|
|
Subscribe / Log in / New account

Security

A new process for CVE assignment

By Jake Edge
March 8, 2017

In early February, the Common Vulnerabilities and Exposures (CVE) assignment team posted about some changes to the process of getting an ID for an open-source project to the oss-security mailing list. CVE IDs (or just "CVEs") are the standard identifier used for security vulnerabilities and the system has been run by the MITRE Corporation since its inception in 1999. Open-source projects have been getting their CVE IDs by way of the oss-security mailing list for a while now, but that is changing. A new web-based system has been created, but there are still a few wrinkles to iron out in the process.

The basic idea is for CVE requesters to use the new web form, which provides a way to submit a vulnerability description that can more quickly be added to the CVE database. That will help avoid the common, but completely useless ** RESERVED ** entry in the database for an already public vulnerability. As the posting put it:

To more efficiently assign and publish CVE IDs and to enable automation and data sharing within CVE operations, MITRE is changing the way it accepts CVE ID requests on the oss-security mailing list. Starting today, please direct CVE ID requests to this web form <https://cveform.mitre.org/>. Through this form, you can request a new CVE ID, update a CVE ID that was already assigned, and submit questions or feedback to the CVE Team.

[...] When you enter a vulnerability description on the web form, the CVE and description will typically be available on the NVD and CVE web sites at the same time or shortly after we email the CVE ID to you.

But Simon McVittie was concerned that the web form is not particularly well-suited for open-source projects. It is geared toward products from known vendors, rather than projects that are distributed by multiple "vendors":

For open source it seems impractical: for instance, I'm a maintainer of both D-Bus and ikiwiki, neither of which has any particular allegiance to any larger legal entity than the individual maintainers.

Once released, D-Bus is later packaged by Debian, Red Hat, etc., and ikiwiki is packaged in at least Debian and Fedora; but they are not the people issuing releases and do not have any special authority over the upstream project, so there's no particular reason why the upstream maintainers should say that any particular OS distribution is "our vendor".

Or do you expect the upstream maintainers of open source software that is packaged by at least one major distribution to choose one of those distributions arbitrarily, and claim they are the vendor for the purposes of your web form? If so, please make that more clear.

McVittie's complaint was echoed by others, but another concern was raised: oss-security is seen as the place to go for "a reasonably comprehensive and timely list of vulnerabilities for specific products", as Reid Priedhorsky put it. Kurt H. Maier concurred, saying that he would prefer "an alternate solution in place before the CVE system disappears behind an inscrutable web form". The worry is that the mailing list will no longer carry all of the useful information that it currently has. Beyond that, Debian security team member Moritz Muehlenhoff is worried that adding friction to the process of getting a CVE will result in fewer CVEs being requested:

Having CVEs assigned is of lesser importance, this was never primarily why we posted security vulnerabilities here. Obtaining CVE IDs caused little overhead on our side, but if that changes (and the announced changes sound like that), then there will simply be less CVE coverage I'm afraid.

Problems with the CVE system have been apparent for some time. Almost exactly a year ago, LWN looked at the problem. At the time, the Distributed Weakness Filing (DWF) project had just been announced by Kurt Seifried. DWF is meant to assist projects in getting CVE IDs, without needing to be affiliated with some larger product or vendor. In response to some complaints that MITRE's interests do not align well with the open-source world, Adam Caudill pointed out that DWF should neatly help solve many of the problems in the existing system:

Once it's completely up and running, DWF should address these issues. Researchers and organizations can easily become CNAs [CVE Numbering Authorities] under DWF, with assigned CVE blocks. For OSS, the process of getting a CVE (including pre-publication) should be much simpler than it has been, especially in recent years. It's not quite there yet, but Kurt [Seifried] and team have put a lot of effort into laying the groundwork for a much better solution than the ad-hoc "send an email and hope" process that we've become accustomed to.

The old system was far from perfect, as is the interim MITRE web form - hopefully with the help of the community, DWF will be able to provide a better process for all involved. For OSS, DWF is the solution we need to be focused on, and helping it to evolve to suit the needs of everyone.

The CVE assignment team responded to the concerns that were brought up. It is clear that the team expects DWF to step up reasonably soon to manage CVEs and CNAs for open-source projects; the message pointed to some DWF documentation that describes how that will work. MITRE is also amenable to automatically posting the CVE assignments that it makes as a result of the web-form submissions to the oss-security list, which should help those using the list to track vulnerabilities. The team had envisioned that reporters would resend the assignment information to oss-security (and provided an example of that happening), but believes it can automate the process.

