
Re: [TECH] CD:VAGUE (vague vendor descriptions of vulnerabilities)



The first thing that came to my mind upon reading the CD:VAGUE specification was "consider the source." I have no problems when the vendor reports (even vague) issues with their systems. I doubt a vendor would be reporting problems that didn't exist, at least in their own systems. However, there are several pending items in CVE that are only cross-referenced by security tool references, or no references at all. Some of the latter category we have located in our database as items in competitors' scanning features, or (worse yet) unconfirmed/unreferenced issues that have been picked up by the SANS Top 20 list. I don't know if these items can be rounded up into CD:VAGUE or if there is another content decision affecting them, but there seem to be enough of them to define a CD:VAGUE EXCLUSION type.

Andre

---
Andre Frech
X-Force Research Engineer
Internet Security Systems (ISS)
6303 Barfield Road
Atlanta, Georgia 30328-4233
Phone: 404-236-2927
Fax: 404-236-2624
Internet Security Systems -- The Power to Protect

> -----Original Message-----
> From: Steven M. Christey [mailto:coley@linus.mitre.org]
> Sent: Sunday, February 17, 2002 PM
> To: cve-editorial-board-list@lists.mitre.org
> Subject: [TECH] CD:VAGUE (vague vendor descriptions of vulnerabilities)
>
>
> This CD, while newly created, identifies and tries to address an old
> problem. Editorial Board members' votes are quoted in the "Analysis"
> section of the candidates affected by this CD.
>
> - Steve
>
>
> ******************************************************************
> CD:VAGUE (vague vendor descriptions of vulnerabilities)
> ******************************************************************
> Type: ABSTRACTION, INCLUSION
> Last Updated: February 17, 2002
>
> CD:VAGUE is a CVE content decision that deals with cases in which a
> vendor releases a security advisory or other type of alert, but the
> description contains less detail than is required by other CVE
> content decisions.
>
> CD:VAGUE is the only CVE content decision that can affect both
> INCLUSION (should an issue be included in CVE?) and ABSTRACTION
> (how do we distinguish between closely related issues?).
>
> Vague advisories or vulnerability reports have the following
> high-level effects on CVE:
>
> - INCLUSION CDs: some Editorial Board members believe that if an
>   issue is only vaguely mentioned, there is not enough information
>   to provide a useful description, so it does not "deserve" to be
>   in CVE.
>
> - ABSTRACTION CDs: when a vulnerability description is vague, it can
>   be difficult to apply other CVE content decisions to determine
>   (a) whether the issue duplicates existing CVE candidates and
>   entries, and (b) what the proper level of abstraction is.
>
> In addition, vague descriptions of candidates increase the risk of
> mapping errors in CVE-compatible products, i.e. a CVE-compatible
> vendor might inadvertently map an issue in their database to a CVE
> entry because that issue fully matches the entry's vague description.
>
> There are also occasional effects on vendor acknowledgement and its
> impact on voting. For example, a candidate for a detailed Bugtraq
> post might not receive enough ACCEPT votes because Board members
> cannot replicate the issue, but there may be a different candidate
> for a vague advisory that addresses the reported issue.
>
> There is evidence that different sources of vulnerability
> information (databases, alert summaries, etc.) use different
> approaches to decide whether a vague advisory addresses the same
> issue as one that is reported in detail.
>
> CD:VAGUE, together with other content decisions, effectively
> provides a name for this discrepancy between vulnerability data
> sources.
>
>
> DESCRIPTION
> -----------
>
> Following is the description for CD:VAGUE.
>
> 1) If a vendor releases a vague report of a security problem, then
>    even though there is insufficient detail, the problem should be
>    included in CVE since (1) it is related to security (since the
>    vendor claims it is related to security), and (2) it is known to
