CVE - Semantic Scholar

1

3rd International Conference on COTS-Based Software Systems

Managing Vulnerabilities in Your Commercial-off-the-shelf (COTS) Systems Using an Industry Standards Effort (CVE)

Robert A. Martin [email protected] The MITRE Corporation 2 February 2004 The views expressed in this presentation are those of the authors and do not necessarily reflect the policies or position of The MITRE Corporation. Editorial graphics © 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003 Martin, used with permission. © 2003 The MITRE Corporation

2

Outline Background and Motivation The Vulnerability Babel Problem & A Solution Implementing CVE The Editorial Board and Advisory Council CVE Compatibility – Changing the Information Security Industry 0 Summary 0 0 0 0 0

3

Software problems with security implications are referred to as Vulnerabilities or Exposures 0 Vulnerabilities are security related software problems that could

directly allow serious damage 0 Examples: – phf, ToolTalk, Smurf, rpc.cmsd, etc. – Oracle XSQL servlet 1.0.3.0 and earlier allows remote attackers to execute arbitrary Java code by redirecting the XSQL server to another source via the xml-stylesheet parameter in the xslt stylesheet. [9 Jan 01 Georgi Guninski] 0 Exposures are security related software problems that could be

used as stepping stones for a successful attack 0 Examples: – Running finger, poor logging practices, etc.

4

Top Ten Vulnerability Types in CVE .

(covering 2361 of 3933* CVE issues publicized between 1 Jan 2000-13 Feb 2003 inclusive)

Buffer Overflow

872

Directory Traversal - dot dot268 DOS by malformed input240 176 Metachar Shell cmds 145 Cross-site Scripting

Unprotected Privileged 143 Op's 141 Symbolic Link Following 129 Information Leak 128 Cryptographic error

Format String119 * The “Types” of Other and Unknown represent 831vulnerabilities

5

Vulnerabilities Have Been Found in Almost Every Type of Software There Is Mail Servers 1st Up Mail Server All-Mail ALMail32 Avirt Mail Server Becky! Internet Mail CWMail Domino Mail Server Exchange Server Hotmail Internet Anywhere Mail Server ITHouse Mail Server Microsoft Exchange Pegasus Mail Sendmail Development Tools ActivePerl ClearCase ColdFusion CVS Flash Frontpage GNU Emacs JRun WebLogic Server Visual Basic Firewalls Firewall-1 Gauntlet Firewall PIX Firewall Raptor Firewall SOHO Firewall

Web servers & tools Apache Domino HTTP Server IIS NCSA Web Server WebTrends Log Analyzer Internet AFS Apache BIND CGI Cron IMAP Routers 3220-H DSL Router 650-ST ISDN Router Ascend Routers Cisco Routers R-series routers Network Applications AllCommerce Calendar Server BackOffice Meeting Maker NetMeeting DBMSs Access DB2 Universal Database FileMaker Pro MSQL Oracle

Desktop Applications Acrobat Clip Art Excel FrameMaker Internet Explorer Napster client Notes Client Novell client Office Outlook PowerPoint Project Quake R5 Client StarOffice Timbuktu Pro Word Works Workshop Security Software ACE/Server BlackICE Certificate Server CProxy Server DiskGuard ETrust Intrusion Detection GateKeeper InterScan VirusWall Kerberos 5 Norton AntiVirus PGP Server SiteMinder Tripwire

Operating Systems AIX BeOS BSD/OS DG/UX FreeBSD HP-UX IRIX Linux MacOS Runtime for Java Mandrake Linux MPE/iX NetWare OpenBSD Palm OS Red Hat Security-Enhanced Linux Solaris SunOS Ultrix Windows 2000 Windows 95 Windows 98 Windows ME Windows NT Windows XP Others Ethernet Device Drivers Cajun P550 Series Firmware GNAT Box Firmware IC9 Print Server Firmware VoIP Phone CP-7960 VPN 3000 Concentrator ZIP 100 MB Drive Sample of Vulnerabilities Announced in 1999- 2002

6

Many Motivations for Getting on top of Vulnerabilities http://www.theregister.co.uk/content/53/24244.html http://www.cert.org/advisories/CA-2003-04.html based on 2002 actual reported incidents

http://www.baselinemag.com/article/0,3658,s=1867&a=23195,00.asp

http://www.eweek.com/article/0,3658,s=701&a=23193,00.asp

7

Outline Background and Motivation The Vulnerability Babel Problem & A Solution Implementing CVE The Editorial Board and Advisory Council CVE Compatibility – Changing the Information Security Industry 0 Summary 0 0 0 0 0

8

Difficult to Integrate Information on Vulnerabilities and Exposures Security Advisories

Priority Lists

? Vulnerability Scanners

? Research

? ? ? ?

