再保险:定义什么是CVE值得下载/安装和容器

> - - - - - - - - - - - >从原始信息:owner-cve-editorial-board-list@lists.mitre.org [mailto: owner-cve -莫尼耶> editorial-board-list@lists.mitre.org]代表帕斯卡>发送:星期三,6月15日2016 >中午的12点:常见的漏洞和风险敞口< cve@mitre.org >;cve-editorial - > board-list < cve-editorial-board-list@lists.mitre.org > >主题:Re:定义什么是CVE值得>下载/安装和容器> > >我有困难有一些语句:> >“如果CVE的起源ID请求似乎无关的党>写代码,然后(有时但不是100%的时间)CVE ID >请求被拒绝建议和供应商商量。”>>It can be very difficult to "consult with the vendor". It's much, much >easier to just disclose the vulnerability without a CVE. I'm afraid >that the above policy is a strong incentive against using CVE >identifiers. > >Also, I'm confused by the paragraph with the ASUS example as it seems >to >contradict the preceding one. > >Pascal Pascal - Keep in mind that these statements were all made in the context of reports that a product uses an http: URL to reach executable code, and then executes that code. We currently do not want 100% of these reports to receive CVE IDs, and thus this situation is a special case. The "CVE ID request is rejected with a suggestion to consult with the vendor" outcome is not a universal CVE ID assignment practice; it only applies in a special case. The rationale for not assigning CVE IDs to 100% is discussed in Kurt's 2016-06-06 message, e.g., "Documents mentioning what this is doing and that it is dangerous." For example, within a specific product, use of an http: URL to reach executable code may be documented, intentional, and unavoidable. One scenario is that the code is owned by a third party who operates only an http server, not an https server, and there may be no way to achieve desired product functionality without accepting the risk and proceeding with the http download. There are other relevant scenarios as well. This leaves the question of what is an appropriate timeframe for allowing the affected vendor to respond in these cases. For example,http://www.symantec.com/security/OIS_Guidelines%20for%20responsible%20disclosure.pdf建议10天左右收到,等等。我们觉得华硕的例子是符合2016-06-07的其他消息。http://teletext.zaibatsutel.net/post/145370716258/deadupdate-or-how-i-learned-to-stop-worrying-and有一个时间轴部分显示一个尝试与供应商协商发生一个多月的时间,最终结果的“供应商没有回应。”When there is no input from the vendor, only the CNA is involved in the decision about whether the product has a vulnerable behavior that CVE consumers may wish to track. The CVE Team >On 06/07/2016 11:14 PM, Common Vulnerabilities & Exposures wrote: >> Kurt – >> >> As you are well aware, CVE assignment is never an exact science. The >following is a description of our current practice: >> >> >> · The question of whether it is "software acting exactly as >> it is designed" >depends on who sends the CVE ID request. For example, it is plausible >for a >vendor's server to offer the same executable code (or update service) >through both HTTP and HTTPS, and the URL hardcoded into a client-side >product was -- by design -- supposed to start with https, but it >started with >http by accident. Thus, if it is a vendor-initiated request for a CVE >ID to tag a >required security update for their customers, then the CVE ID request >is >always accepted. >> >> · If the origin of the CVE ID request seems unrelated to the >> party that >wrote the code, then (sometimes but not 100% of the time) the CVE ID >request is rejected with a suggestion to consult with the vendor. >> >> · It would be hard to achieve 100% rejections, even if a CNA >> wanted to, >because the person sending the CVE ID request may neglect to mention, >or >may be unwilling to mention, the precise nature of the problem. A large >fraction of the population believes that it is always a vulnerability >for any >product to continuously make requests for executable code over >unencrypted