activities
- Editorial Board

Page 3: What is the CVE (Common Vulnerabilities and Exposures List)?

A list of common information systems security problems (but CISSP was taken)

Vulnerabilities

- Problems that are universally thought of as “vulnerabilities” in any security policy
- Software flaws that could directly allow serious damage
- phf, ToolTalk, Smurf, rpc.cmsd, etc.

Exposures

- Problems that are sometimes thought of as “vulnerabilities” in some security policies
- Stepping stones for a successful attack
- Running finger, poor logging practices, etc.

Page 4: CVE Goals

- Enumerate all publicly known problems
- Assign a standard, unique name to each problem
- Exist independently of multiple perspectives
- Be publicly open and shareable, without distribution restrictions

Page 5: Why the CVE?

Provide common language for referring to problems

Facilitate data sharing between

- IDSes
- Assessment tools
- Vulnerability databases
- Academic research
- Incident response teams

Foster better communication across the community

Get better tools that interoperate across multiple vendors

Page 6: Sample CVE Entries

Name            Description
CVE-1999-0003   ToolTalk (rpc.ttdbserverd) buffer overflow
CVE-1999-0006   Buffer overflow in qpopper
CVE-1999-0067   Shell metacharacters in phf
CVE-1999-0344   Windows NT debug-level access bug (a.k.a. Sechole)

Page 7: Sample CVE Mapping

CVE Name        ToolA  ToolB  DB1  DB2  HackerSite
CVE-XXXX-0001   X X X
CVE-XXXX-0002   X X X
CVE-XXXX-0003   X X
CVE-XXXX-0004   X X X X

Page 8: CVE for IDS

Standard name for vulnerability-related attacks

Interoperability

- Multi-vendor compatibility
- Correlate with assessment tool results to reduce false positives
- Share incident data

Consistency of reports

IDS comparisons

- Accuracy, coverage, performance

Common attack list

DARPA CIDF and IETF IDWG

Page 9: CVE from Vulnerability Assessment to IDS

Diagram labels:

- “Do my systems have these problems?”
- “Which tools test for these problems?”
- Tool 1: CVE-1, CVE-2, CVE-3
- Tool 2: CVE-3, CVE-4
- “Does my IDS have the signatures?”
- IDS: CVE-1, CVE-3, CVE-4
- “I can’t detect exploits of CVE-2 - how well does Tool 1 check for it?”
- Popular Attacks: CVE-1, CVE-2, CVE-3, CVE-4

Page 10: CVE from Attacks to Incident Recovery

Diagram labels:

- “I detected an attack on CVE-3. Did my assessment say my system has the problem?”
- Tool 1: CVE-1, CVE-2, CVE-3
- Tool 2: CVE-3, CVE-4
- YES: Clean up; Close the hole; Report the incident; Tell your vendor
- NO: Don’t send an alarm. But the attack succeeded! (Go to YES)
- Public Databases: CVE-2, CVE-3
- Advisories: CVE-1, CVE-2, CVE-3
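The three preceding slides (the mapping table on page 7 and the two diagrams on pages 9 and 10) all rest on one idea: once every tool, database and advisory feed is keyed by the same CVE name, correlation across them is a set operation. The following Python is an added example written for this transcript, not code from the MITRE slides or from the CVE project. The source names and the CVE-1 .. CVE-4 placeholders are taken from the diagrams; the per-source coverage sets are copied from them, and the triage actions are the YES/NO branches of page 10.

```python
"""Correlating assessment tools, IDS signatures, databases and advisories
through shared CVE names.  Added example; the coverage data below is the
placeholder data shown on the MITRE slides, not real tool output.
"""
from typing import Dict, Iterable, List, Set

# Each source reduced to the set of CVE names it covers.  The CVE name is the
# only key shared between otherwise independent naming schemes.
COVERAGE: Dict[str, Set[str]] = {
    "Tool 1": {"CVE-1", "CVE-2", "CVE-3"},      # assessment tool
    "Tool 2": {"CVE-3", "CVE-4"},               # assessment tool
    "IDS": {"CVE-1", "CVE-3", "CVE-4"},         # IDS signatures
    "Public Databases": {"CVE-2", "CVE-3"},
    "Advisories": {"CVE-1", "CVE-2", "CVE-3"},
}
ASSESSMENT_TOOLS: List[str] = ["Tool 1", "Tool 2"]
POPULAR_ATTACKS: Set[str] = {"CVE-1", "CVE-2", "CVE-3", "CVE-4"}


def mapping_table(coverage: Dict[str, Set[str]]) -> Dict[str, Dict[str, bool]]:
    """Cross-reference matrix: CVE name -> source -> whether that source covers it."""
    names = sorted(set().union(*coverage.values()))
    return {cve: {src: cve in cves for src, cves in coverage.items()} for cve in names}


def render_table(coverage: Dict[str, Set[str]]) -> str:
    """Text rendering in the style of the 'Sample CVE Mapping' slide (X = covered)."""
    sources = list(coverage)
    width = max(len(s) for s in sources + ["CVE Name"])
    lines = ["  ".join(s.ljust(width) for s in ["CVE Name"] + sources)]
    for cve, row in mapping_table(coverage).items():
        cells = [cve] + ["X" if row[s] else "" for s in sources]
        lines.append("  ".join(c.ljust(width) for c in cells))
    return "\n".join(line.rstrip() for line in lines)


def sources_for(cve: str, coverage: Dict[str, Set[str]]) -> List[str]:
    """Which sources know about this CVE name ('Which tools test for these problems?')."""
    return sorted(src for src, cves in coverage.items() if cve in cves)


def ids_blind_spots(coverage: Dict[str, Set[str]], attacks: Iterable[str],
                    ids: str = "IDS",
                    tools: Iterable[str] = ASSESSMENT_TOOLS) -> Dict[str, List[str]]:
    """Popular attacks the IDS has no signature for, each mapped to the assessment
    tools that do test for the underlying problem.  On the slide data this yields
    CVE-2 -> Tool 1 ('how well does Tool 1 check for it?')."""
    gaps = sorted(set(attacks) - coverage[ids])
    tool_cov = {t: coverage[t] for t in tools}
    return {cve: sources_for(cve, tool_cov) for cve in gaps}


def triage_alert(cve: str, assessment_findings: Set[str],
                 attack_succeeded: bool = False) -> List[str]:
    """Decision from the 'Attacks to Incident Recovery' slide: an IDS alert on
    `cve` is acted on when assessment reported the system has the problem, or
    when the attack is known to have succeeded regardless of the assessment."""
    if cve in assessment_findings or attack_succeeded:
        return ["Clean up", "Close the hole", "Report the incident", "Tell your vendor"]
    return ["Don't send an alarm"]


if __name__ == "__main__":
    print(render_table(COVERAGE))
    print(ids_blind_spots(COVERAGE, POPULAR_ATTACKS))
    print(triage_alert("CVE-3", COVERAGE["Tool 2"]))
    print(triage_alert("CVE-1", COVERAGE["Tool 2"]))
```

The `attack_succeeded` flag exists because the NO branch on page 10 is not a terminal state: the slide's own annotation ("But the attack succeeded!") loops back to YES, so a correlator that suppresses alarms purely on assessment results needs an override path.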

Page 11: CVE Timeline

“Towards a Common Enumeration of Vulnerabilities,” 2nd CERIAS Workshop on Vulnerability Databases (January 1999)

Initial creation of Draft CVE (Feb-April 1999)

- 663 vulnerabilities
- Data derived from security tools, hacker site, advisories

Formation of Editorial Board (April-May 1999)

Validation of Draft CVE (May-Sept 1999)

Creation of validation process (May-Sept 1999)

Discussion of high-level CVE content (July-Sept 1999)

Public release (Real Soon Now)

Page 12: The CVE Editorial Board

Experts from more than 15 security-related organizations

- Researchers, security tool vendors, mailing list moderators, vulnerability database owners, response teams, system administrators, security analysts

Mailing list discussions

- Validation and voting for individual CVE entries
- High-level content decisions

Meetings

- Face-to-Face
- Teleconference

Membership on an as-needed or as-recommended basis

Page 13: Bringing New Entries into the CVE

Assignment

- Candidate number CAN-1999-XXXX to distinguish from validated CVE entry
- Candidate Numbering Authority (CNA) reduces “noise”

Proposal

- Announcement and discussion
- Voting: Accept, Modify, Reject, Recast, Reviewing

Modification

Interim Decision

Final Decision

- CVE name(s) assigned if candidate is accepted

Publication
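The candidate workflow on this slide is a small state machine: a CNA hands out a CAN number, the Board votes, an interim and then a final decision are recorded, and only an accepted candidate receives CVE name(s) before publication. The Python below is an added example written for this transcript, not MITRE's or the CVE project's code. The stage names, vote values and the CAN/CVE name formats are the ones on the slide; the interim-decision rule (more Accept than Reject votes, with Reviewing votes not counted), the discarding of votes after a Modification, and the CNA issuing sequential numbers are assumptions made for this example.

```python
"""Lifecycle of a CVE candidate (CAN-YYYY-NNNN) from assignment to publication.
Added example.  Voting threshold, vote clearing on modification and sequential
CAN numbering are assumptions, not rules stated on the slide.
"""
import re
from enum import Enum
from typing import Dict, List, Optional

NAME_RE = re.compile(r"^(?P<kind>CVE|CAN)-(?P<year>\d{4})-(?P<seq>\d{4})$")


def is_valid_name(name: str) -> bool:
    return NAME_RE.match(name) is not None


def parse_name(name: str) -> Dict[str, str]:
    """Split a CVE/CAN name into kind, year and sequence number, or raise."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a CVE or CAN name: {name!r}")
    return m.groupdict()


class Vote(Enum):
    ACCEPT = "Accept"
    MODIFY = "Modify"
    REJECT = "Reject"
    RECAST = "Recast"
    REVIEWING = "Reviewing"


class Stage(Enum):
    ASSIGNED = "Assignment"
    PROPOSED = "Proposal"
    INTERIM = "Interim Decision"
    FINAL = "Final Decision"
    PUBLISHED = "Publication"


class Candidate:
    def __init__(self, name: str, description: str) -> None:
        if parse_name(name)["kind"] != "CAN":
            raise ValueError("a candidate carries a CAN name until it is accepted")
        self.name, self.description = name, description
        self.stage = Stage.ASSIGNED
        self.votes: Dict[str, Vote] = {}          # Board member -> current vote
        self.accepted: Optional[bool] = None
        self.cve_names: List[str] = []

    def _require(self, stage: Stage) -> None:
        if self.stage is not stage:
            raise RuntimeError(f"{self.name}: in {self.stage.value}, expected {stage.value}")

    def propose(self) -> None:
        """Announce the candidate to the Editorial Board for discussion and voting."""
        self._require(Stage.ASSIGNED)
        self.stage = Stage.PROPOSED

    def vote(self, member: str, vote: Vote) -> None:
        self._require(Stage.PROPOSED)
        self.votes[member] = vote                 # a later vote replaces the earlier one

    def modify(self, description: str) -> None:
        """Modification step; votes cast on the old wording are discarded (assumption)."""
        self._require(Stage.PROPOSED)
        self.description = description
        self.votes.clear()

    def interim_decision(self) -> bool:
        self._require(Stage.PROPOSED)
        counted = [v for v in self.votes.values() if v is not Vote.REVIEWING]
        self.accepted = counted.count(Vote.ACCEPT) > counted.count(Vote.REJECT)  # assumption
        self.stage = Stage.INTERIM
        return self.accepted

    def final_decision(self, cve_names: Optional[List[str]] = None) -> None:
        """Confirm the interim decision; an accepted candidate receives CVE name(s)."""
        self._require(Stage.INTERIM)
        names = list(cve_names or [])
        if self.accepted:
            if not names or any(parse_name(n)["kind"] != "CVE" for n in names):
                raise ValueError("an accepted candidate needs at least one CVE name")
            self.cve_names = names
        self.stage = Stage.FINAL

    def publish(self) -> List[str]:
        self._require(Stage.FINAL)
        self.stage = Stage.PUBLISHED
        return self.cve_names


class CandidateNumberingAuthority:
    """Issues unique CAN numbers so independent proposers cannot collide."""
    def __init__(self, year: int) -> None:
        self.year, self.next_seq = year, 1

    def assign(self, description: str) -> Candidate:
        cand = Candidate(f"CAN-{self.year}-{self.next_seq:04d}", description)
        self.next_seq += 1
        return cand
```

Every transition checks the current stage, so a vote cannot be recorded after the interim decision and a candidate cannot be published without a final decision; the CAN/CVE split is enforced at both ends (a `Candidate` refuses a CVE name, and `final_decision` refuses anything but CVE names for an accepted entry).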