? ?

?? ?? ?? ? ? ? ? ? ? ?? ? ?? ?? ?? ?? ?? ? ? ? ? ? ? Vulnerability Web Sites & Databases

Software Vendor Patches

Intrusion Detection Systems

?? Incident Response & Reporting

9

Finding and sharing vulnerability information has The adoption of CVE Names by the Security been difficult: isThe Same Problem, Different Names Community starting to address this problem O rganization N am e

CERT C yberSafe ISS AXENT B ugtraq B indV iew C isco IB M E R S C E R IA S NAI

C A -96.06.cgi_exam ple_code N etw ork: H T T P ‘phf’ A ttack http-cgi-phf phf C G I allow s rem o te co m m and execution P H F A ttacks – F un and gam es for the w hole fam ily #107 – cgi-phf #3200 – W W W phf attack V ulnerability in N C S A /A pache E xam ple C ode http_escshellcm d #10004 - W W W phf check

Along with newcaused rule, “Whoever finds it, gets finds a CVEit,name Which hasthe been by the rule, “Whoever namesforit”it”

10

The CVE List provides a path for integrating information on Vulnerabilities and Exposures Security Advisories

Priority Lists

Vulnerability Scanners

Software Vendor Patches

1999-0067

Intrusion Detection Systems

Incident Response & Reporting

Research

Vulnerability Web Sites & Databases

11

FBI/SANS Institute 2001, 2002 & 2003 Top Twenty use CVEs …one part of bringing CVE to policy

Unix

CVE-names Windows

Notes For Readers: CVE Numbers

You’ll find references to CVE (Common Vulnerabilities and Exposures) numbers accompanying each vulnerability. You may also see CAN numbers. CAN numbers are candidates for CVE entries that are not yet fully verified. For more data on the award-winning CVE project, see http://cve.mitre.org.

http://www.sans.org/top20/

12

Outline: Background and Motivation The Vulnerability Babel Problem & A Solution Implementing CVE The Editorial Board and Advisory Council CVE Compatibility – Changing the Information Security Industry 0 Summary 0 0 0 0 0

13

The Common Vulnerabilities and Exposures (CVE) Initiative by MITRE focused on developing a list that provides common names for publicly known information security vulnerabilities and exposures. 0 Key tenets – One name for one vulnerability or exposure – One standardized description for each vulnerability or exposure – Existence as a dictionary rather than a database – Publicly accessible for review or download from the Internet – Industry participation in open forum (editorial board) 0 The CVE list and information about the CVE effort are available on the CVE web site at [cve.mitre.org]

64 49 ~1 u 5 0 ni - 5 qu 00 e ne CV w En /m a on m th es

0 An international security community activity led

14

The CVE Strategy 4. Establish CVE in vendor fix-it sites and update mechanisms

Commercial S/W Products

Unreviewed

Update and Fix Sites & Update Mechanisms

Bugtraqs, Mailing lists, Hacker sites

Discovery

Policy

Reviewed Advisories CERT, CIAC, Vendor advisories

1. Inject Candidate numbers into advisories

Security Products Scanners, Intrusion Detection, Vulnerability Databases

2. Establish CVE at security product level in order to ...

time

Methodologies Purchasing Requirements Education

3. … enable CVE to permeate the policy level.

15

Where the CVE Items Come From

AXENT, BindView, Harris, Cisco, CERIAS

Vulnerability

Legacy Submissions ~ pre-1999

Hiverworld, SecurityFocus, ISS, NAI, Symantec, Nessus

Databases

Alerts & Advisories w/candidates 20–70 per/month

New Submissions 150–300 per/month

CVE Content Team

Zero Day Public Vulnerabilities

New Public Vulnerabilities

ISS, SecurityFocus, Neohapsis, NIPC CyberNotes

Items with Unique CVE Names

~6449 Yes

Yes

Yes

Editorial Board

16

CVE Growth Unique CVE Names

Status (as of January 8, 2004)

