The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List - PowerPoint PPT Presentation

1
The Development of a Common Vulnerability
Enumeration Vulnerabilities and Exposures List
  • Steven M. Christey
  • David W. Baker
  • William H. Hill
  • David E. Mann
  • The MITRE Corporation

2
Outline
  • Description
  • Examples
  • Applications to IDS
  • Activities
  • Editorial Board

3
What is the CVE (Common Vulnerabilities and
Exposures List)?
  • A list of common information systems security
    problems (but CISSP was taken)
  • Vulnerabilities
      • Problems that are universally thought of as
        vulnerabilities in any security policy
      • Software flaws that could directly allow serious
        damage
      • phf, ToolTalk, Smurf, rpc.cmsd, etc.
  • Exposures
      • Problems that are sometimes thought of as
        vulnerabilities in some security policies
      • Stepping stones for a successful attack
      • Running finger, poor logging practices, etc.

4
CVE Goals
  • Enumerate all publicly known problems
  • Assign a standard, unique name to each problem
  • Exist independently of multiple perspectives
  • Be publicly open and shareable, without
    distribution restrictions

5
Why the CVE?
  • Provide common language for referring to problems
  • Facilitate data sharing between
      • IDSes
      • Assessment tools
      • Vulnerability databases
      • Academic research
      • Incident response teams
  • Foster better communication across the community
  • Get better tools that interoperate across
    multiple vendors

6
Sample CVE Entries

7
Sample CVE Mapping

8
CVE for IDS
  • Standard name for vulnerability-related attacks
  • Interoperability
  • Multi-vendor compatibility
  • Correlate with assessment tool results to reduce
    false positives
  • Share incident data
  • Consistency of reports
  • IDS comparisons
  • Accuracy, coverage, performance
  • Common attack list
  • DARPA CIDF and IETF IDWG

9
CVE from Vulnerability Assessment to IDS
  • [Diagram] Boxes: Tool 1, Popular Attacks, IDS, Tool 2
  • CVE name sets shown: CVE-1 CVE-2 CVE-3; CVE-1 CVE-3 CVE-4;
    CVE-1 CVE-2 CVE-3 CVE-4; Tool 2: CVE-3 CVE-4
  • Which tools test for these problems?
  • Do my systems have these problems?
  • Does my IDS have the signatures?
  • I can't detect exploits of CVE-2 - how well does
    Tool 1 check for it?

10
CVE from Attacks to Incident Recovery
  • [Diagram] I detected an attack on CVE-3. Did my
    assessment say my system has the problem?
  • Diagram labels: Public Databases, Advisories;
    CVE-2 CVE-3; CVE-1 CVE-2 CVE-3
  • YES
      • Clean up
      • Close the hole
      • Report the incident
  • NO
      • Don't send an alarm
      • But the attack succeeded!
      • Tell your vendor; go to YES
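
The correlation described on slides 9 and 10, as an added example that is not part of the original presentation. CVE-1 to CVE-4 are the deck's placeholder names; the host names, the findings, and which set belongs to which product are assumptions made for illustration.

```python
# Added example, not from the slides. CVE-1..CVE-4 are the deck's placeholder
# names; hosts, findings, and the set assigned to each product are constructed.
TOOLS = {"Tool 1": {"CVE-1", "CVE-2", "CVE-3"}, "Tool 2": {"CVE-3", "CVE-4"}}
IDS_SIGNATURES = {"CVE-1", "CVE-3", "CVE-4"}
POPULAR_ATTACKS = {"CVE-1", "CVE-2", "CVE-3", "CVE-4"}
# Assessment results: host -> CVE names the scan reported as present.
FINDINGS = {"web01": {"CVE-2", "CVE-3"}, "db01": set()}


def ids_blind_spots(attacks, ids_sigs, tools):
    """Slide 9: for each attack the IDS has no signature for, list the
    assessment tools that do test for it (the compensating control)."""
    return {cve: sorted(name for name, cov in tools.items() if cve in cov)
            for cve in sorted(attacks - ids_sigs)}


def triage(cve, host, findings, succeeded=False):
    """Slide 10: decide what to do with an IDS alert keyed by CVE name."""
    if host not in findings:
        # Not on the slide: with no assessment data there is nothing to
        # correlate against, so the alert is kept rather than suppressed.
        return "alarm: host never assessed"
    if cve in findings[host]:
        return "alarm: clean up, close the hole, report the incident"
    if succeeded:
        # NO branch, but the attack worked: the assessment tool missed it.
        return "alarm: tell your vendor, then handle as YES"
    return "no alarm"


if __name__ == "__main__":
    print(ids_blind_spots(POPULAR_ATTACKS, IDS_SIGNATURES, TOOLS))
    for cve, host, ok in [("CVE-3", "web01", False), ("CVE-3", "db01", False),
                          ("CVE-3", "db01", True), ("CVE-1", "mail01", False)]:
        print(cve, host, "->", triage(cve, host, FINDINGS, succeeded=ok))
```
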
11
CVE Timeline
  • "Towards a Common Enumeration of
    Vulnerabilities," 2nd CERIAS Workshop on
    Vulnerability Databases (January 1999)
  • Initial creation of Draft CVE (Feb-April 1999)
      • 663 vulnerabilities
      • Data derived from security tools, hacker sites,
        advisories
  • Formation of Editorial Board (April-May 1999)
  • Validation of Draft CVE (May-Sept 1999)
  • Creation of validation process (May-Sept 1999)
  • Discussion of high-level CVE content (July-Sept
    1999)
  • Public release (Real Soon Now)

12
The CVE Editorial Board
  • Experts from more than 15 security-related
    organizations
  • Researchers, security tool vendors, mailing list
    moderators, vulnerability database owners,
    response teams, system administrators, security
    analysts
  • Mailing list discussions
      • Validation and voting for individual CVE entries
      • High-level content decisions
  • Meetings
      • Face-to-Face
      • Teleconference
  • Membership on an as-needed or as-recommended
    basis

13
Bringing New Entries into the CVE
  • Assignment
      • Candidate number CAN-1999-XXXX to distinguish
        from validated CVE entry
      • Candidate Numbering Authority (CNA) reduces
        noise
  • Proposal
      • Announcement and discussion
      • Voting: Accept, Modify, Reject, Recast, Reviewing
  • Modification
  • Interim Decision
  • Final Decision
      • CVE name(s) assigned if candidate is accepted
  • Publication