There may still be places where improvements are needed, though. There have been occurrences where CVE requests posted to the list were not given a CVE, but were still made public on the list. The web-based process could end up obscuring those reports, as Guido Berhoerster pointed out:

One significant advantage of monitoring this list was that requests were immediately visible and there are sometimes significant delays between a CVE request and the response from MITRE. Or in some cases requests were rejected with a rationale or did not receive a response at all -- with the web form such cases will now just disappear in a black hole.

There was fairly widespread support for automatically posting the CVE assignments (or even the raw form data from public vulnerabilities) to oss-security or another list. Alexander Peslyak (better known as "Solar Designer") suggested that MITRE should implement that, and various others in the thread agreed. Evidently, there are still some internal debates going on at MITRE about how to make that happen. The assignment team posted an update on that in mid-February. There is a concern that information about non-public vulnerabilities would need to be weeded out, so for now the status quo remains:

In general, there's a common case (the requester only provides a basic technical outline of the vulnerability and the commit URL) where implementation is easy. There are several corner cases where implementation is hard. The simple solution is to always ask the requester to make their own (correctly threaded) oss-security post that contains any or all of the response from MITRE. Until we have a better understanding of why that simple solution is incorrect, we are continuing to go with that simple solution.

The main benefit to the new assignment mechanism is in the reduction or even elimination of "RESERVED" entries for already public vulnerabilities that have been assigned CVEs. These are quite common today, so reducing those and replacing them with real information about the flaw is certainly to be welcomed. Once DWF comes fully on-line, it will likely make things even easier. But it appears that open-source security folks are not willing to let go of their oss-security forum and the vulnerability information it currently contains. It may take some tedious resending to make it all happen, but it seems like that will still be done.

Comments (2 posted)

Brief items

Security quotes of the week

Seriously your phone is like eleven billion times easier to infect than your TV is and you carry it everywhere. If the CIA want to spy on you, they'll do it via your phone. If you're paranoid enough to take the battery out of your phone before certain conversations, don't have those conversations in front of a TV with a microphone in it. But, uh, it's actually worse than that.

These days audio hardware usually consists of a very generic codec containing a bunch of digital→analogue converters, some analogue→digital converters and a bunch of io pins that can basically be wired up in arbitrary ways. Hardcoding the roles of these pins makes board layout more annoying and some people want more inputs than outputs and some people vice versa, so it's not uncommon for it to be possible to reconfigure an input as an output or vice versa. From software.

Anyone who's ever plugged a microphone into a speaker jack probably knows where I'm going with this. An attacker can "turn off" your TV, reconfigure the internal speaker output as an input and listen to you on your "microphoneless" TV. Have a nice day, and stop telling people that putting glue in their laptop microphone is any use unless you're telling them to disconnect the internal speakers as well.

Matthew Garrett

[...] there is a simple solution to the entire "smart TV as bug" category of concerns — don't buy those TVs, and if you have one, don't connect it to the Internet directly.

Don't associate it with your Wi-Fi network — don't plug it into your Ethernet.

Lauren Weinstein

In this paper, we demonstrate fine-grained software-based side-channel attacks from a malicious SGX [Software Guard Extensions] enclave targeting co-located enclaves. Our attack is the first malware running on real SGX hardware, abusing SGX protection features to conceal itself. Furthermore, we demonstrate our attack both in a native environment and across multiple Docker containers. We perform a Prime+Probe cache side-channel attack on a co-located SGX enclave running an up-to-date RSA implementation that uses a constant-time multiplication primitive. The attack works although in SGX enclaves there are no timers, no large pages, no physical addresses, and no shared memory. In a semi-synchronous attack, we extract 96% of an RSA private key from a single trace. We extract the full RSA private key in an automated attack from 11 traces within 5 minutes.
Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice, and Stefan Mangard

Comments (11 posted)

How Threat Modeling Helps Discover Security Vulnerabilities (Red Hat Security Blog)

Over at the Red Hat Security Blog, Hooman Broujerdi looks at threat modeling as a tool to help create more secure software. "Threat modeling is a systematic approach for developing resilient software. It identifies the security objective of the software, threats to it, and vulnerabilities in the application being developed. It will also provide insight into an attacker's perspective by looking into some of the entry and exit points that attackers are looking for in order to exploit the software. [...] Although threat modeling appears to have proven useful for eliminating security vulnerabilities, it seems to have added a challenge to the overall process due to the gap between security engineers and software developers. Because security engineers are usually not involved in the design and development of the software, it often becomes a time consuming effort to embark on brainstorming sessions with other engineers to understand the specific behavior, and define all system components of the software specifically as the application gets complex. [...] While it is important to model threats to a software application in the project life cycle, it is particularly important to threat model legacy software because there's a high chance that the software was originally developed without threat models and security in mind. This is a real challenge as legacy software tends to lack detailed documentation. This, specifically, is the case with open source projects where a lot of people contribute, adding notes and documents, but they may not be organized; consequently making threat modeling a difficult task."