HTTP, with no other integrity protection, and execute code >whenever a response is received. Because that much is obvious in their >world >view, their vulnerability description may focus on other details, such >as file- >format manipulation, etc. >> >> · Our prevailing opinion is that, for this >> HTTP/executable-code scenario, >the best a CNA can do is assign CVE IDs in cases where they believe CVE >consumers want those IDs to exist. If the requester sends a credible >description of high exploitation likelihood, and there is no >counterclaim from >the vendor itself that this is "software acting exactly as it is >designed," then it >qualifies for a CVE ID. >> >> This matches what happened for ASUS (the vendor refused to respond at >all). If another requester does not describe exploitation likelihood >or asserts >that there is essentially no exploitation likelihood, and there is no >clarification >from the vendor, then the request can be rejected on the "software >acting >exactly as it is designed" grounds. >> >> In other words, existence of a CVE ID should depend a little less on >> a >comprehensive theory of what a vulnerability is, and depend a little >more on >judgment about whether the ID will help real-life organizations with >risk >management. This requires a little more work from the CNA, but makes >CVE >more useful than with either the 100% accept or 100% reject options. >> >> Regards, >> >> The CVE Team >> >> >> >> >> From: owner-cve-editorial-board-list@lists.mitre.org >> [mailto: owner-cve -代表Kurt Seifried > > > editorial-board-list@lists.mitre.org]发送:周一,6月6日下午2016 12:18 > >:cve-editorial-board-list > > < cve-editorial-board-list@lists.mitre.org > > >主题:定义有什么CVE值得下载/安装容器> >和> > > > >我看过经典的“反暴力极端主义是一个安全漏洞,> > >安全漏洞是跨越信任边界”。> > > >这显然是开放的,各种各样的解释,例如我们> > >密码都同意一个秘密与硬编码的密码是一个CVE后门,>但>什么应用程序,有一个默认的密码,然后被迫>修改>一旦你登录吗?什么应用程序,必须暴露在网络>(引入种族攻击者可能会在第一)?>一般>我们有一个好主意的界限的密码>(记录?>多变?有一个现实的安全的方法来部署这个产品?)。> > > >首先一个小故事:我的儿子玩"我很多,所以我要> > >一个服务器设置它们。我发现了一些软件,设置当然是恼人的(有些>奇怪>依赖性没有包装在我平台的选择)。所以我> >“嘿,让我们找到一个集装箱码头工人!”,幸运的是有几个:> > > >https://github.com/5t111111/docker-pocketmine->议员/团/主/ Dockerfile > > > >你会注意它的线:> > > >运行cd PocketMine-MP & & wget - q - o - >http://cdn.pocketmine.net/installer.sh| bash - s -β- v > > > >这是一个幻想的方式说“去>http://cdn.pocketmine.net/installer.sh并运行它”幸运的是这是由早先>略>减轻用户pocketmine > > > > > > > >声明这意味着该命令运行作为一个用户,而不是根。> > > github的快速搜索显示:> > > > >https://github.com/search?utf8=%E2%9C%93&q=RUN + bash + wget + + http&ty>体育= Code&ref = searchresults > > > >,例如显示:> > > >https://github.com/wyvernnot/docker-minecraft-pe->服务器/团/主/ Dockerfile > > > >不降级到用户,而是运行脚本作为> >根。所以>点我们在沙地上画一条线为“下载随机的东西和>运行>”作为CVE值得吗?我的想法:> > > >让它少CVE值得:> > > > 1)文档提及这是做什么,这是危险的> > 2)下调少特权用户> > 3)使用HTTPS服务内容> > 4)使用一个众所周知/信任网站服务内容> > > > > >更CVE值得:> > > > 1)没有文档/提到它是做什么> > 2)以特权用户身份运行命令(如根)> > 3)使用HTTP下载内容(和没有端到端> >签署/支票)> > 4)使用基本随机服务器没有人听说过> > 5)广泛应用(例如集装箱在码头工人> >注册表中)> > > >例如Dockerfile Nginx: > > > >https://github.com/nginxinc/docker-> nginx /团/ 11 fc019b2be3ad51ba5d097b1857a099c4056213 /主流/高山/ D > ockerfile > > > > TL;博士:他们GPG密钥指纹作为env变量> > Dockerfile: > > > > env GPG_KEYS B0F4253373F8F6F510D42178520A9993A1C052F8 > > > >他们后来下载键和使用它来验证nginx tarball > > >下载:> > > > & & GPG——keyserver ha.pool.sks-keyservers.net < > >http://ha.pool.sks-> keyservers.net >——recv-keys " $ GPG_KEYS " \ > > & & gpg——批量验证nginx.tar.gz。asc nginx.tar。广州\ > > > >所以他们肯定是想做正确的事(我需要这个> > >确认会在构建错误如果键不能使用/错>键>服务/ asc签名是坏的)假设它能够正常工作(一个> >错误触发码头工人建立中止)那么这显然是安全的,没有> > CVE需要。> > > >但大多数容器没有做这样的事情,即使是> >关闭,我>怀疑我们需要开始分配CVE看起来像很多流行> >容器Dockerfiles很没有安全感,他们如何构建软件。> > > > > > > > > > > > Kurt Seifried——红帽产品安全——云> > PGP A90B F995 7350 148 f 66高炉7554 160 d 4553 5 e26 7993 > >红帽产品安全联系:> secalert@redhat.com <mailto: secalert@redhat.com> > >