Title: The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List
1. The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List
- Steven M. Christey
- David W. Baker
- William H. Hill
- David E. Mann
- The MITRE Corporation
2. Outline
- Description
- Examples
- Applications to IDS
- Activities
- Editorial Board
3. What is the CVE (Common Vulnerabilities and Exposures List)?
- A list of common information systems security problems (but CISSP was taken)
- Vulnerabilities
  - Problems that are universally thought of as vulnerabilities in any security policy
  - Software flaws that could directly allow serious damage
    - phf, ToolTalk, Smurf, rpc.cmsd, etc.
- Exposures
  - Problems that are sometimes thought of as vulnerabilities in some security policies
  - Stepping stones for a successful attack
    - Running finger, poor logging practices, etc.
4. CVE Goals
- Enumerate all publicly known problems
- Assign a standard, unique name to each problem
- Exist independently of multiple perspectives
- Be publicly open and shareable, without distribution restrictions
5. Why the CVE?
- Provide a common language for referring to problems
- Facilitate data sharing between
  - IDSes
  - Assessment tools
  - Vulnerability databases
  - Academic research
  - Incident response teams
- Foster better communication across the community
- Get better tools that interoperate across multiple vendors
6. Sample CVE Entries
7. Sample CVE Mapping
8. CVE for IDS
- Standard name for vulnerability-related attacks
- Interoperability
  - Multi-vendor compatibility
  - Correlate with assessment tool results to reduce false positives
  - Share incident data
  - Consistency of reports
- IDS comparisons
  - Accuracy, coverage, performance
  - Common attack list
  - DARPA CIDF and IETF IDWG
9. CVE from Vulnerability Assessment to IDS
[Diagram: boxes for Tool 1, Popular Attacks, IDS and Tool 2, each labelled with the CVE names it covers. The CVE sets shown are CVE-1 CVE-2 CVE-3; CVE-1 CVE-3 CVE-4; CVE-1 CVE-2 CVE-3 CVE-4; and CVE-3 CVE-4 (Tool 2). Questions on the slide: Which tools test for these problems? Do my systems have these problems? Does my IDS have the signatures?]
Callout: "I can't detect exploits of CVE-2 - how well does Tool 1 check for it?"
10. CVE from Attacks to Incident Recovery
[Diagram: flow starting from the question "I detected an attack on CVE-3. Did my assessment say my system has the problem?" The YES branch leads to Clean up, Close the hole and Report the incident, with Public Databases and Advisories boxes labelled CVE-2 CVE-3 and CVE-1 CVE-2 CVE-3. The NO branch leads to Don't send an alarm; "But the attack succeeded!" leads to Tell your vendor and Go to YES.]
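As an added example (not code from the MITRE slides), the correlation that slides 9 and 10 sketch, written out in Python: given the CVE names an IDS has signatures for, the names each assessment tool checks, and the list of popular attacks, find the detection gaps and decide the incident branch. The CVE-1..CVE-4 sets are taken from the diagram, but which box holds which set is an assumption made to match the callouts.

```python
import re

# Candidate names (CAN-1999-XXXX, slide 13) and validated names (CVE-YYYY-NNNN).
# The CVE-1 style names used in the diagrams are shorthand and will not match.
NAME_RE = re.compile(r"^(CAN|CVE)-\d{4}-\d{4,}$")


def is_cve_name(name):
    """True for a syntactically valid candidate (CAN-) or validated (CVE-) name."""
    return NAME_RE.match(name) is not None


def ids_gaps(popular, ids_signatures, tools):
    """Popular attacks the IDS has no signature for, mapped to the assessment
    tools that do test for them (slide 9: 'I can't detect exploits of CVE-2')."""
    missing = set(popular) - set(ids_signatures)
    return {cve: sorted(t for t, checks in tools.items() if cve in checks)
            for cve in sorted(missing)}


def untested(popular, tools):
    """Popular attacks that no assessment tool checks for at all."""
    checked = set().union(*tools.values())
    return sorted(set(popular) - checked)


def triage(detected_cve, assessment_findings):
    """Slide 10 branch: did the assessment say the system has the problem?"""
    if detected_cve in assessment_findings:
        return ["Clean up", "Close the hole", "Report the incident"]
    # NO branch; if the attack succeeded anyway, the tool missed it: tell your vendor.
    return ["Don't send an alarm"]


# Constructed sample data using the diagrams' placeholder names (assumed layout).
POPULAR = {"CVE-1", "CVE-2", "CVE-3", "CVE-4"}
IDS = {"CVE-1", "CVE-3", "CVE-4"}
TOOLS = {"Tool 1": {"CVE-1", "CVE-2", "CVE-3"}, "Tool 2": {"CVE-3", "CVE-4"}}

if __name__ == "__main__":
    print(ids_gaps(POPULAR, IDS, TOOLS))       # {'CVE-2': ['Tool 1']}
    print(untested(POPULAR, TOOLS))            # []
    print(triage("CVE-3", {"CVE-2", "CVE-3"}))
```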
11. CVE Timeline
- Towards a Common Enumeration of Vulnerabilities, 2nd CERIAS Workshop on Vulnerability Databases (January 1999)
- Initial creation of Draft CVE (Feb-April 1999)
  - 663 vulnerabilities
  - Data derived from security tools, hacker sites, advisories
- Formation of Editorial Board (April-May 1999)
- Validation of Draft CVE (May-Sept 1999)
  - Creation of validation process (May-Sept 1999)
  - Discussion of high-level CVE content (July-Sept 1999)
- Public release (Real Soon Now)
12. The CVE Editorial Board
- Experts from more than 15 security-related organizations
  - Researchers, security tool vendors, mailing list moderators, vulnerability database owners, response teams, system administrators, security analysts
- Mailing list discussions
  - Validation and voting for individual CVE entries
  - High-level content decisions
- Meetings
  - Face-to-face
  - Teleconference
- Membership on an as-needed or as-recommended basis
13. Bringing New Entries into the CVE
- Assignment
  - Candidate number CAN-1999-XXXX to distinguish from a validated CVE entry
  - Candidate Numbering Authority (CNA) reduces noise
- Proposal
  - Announcement and discussion
  - Voting: Accept, Modify, Reject, Recast, Reviewing
- Modification
- Interim Decision
- Final Decision
  - CVE name(s) assigned if candidate is accepted
- Publication