Comments (none posted)

Security updates

Alert summary March 2, 2017 to March 8, 2017

Dist. ID Release Package Date
Arch Linux ASA-201703-1 curl 2017-03-03
CentOS CESA-2017:0388 C7 ipa 2017-03-03
CentOS CESA-2017:0386 C7 kernel 2017-03-06
CentOS CESA-2017:0396 C7 qemu-kvm 2017-03-03
Debian DLA-848-1 LTS freetype 2017-03-07
Debian DSA-3799-1 stable imagemagick 2017-03-01
Debian DSA-3800-1 stable libquicktime 2017-03-02
Debian DLA-846-1 LTS libzip-ruby 2017-03-06
Debian DLA-836-2 LTS munin 2017-03-03
Debian DSA-3794-2 stable munin 2017-03-02
Debian DSA-3794-3 stable munin 2017-03-03
Debian DLA-845-1 LTS qemu 2017-03-01
Debian DSA-3801-1 stable ruby-zip 2017-03-04
Debian DLA-847-1 LTS texlive-base 2017-03-08
Debian DSA-3803-1 stable texlive-base 2017-03-08
Debian DSA-3802-1 stable zabbix 2017-03-05
Fedora FEDORA-2017-d0c9bf9508 F24 bind99 2017-03-05
Fedora FEDORA-2017-96b7f4f53e F25 bind99 2017-03-05
Fedora FEDORA-2017-a513be0939 F24 cacti 2017-03-08
Fedora FEDORA-2017-8b0737b093 F25 cacti 2017-03-07
Fedora FEDORA-2017-b9ffa8b00f F25 canl-c 2017-03-07
Fedora FEDORA-2017-d62c8f91e4 F25 cxf 2017-03-02
Fedora FEDORA-2017-cc7249b821 F24 drupal7-metatag 2017-03-08
Fedora FEDORA-2017-c87bbae385 F25 drupal7-metatag 2017-03-08
Fedora FEDORA-2017-98f85533f0 F25 freeipa 2017-03-08
Fedora FEDORA-2017-a9e6a5c249 F24 gtk-vnc 2017-03-05
Fedora FEDORA-2016-93679a91df F24 jenkins 2017-03-05
Fedora FEDORA-2016-93679a91df F24 jenkins-remoting 2017-03-05
Fedora FEDORA-2017-53338ece0c F25 kdelibs 2017-03-05
Fedora FEDORA-2017-ad67543fc5 F24 kernel 2017-03-03
Fedora FEDORA-2017-d875ae8299 F25 kernel 2017-03-03
Fedora FEDORA-2017-f9ab92fa6c F25 kf5-kio 2017-03-05
Fedora FEDORA-2017-d068b54614 F24 libICE 2017-03-05
Fedora FEDORA-2017-c02eb668a7 F25 libICE 2017-03-03
Fedora FEDORA-2017-bcb1999e65 F24 libXdmcp 2017-03-05
Fedora FEDORA-2017-9a9328c159 F25 libXdmcp 2017-03-03
Fedora FEDORA-2017-5a6ed9d326 F25 libcacard 2017-03-03
Fedora FEDORA-2017-404f1a29fc F24 mingw-gtk-vnc 2017-03-08
Fedora FEDORA-2017-c3739273e5 F25 mingw-gtk-vnc 2017-03-08
Fedora FEDORA-2017-9a819664a6 F25 mupdf 2017-03-07
Fedora FEDORA-2017-fa4e441e03 F24 netpbm 2017-03-02
Fedora FEDORA-2017-f9f3a78148 F24 suricata 2017-03-08
Fedora FEDORA-2017-f3aac83a8f F25 suricata 2017-03-08
Fedora FEDORA-2017-e9171a0c00 F24 vim 2017-03-03
Fedora FEDORA-2017-8494d0142c F25 vim 2017-03-02
Fedora FEDORA-2017-1607a3a78e F24 xen 2017-03-08
Fedora FEDORA-2017-05e32fe278 F24 xrdp 2017-03-03
Mageia MGASA-2017-0070 5 ming 2017-03-03
Mageia MGASA-2017-0071 5 quagga 2017-03-03
Mageia MGASA-2017-0072 5 util-linux 2017-03-03
Mageia MGASA-2017-0069 5 webkit2 2017-03-02
openSUSE openSUSE-SU-2017:0587-1 42.1 42.2 ImageMagick 2017-03-02
openSUSE openSUSE-SU-2017:0620-1 42.1 42.2 bind 2017-03-07