>    be real (since the vendor reported it).
>
> 2) Unless there is sufficient evidence that the vague advisory is
>    addressing the same issue as identified by another CVE item, it
>    should be distinguished from that item.
>
>
> RATIONALES
> ----------
>
> INCLUSION:
>
> In several cases in the past, one or more Editorial Board members
> have voted to REJECT or at least REVIEW a candidate because its
> description was too vague, even when there was a vendor security
> advisory associated with it.
>
> However, the vendor is reporting on a problem that it believes has
> security implications, and that system administrators should take
> care of. Also, someone malicious may discover it in the future, or
> already know about it.
>
> There is sufficient evidence that the problem is real, and the
> vendor believes that it has security implications. Therefore it
> should be included in CVE.
>
>
> ABSTRACTION:
>
> It can be difficult to determine whether the vague advisory is a
> duplicate of an existing CVE candidate or entry, which may have
> more details. Sometimes, the vague advisory is released months or
> sometimes years after more detailed reports have been reported. If
> the advisory doesn't include information (such as cross-references)
> that clearly links the issue to other CVE items, then it should be
> kept separated from the other CVE items, and the possible
> relationship should be noted.
>
> Also, when several closely related issues have been discovered
> before the vague advisory has been released, it is not clear
> whether the advisory addresses one, some, all, or none of the
> reported issues.
>
>
> INCLUSION EXAMPLES
> ------------------
>
> CAN-2001-1061 shows that a vendor has fixed a problem that the
> vendor claims is security-related, but there is insufficient
> information for understanding why the issue is related to security.
>
> Candidate: CAN-2001-1061
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-1061
> Proposed: 20020131
> Assigned: 20020131
> Category: SF
> Reference: AIXAPAR:IY22255
> Reference: URL:http://archives.neohapsis.com/archives/aix/2001-q3/0003.html
>
> Vulnerability in lsmcode in unknown versions of AIX, possibly
> related to a usage error.
>
>
> Analysis
> --------
> Vendor Acknowledgement: yes
> Content Decisions: VAGUE
>
> CD:VAGUE states that if a vendor releases a vague report of a
> security problem, then even though there is insufficient detail,
> the problem should be included in CVE.
>
> The full text of AIXAPAR:IY22255 says:
>
>   ABSTRACT: SECURITY: VULNERABILITY IN LSMCODE
>
>   PROBLEM DESCRIPTION:
>   Customer does not receive a usage error when an invalid
>   command-line option type is specified to LSMCODE.
>
>   PROBLEM CONCLUSION:
>   Check the type supplied from the command line. If the type is
>   not supported, then display a usage error.
>
> From this description it is not clear how the lack of a usage
> error implies a vulnerability. However, IBM says that there is
> some security problem.
>
>
> Here is another example candidate.
>
> ======================================================
> Candidate: CAN-2000-0173
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-0173
> Final-Decision:
> Interim-Decision:
> Modified:
> Proposed: 20000322
> Assigned: 20000322
> Category: SF
> Reference: SCO:SB-00.08a
> Reference: URL:ftp://ftp.sco.com/sse/security_bulletins/sb-00.08a
>
> Vulnerability in the eels system in SCO UnixWare 7.1.x allows
> remote attackers to cause a denial of service.
>
> INFERRED ACTION: CAN-2000-0173 SMC_REVIEW (3 accept, 2 review)
>
> Current Votes:
>   ACCEPT(2) Blake, Cole
>   MODIFY(1) Frech
>   NOOP(4) Ozancin, LeBlanc, Prosser, Wall
>   REVIEW(2) Levy, Christey
>
> Voter Comments:
>   Prosser> Although SCO reported the problem, there is too little
>     information to make an informed decision. Could not find
>     anything anywhere else. This is an event logging system, so
>     one assumes there is a way to fill the log and cause the system
>     to stop, but there is no way to confirm this with the limited
>     information.
>   Christey> Perhaps we should create a content decision, say
>     CD:VAGUE-ACK, that says whether it is reasonable to accept
>     vendor-acknowledged problems that do not provide any salient
>     details, as in this candidate as well as several others.
>   Cole> I researched this; you can change my vote to ACCEPT.
>   Frech> XF:sco-eels-dos
>
>
> ABSTRACTION EXAMPLES
> --------------------
>
> CAN-2001-0935 is a vague Linux advisory related to a wu-ftpd issue.
> See the Analysis section.
>
> ======================================================
> Candidate: CAN-2001-0935
> Proposed: 20020131
> Assigned: 20020131
> Reference: SUSE:SuSE-SA:2001:043
> Reference: URL:http://www.suse.de/de/support/security/2001_043_wuftpd_txt.html
>
> Vulnerability in wu-ftpd 2.6.0, and possibly earlier versions, that
> is unrelated to the ftpglob bug described in CAN-2001-0550.
>
>
> Analysis
> --------
> Vendor Acknowledgement:
> Content Decisions: SF-LOC, VAGUE
>
> ABSTRACTION: The SUSE advisory describes the ftpglob buffer
> overflow (CAN-2001-0550), then states: "Several weeks ago, an
> internal source code audit of wu-ftpd 2.6.0 by Thomas Biege, SuSE
> Security, revealed several other security-related bugs, which were
> fixed." It provides no other details, so this problem should be
> distinguished. There are no other details, so the CVE description
> is vague.
>
> INCLUSION: CD:VAGUE suggests that when a vaguely worded advisory
> is posted by a vendor, it should still be included in CVE because
> there is sufficient evidence that the problem is real (since it
> came from the vendor).
>
>
> The following candidate is an example of a vague description that
> could apply to a number of potential products or vulnerabilities,
> some of which may already have CVE names. In addition, other CVE
> content decisions cannot be properly applied.
>
> ======================================================
> Candidate: CAN-2001-0772
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2001-0772
> Proposed: 20011012
> Assigned: 20011012
> Category: SF
> Reference: HP:HPSBUX0105-151
> Reference: URL:http://archives.neohapsis.com/archives/hp/2001-q2/0044.html
> Reference: XF:hpux-cde-bo(6585)
> Reference: URL:http://xforce.iss.net/static/6585.php
>
> Multiple buffer overflows and other vulnerabilities in Common
> Desktop Environment (CDE) modules in HP-UX 10.10 through 11.11
> allow attackers to cause a denial of service and possibly gain
> additional privileges.
>
>
> Analysis
> --------
> Vendor Acknowledgement: yes advisory
> Content Decisions: SF-EXEC, SF-LOC, VAGUE
>
> ABSTRACTION/INCLUSION: There have been a wide variety of
> vulnerabilities in CDE modules over the years. The HP advisory
> does not provide enough details to know whether HP is addressing
> known vulnerabilities or new ones. Therefore it is possible that
> this item overlaps other CVE entries or candidates. The advisory
> also implies that there are other types of problems besides buffer
> overflows. CD:SF-LOC suggests creating separate candidates for
> each problem, but since the advisory does not provide details, it
> cannot be determined how many candidates should be created.
> Therefore this candidate is clearly at a higher level of
> abstraction than usual.
>
>
> Current Votes:
>   ACCEPT(4) Baker, Foat, Cole, Frech
>   NOOP(2) Wall, Armstrong
>   REVIEW(1) Christey
>
> Voter Comments:
>   Christey> There is some overlap between CAN-2001-0551 and
>     CAN-2001-0772. CAN-2001-0551 describes a specific vulnerability
>     in dtprintinfo. HP acknowledges CAN-2001-0551 by stating that
>     the problem is fixed in HP:HPSBUX0105-151, which is
>     CAN-2001-0772. But CAN-2001-0772 is a vague advisory that
>     identifies other vulnerabilities (and vulnerability types)
>     besides CAN-2001-0551. Perhaps CAN-2001-0772 should be RECAST
>     to "remove" the reference to dtprintinfo and leave the other
>     vague descriptions. CAN-2001-0772 and CAN-2001-0551 are very
>     good examples of the problems that CVE faces in being
>     consistent with respect to the level of abstraction, as
>     documented in the CD:SF-CODEBASE, CD:SF-LOC, and CD:VAGUE
>     content decisions.

Page last updated or reviewed: May 22, 2007