• 6449 unique CVE names

17

Many organizations are reserving CVE names and using them in their alerts and advisories

(as of 1 October 2003)

To-date, CVE names have been included in 1096 advisories from: • ISS X-Force • Rain Forest Puppy • BindView • CERT/CC • COMPAQ • Ernst & Young • CISCO • NSFOCUS • VIGILANTe.com • SecurityFocus • Caldera • EnGarde Secure Linux • Mandrake Linux • Foundstone • iDEFENSE • Symantec • Beyond Security Ltd • Digital Defense Inc. • The OpenPKG Project • The FreeBSD Project

• IBM • @stake • NAI • SGI • Microsoft • eEye • Rapid 7 • Sanctum • Corsaire • Red Hat • Cert-IST • Alcatel • Debian • Apple • HP • DHS/NIPC • KDE e. V. • Core-ST • Gentoo Linux

http://www.redhat.com/support/errata/RHSA-2001-150.html

assigned CVE Name 2001-0869 to this issue.

18


19

CVE Editorial Board 0 Includes mostly technical

0 0 0 0

representatives from 35 different organizations including researchers, tool vendors, response teams, and end users Reviews and approves CVE entries Discusses issues related to CVE maintenance Holds monthly meetings (face-to-face or phone) Maintains publicly viewable mailing list archives [cve.mitre.org/board/archives] [cve.mitre.org/board/boardmembers.html]

20

CVE Editorial Board

21

CVE Senior Advisory Council Objectives and Roles ...The CVE Council is established to ensure that the CVE program receives the sponsorship, including funding and guidance, required to maximize the effectiveness of this program ...

Council Roles 0 Act as a catalyst for CVE and related activities. 0 Assure funding for the core CVE activity over the

0 0 0 0 0

long term including outreach to Government organizations and agencies. Discuss community needs and possible new CVE services. Promote the adoption of CVE at the strategic level. Business planning & prioritization. Discuss CVE and related security policy implications for the Federal Government. Identify CVE related materials & resources for use by Government CIOs and senior managers.

22

CVE Senior Advisory Council Members Co-Chairs: 0 John Gilligan, CIO of the USAF, and Co-chair of the

Architecture/Interoperability Committee of the CIO Council 0 Sallie McDonald, Department of Homeland Security (DHS) Director of Outreach for Infrastructure Protection

0 0 0 0 0 0 0 0

Participating Organizations 0 Internal Revenue Service Dept. of Health and Human Services National Institute of Stds and Technology 0 Dept. of the Treasury 0 Dept. of Energy Critical Infrastructure Assurance Office National Infrastructure Protection Center 0 Dept. of Labor 0 Dept. of Homeland Security Office of Management and Budget 0 National Security Agency Defense Information Systems Agency 0 Air Force National Aeronautics and Space Admin. 0 Intelligence Community Assisstant Secretary of Defense/C3I

U.S. Department of Health and Human Services

23


24

What does CVE-compatible mean? … How do I become CVE-compatible? 0 CVE-compatible means that a tool, database, web site, or security service

can “speak CVE” and correlate data with other CVE-compatible items 0 CVE-compatible means it meets the following requirements:

– Can find items by CVE name (CVE searchable) – Includes CVE name in output for each item (CVE output) – Explains the CVE functionality in their item’s documentation (CVE documentation) – Provides MITRE with “vulnerability” item mappings to validate the accuracy of the product or services CVE entries – Makes a good faith effort to keep mappings accurate

[cve.mitre.org/compatible/process.html] [cve.mitre.org/compatible/requirements.html]

25

Examples of CVE-compatible items: The ICAT Metabase 08.13.01 Government Computer News

CVE-names

http://icat.nist.gov

26

Timeline of CVE Compatibility Declarations (as of 13 January 2004)

97

143

39

Now at 143 products and services from 97 organizations

27

Where CVE-compatible Items Have Come From and Where the New Ones Are Coming From +4, 14

+6

+4, 5

7 Organizations, 12 Items

2 Organization, 2 Items


+2, 2 +1, 1

+4, 14 4 Organizations, 5 Items

+29, 59

1 Organization, 1 Item

+1, 1




+1, 7 +3, 3

+1, 2



+1, 5 2 Organizations, 2 Items


+1, 1 1 Organization, 2 Items 1 Organization, 2 Items

+2, 2



• 143 CVE-compatible products from 97 groups. • 128 more from these and 60 others in “the works”.

+1, 1 +1, 1


(as of 12 January 2004)

28

With 2 Phases - A capability owner can: (a) Declare Intent (b) Declare Support for CVE Output (c) Declare Support for CVE Searchability (d) Declare both (e) Declare full compatibility by Submitting Compatibility Questionnaire (f) Submit Repository for evaluation of Mapping Accuracy

15 20 90 183 15

29

CVE compatibility provides a path for integrating information on Vulnerabilities and Exposures

CVE compatibility means that a tool or database can “speak CVE” and correlate data with other CVE-compatible products.

30

DoD 8500.2 IA Implementation Instruction gives preference to products supporting CVE & OVAL

Mission Assurance Category III Mission Assurance Category II Mission Assurance Category I

The following appears for all three Mission Assurance Categories of DOD systems:

VIVM-1 Vulnerability Management: A comprehensive vulnerability management process … automated vulnerability assessment or state management tools … regular internal and external assessments are conducted … For improved interoperability, preference is given to tools that express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and use the Open Vulnerability Assessment Language (OVAL) to test for the presence of vulnerabilities.

http://www.nstissc.gov/html/library.htm

31

National Institute of Standards and Technology (NIST): Policy on the Use of CVE and CVE-Compatible products

.

Federal departments and agencies should… 1. give substantial consideration to the acquisition and use of security-related IT products and services that are compatible with the CVE naming scheme. 2. periodically monitor their systems for applicable vulnerabilities listed in the CVE naming scheme. 3. use the CVE vulnerability naming scheme in their descriptions and communications of vulnerabilities

32

Example: CVE helping to make Detailed Product Comparisons

Tables from Network Computing Article “To Catch a THIEF” (8/20/2001)

Network Computing Article “Vulnerability Assessment Scanners” (1/8/2001)

33

CVE is Even Being Used to to Compare and Contrast products … or the vulnerabilities they do or don’t find...

Tables from Network Computing Article “To Catch a THIEF” (8/20/2001)

by talking about the vulnerabilities they do or do not have...

Ad from SC Magazine (April 2002)

34


35

The CVE Strategy: Where are we? 4. Establish CVE in vendor fix-it sites and update mechanisms

Unreviewed Bugtraqs, Mailing lists, Hacker sites

• Adding CVE names broached with 14 groups.

Commercial S/W Products Update and Fix Sites & Update Mechanisms

Discovery Reviewed Advisories CERT, CIAC, Vendor advisories

(as of 12 January 2004)

Policy Security Products Scanners, Intrusion Detection, Vulnerability Databases

1. Inject CVE Names into advisories CVE names have been included in advisories from ISS X-Force, IBM, 2. Establish CVE at security Rain Forest Puppy, @stake, Microsoft, product level in order to ... BindView, NAI, CERT/CC, SGI, eEye, COMPAQ, Ernst & Young, CISCO, • 6449 Unique CVE Rapid 7, NSFOCUS, Sanctum, Alcatel, EnGarde Secure Linux, Caldera, Red Names. Hat, SecurityFocus, VIGILANTe.com, Cert-IST, Mandrake Linux, Debian, • 143 CVE-compatible Foundstone, Apple, iDEFENSE, HP, Symantec, DHS/NIPC, KDE e. V., products from 97 groups. Beyond Security Ltd, Digital Defense Inc., Core-ST, The OpenPKG Project, • 128 more from these and Corsaire, The FreeBSD Project, 60 others in “the works”. Gentoo Linux.

time

Methodologies Purchasing Requirements Education

3. … enable CVE to permeate the policy level.

• SANS / FBI Top 20 uses CVE names • Network Computing IDS & Scanner Comparisons included CVE • NIST Rec. 800-51calls for use of CVE • DoD 8500.2 calls for CVE compatibility • Network World IDS Comparison included CVE coverage

36

CVE email Lists Have an International Readership 27 April 2003

Representing ~ 4000 registered email subscribers - 51 to 212 registered (17 countries & 7 states) - 11 to 50 registered (25 countries & 13 states) - 1 to 10 registered (50 countries & 29 states)

37

CVE is even getting used by Hackers ! Some hackers are now supplying CVE names for the vulnerabilities that they find in the sites they hack into.

38

For More Information

S CVE web site

http://cve.mitre.org CONTACT INFO Robert A. Martin 781-271-3001 [email protected]