openSUSE openSUSE-SU-2017:0621-1 42.1 42.2 munin 2017-03-07
openSUSE openSUSE-SU-2017:0618-1 42.2 mysql-community-server 2017-03-07
openSUSE openSUSE-SU-2017:0598-1 42.1 42.2 php5 2017-03-03
openSUSE openSUSE-SU-2017:0588-1 42.2 php7 2017-03-02
openSUSE openSUSE-SU-2017:0590-1 42.1 util-linux 2017-03-02
openSUSE openSUSE-SU-2017:0589-1 42.2 util-linux 2017-03-02
Oracle ELSA-2017-0388 OL7 ipa 2017-03-02
Oracle ELSA-2017-0386 OL7 kernel 2017-03-02
Oracle ELSA-2017-0386-1 OL7 kernel 2017-03-03
Oracle ELSA-2017-0454 OL5 kvm 2017-03-07
Oracle ELSA-2017-0396 OL7 qemu-kvm 2017-03-02
Red Hat RHSA-2017:0448-01 OSCP ansible and openshift-ansible 2017-03-06
Red Hat RHSA-2017:0388-01 EL7 ipa 2017-03-02
Red Hat RHSA-2017:0462-01 EL6 EL7 java-1.8.0-ibm 2017-03-08
Red Hat RHSA-2017:0365-01 EL6.2 kernel 2017-03-01
Red Hat RHSA-2017:0366-01 EL6.5 kernel 2017-03-01
Red Hat RHSA-2017:0386-01 EL7 kernel 2017-03-02
Red Hat RHSA-2017:0403-01 EL7.1 kernel 2017-03-02
Red Hat RHSA-2017:0387-01 EL7 kernel-rt 2017-03-02
Red Hat RHSA-2017:0402-01 MRG/EL6 kernel-rt 2017-03-02
Red Hat RHSA-2017:0454-01 EL5 kvm 2017-03-07
Red Hat RHSA-2017:0361-01 OSP8.0 openstack-puppet-modules 2017-03-01
Red Hat RHSA-2017:0359-01 OSP9.0 openstack-puppet-modules 2017-03-01
Red Hat RHSA-2017:0435-01 OSP9.0 python-oslo-middleware 2017-03-02
Red Hat RHSA-2017:0396-01 EL7 qemu-kvm 2017-03-02
Red Hat RHSA-2017:0444-02 Atomic Host 7 rpm-ostree and rpm-ostree-client 2017-03-03
Scientific Linux SLSA-2017:0388-1 SL7 ipa 2017-03-02
Scientific Linux SLSA-2017:0386-1 SL7 kernel 2017-03-02
Scientific Linux SLSA-2017:0454-1 SL5 kvm 2017-03-07
Scientific Linux SLSA-2017:0396-1 SL7 qemu-kvm 2017-03-02
Slackware SSA:2017-066-01 firefox 2017-03-07
Slackware SSA:2017-066-02 thunderbird 2017-03-07
SUSE SUSE-SU-2017:0625-1 SLE12 qemu 2017-03-07
Ubuntu USN-3216-1 12.04 14.04 16.04 16.10 firefox 2017-03-08
Ubuntu USN-3222-1 12.04 14.04 16.04 16.10 imagemagick 2017-03-08
Ubuntu USN-3219-1 14.04 kernel 2017-03-07
Ubuntu USN-3220-1 16.04 linux, linux-gke, linux-raspi2, linux-snapdragon 2017-03-07
Ubuntu USN-3221-1 16.10 linux, linux-raspi2 2017-03-07
Ubuntu USN-3218-1 12.04 linux, linux-ti-omap4 2017-03-07
Ubuntu USN-3221-2 16.04 linux-hwe 2017-03-07
Ubuntu USN-3219-2 12.04 linux-lts-trusty 2017-03-07
Ubuntu USN-3220-2 14.04 linux-lts-xenial 2017-03-07
Ubuntu USN-3215-1 14.04 munin 2017-03-02
Ubuntu USN-3215-2 14.04 munin 2017-03-03
Ubuntu USN-3217-1 12.04 14.04 16.04 16.10 network-manager-applet 2017-03-07
Ubuntu USN-3211-2 16.04 16.10 php7 2017-03-02
Ubuntu USN-3214-1 12.04 14.04 w3m 2017-03-02
Full Story (comments: none)

Page editor: Jake Edge
Next page: Kernel development>>


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds