The Development of a Common Vulnerability Enumeration / Vulnerabilities and Exposures List

Steven M. Christey, David W. Baker, William H. Hill, David E. Mann
The MITRE Corporation
Outline
- Description
- Examples
- Applications to IDS
- Activities
- Editorial Board
What is the CVE (Common Vulnerabilities and Exposures List)?
- A list of common information systems security problems (but CISSP was taken)
- Vulnerabilities
  - Problems that are universally thought of as “vulnerabilities” in any security policy
  - Software flaws that could directly allow serious damage
  - phf, ToolTalk, Smurf, rpc.cmsd, etc.
- Exposures
  - Problems that are sometimes thought of as “vulnerabilities” in some security policies
  - Stepping stones for a successful attack
  - Running finger, poor logging practices, etc.
CVE Goals
- Enumerate all publicly known problems
- Assign a standard, unique name to each problem
- Exist independently of multiple perspectives
- Be publicly open and shareable, without distribution restrictions
Why the CVE?
- Provide a common language for referring to problems
- Facilitate data sharing between
  - IDSes
  - Assessment tools
  - Vulnerability databases
  - Academic research
  - Incident response teams
- Foster better communication across the community
- Get better tools that interoperate across multiple vendors
Sample CVE Entries
Sample CVE Mapping
CVE for IDS
- Standard name for vulnerability-related attacks
- Interoperability
  - Multi-vendor compatibility
  - Correlate with assessment tool results to reduce false positives
  - Share incident data
- Consistency of reports
- IDS comparisons
  - Accuracy, coverage, performance
- Common attack list
- DARPA CIDF and IETF IDWG
CVE from Vulnerability Assessment to IDS (flow diagram)
- Do my systems have these problems? Popular attacks: CVE-1, CVE-2, CVE-3, CVE-4
- Which tools test for these problems? Tool 1: CVE-2, CVE-3; Tool 2: CVE-3, CVE-4
- Does my IDS have the signatures? IDS: CVE-1, CVE-3, CVE-4
- “I can’t detect exploits of CVE-2 - how well does Tool 1 check for it?”
CVE from Attacks to Incident Recovery (flow diagram)
- I detected an attack on CVE-3. Did my assessment say my system has the problem? (Check the assessment results from Tool 1 and Tool 2 by CVE name.)
- YES: look up CVE-3 in public databases and advisories, clean up, close the hole, report the incident
- NO: don’t send an alarm. But the attack succeeded! Tell your vendor, then go to YES
CVE Timeline
- “Towards a Common Enumeration of Vulnerabilities,” 2nd CERIAS Workshop on Vulnerability Databases (January 1999)
- Initial creation of Draft CVE (Feb-April 1999)
  - 663 vulnerabilities
  - Data derived from security tools, hacker sites, advisories
- Formation of Editorial Board (April-May 1999)
- Validation of Draft CVE (May-Sept 1999)
- Creation of validation process (May-Sept 1999)
- Discussion of high-level CVE content (July-Sept 1999)
- Public release (Real Soon Now)
The CVE Editorial Board
- Experts from more than 15 security-related organizations
  - Researchers, security tool vendors, mailing list moderators, vulnerability database owners, response teams, system administrators, security analysts
- Mailing list discussions
  - Validation and voting for individual CVE entries
  - High-level content decisions
- Meetings
  - Face-to-face
  - Teleconference
- Membership on an as-needed or as-recommended basis
Bringing New Entries into the CVE
- Assignment
  - Candidate number CAN-1999-XXXX to distinguish from a validated CVE entry
  - Candidate Numbering Authority (CNA) reduces “noise”
- Proposal
  - Announcement and discussion
  - Voting: Accept, Modify, Reject, Recast, Reviewing
- Modification
- Interim Decision
- Final Decision
  - CVE name(s) assigned if candidate is accepted
- Publication
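The two flow diagrams (assessment-to-IDS and attacks-to-incident-recovery) and the CAN-/CVE- naming scheme above, worked through as an added example that is not part of the original deck. The CVE-1..CVE-4 names, tool coverage, IDS signature list and per-host assessment findings are constructed placeholders in the slides' own style; the "escalate" outcome for a CVE no tool tests for is an extension beyond the slide's YES/NO branches.

```python
import re
from typing import Dict, List, Set

# Constructed sample data mirroring the deck's two flow diagrams
# (CVE-1..CVE-4 are the slides' placeholder names, not real CVE entries).
POPULAR_ATTACKS: List[str] = ["CVE-1", "CVE-2", "CVE-3", "CVE-4"]
TOOL_COVERAGE: Dict[str, Set[str]] = {"Tool 1": {"CVE-2", "CVE-3"},
                                      "Tool 2": {"CVE-3", "CVE-4"}}
IDS_SIGNATURES: Set[str] = {"CVE-1", "CVE-3", "CVE-4"}
# Assumed shape: which CVE names the assessment actually found on each host.
ASSESSMENT_FINDINGS: Dict[str, Set[str]] = {"host-a": {"CVE-3"}}

# Slide 'Bringing New Entries': CAN-YYYY-NNNN is an unvalidated candidate,
# CVE-YYYY-NNNN a validated entry.
NAME_RE = re.compile(r"^(CVE|CAN)-\d{4}-\d{4}$")


def classify_name(name: str) -> str:
    """Return 'candidate', 'entry' or 'invalid' for a CVE-style name."""
    m = NAME_RE.match(name)
    if not m:
        return "invalid"
    return "candidate" if m.group(1) == "CAN" else "entry"


def coverage_gaps(attacks, tools, ids_sigs) -> Dict[str, List[str]]:
    """Slide 'Assessment to IDS': popular attacks that no assessment tool
    tests for, and those the IDS has no signature for."""
    tested = set().union(*tools.values()) if tools else set()
    return {"untested": [c for c in attacks if c not in tested],
            "undetected": [c for c in attacks if c not in ids_sigs]}


def triage_alert(cve: str, host: str, findings, tools) -> str:
    """Slide 'Attacks to Incident Recovery': an IDS alert on `cve` for `host`
    is actionable ('alarm': clean up, close the hole, report) only if the
    assessment said the host has the problem. If no tool tests for `cve`,
    the NO branch proves nothing, so the alert is escalated, not dropped."""
    if cve in findings.get(host, set()):
        return "alarm"
    if not any(cve in covered for covered in tools.values()):
        return "escalate"
    return "suppress"


if __name__ == "__main__":
    print(coverage_gaps(POPULAR_ATTACKS, TOOL_COVERAGE, IDS_SIGNATURES))
    for cve in POPULAR_ATTACKS:
        print(cve, triage_alert(cve, "host-a", ASSESSMENT_FINDINGS, TOOL_COVERAGE))
```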