CVE bug system has bugs – quick, use this alternative, say hackers

Frustrated security professionals acting on behalf of equally irritated researchers unable to gain Common Vulnerabilities and Exposures (CVE) numbers for their bugs have started an alternative numbering system to help triage what they describe as a huge backlog of ignored software flaws. Several prominent researchers are now …

  1. Anonymous Coward

    Let me get this straight ..

    .. you send reports of confirmed vulnerabilities into a US based company to ensure they're both logged and fixed and you don't receive a response?

    I think it may be worth checking if their email hasn't been "accidentally" diverted to the NSA..

    1. Anonymous Coward

      Re: Let me get this straight ..

      No you just ask for a CVE number to reserve it for publication. Once the vulnerability is ready for disclosure (either by the company fixing it or not responding at all), then you publish it with the assigned CVE code that you reserved ... this then gets hauled into all the downstream and upstream platforms - threat intelligence, vulnerability databases, etc.

  2. Charles 9

    Not as if anywhere else is safe...

    1. PNGuinn

      Please Sir, please Sir ...

      May I claim copyright on "Extremely Xploitable Gaff", EXG, for when DWF doesn't cut the mustard??

      Please, Sir???

      1. kurtseifried

        We're not claiming copyright on DWF just to be clear. These are like phone numbers or GPS coordinates, just factual bits of information to make finding other bits of information (security vulnerability related) much more easy.

  3. zb42

    Distributed Weakness Filing, enough volunteer labour

    CVE assignment is easily a full time job for a couple of people if they are cranking them out with very little verification.

    There were about 6000 issued in 2015. (The highest numbered is CVE-2015-8822, but they didn't use some numbers.)

    Just weeding out duplicates, invalid reports, trolls and jokes and publishing a coherent summary will easily take an hour each. That is nowhere near enough time to actually install some software and see if a bug is real.

    Raymond Chen of Microsoft, blogging as OldNewThing, complains that Microsoft get a lot of invalid security-hole reports that can be summed up as "if you already have admin privilege you can do blah".

    People with enough knowledge to do anything beyond saying "Eh, sounds plausible, have a number" are uncommon and can be out earning money.

    I am doubtful about them getting enough volunteer labour to replace the work of Mitre corp.

    1. ascasc

      Re: Distributed Weakness Filing, enough volunteer labour

      So I (Kurt Seifried) have some experience with this. I've assigned almost 5,000 CVEs myself (4,760 as of October 18, 2015, when I last counted) and I've been involved with vulnerability management/analysis for almost 2 decades.

      The problem is that you, and I suspect Mitre, are caught in the trap of thinking about this problem as a single issue when in fact (as Art Manion of CERT pointed out) it's actually two problems:

      1. Assigning IDs

      2. Analysis, deconfliction, write-up

      https://cve.mitre.org/data/board/archives/2016-03/msg00004.html

      DWF aims to address problem #1 by making it much simpler to get a DWF, and to push DWF assignment as close to the vulnerability as possible, e.g. by getting major researchers on board and assigning, and also getting vendors and vulnerability coordinating bodies on board. A perfect example of this is the first official DWF assigned, DWF-2016-89000:

      https://bugzilla.redhat.com/show_bug.cgi?id=DWF-2016-89000

      https://patrick.uiterwijk.org/DWF-2016-89000/

      https://www.google.ca/search?q=DWF-2016-89000

      The second problem is also largely already solved by the community, but there are no good feedback mechanisms with CVE (I should know, I've been reporting errors to them as I find them for over a decade). DWF solves this problem by being fully transparent and open and using the GitHub platform to make feedback (in the form of pulls/issues) really easy, and more importantly to make correcting things easy (multiple DWF project people will have commit access). So if you do find an error or conflict you can easily report it, and if you want to add information to an issue, you can also do so easily through the Artifact Database. As for write-ups, the community already does this; witness security researcher reports and advisories, or vendor advisories. There is no need to rewrite these things constantly.

      So in conclusion: this is pretty much classic Cathedral vs. the Bazaar. The DWF Open Source model is a lot easier to participate in, and we've specifically picked a platform (GitHub) that makes it trivial for people to interact with DWF and help the community help itself.

      https://en.wikipedia.org/wiki/The_Cathedral_and_the_Bazaar

  4. Anonymous Coward

    I always prefer an open approach, but as someone who has been online long enough to have experienced a USENET that was actually usable I do worry a bit about malicious entities flooding you with rubbish. It's almost as if you need a large number of "first pass" people to ensure what you get is at least sane or you will quickly drain your validation resources.

    I may be overly concerned, so I'll be watching this with interest. It's incredibly important work, but I think it also must be investigated what is happening at MITRE. It would be unfair to assume anything until there are some facts, but as far as I can tell, so far none are forthcoming.

    1. kurtseifried

      To be honest it's actually pretty easy. For one thing, in the Open Source world I just ask them for an example of the vulnerable code/code fix, or for how exploitation occurs (e.g. with XSS it's usually trivial to demo). If they can't provide either, then chances are they don't really understand the vulnerability well enough to be asking for an identifier.

      For the closed source world it's obviously a bit tougher, which is why DWF number assignments are farmed out as much as possible to vendors, who can and do verify the issues (and then need an identifier for them).

      So if someone attempts to flood the DWF with stuff, Open Source stuff would be trivial to weed out, and for closed source we'd simply base it on various things like "is this person well known/do they have a good track record?" and "can we easily verify this?" and so on.

  5. FatGerman

    F***ing Hell

    Bureaucracy rules again.

    What the flying farcical fuck does it matter what NUMBER it has? Someone reports a security bug in your software. FIX IT. Most companies would have this done before any government agency put down its donuts long enough to read the email.

    Jesus. Get a life.

    1. kurtseifried

      Re: F***ing Hell

      Because someone finds a flaw that affects several dozen products, or even hundreds of products (CVE-2009-3555), and many larger products and security related software (that get audited a lot) have a lot of flaws to be dealt with.

      Then there is the consumption of updates aspect. There is more than one way to fix a flaw, for example an XSS flaw in a web application, but you can block this with mod_security and an appropriate rule. How does mod_security easily communicate which things they have fixed when most web apps have dozens of XSS flaws found at various times?

      When communicating and coordinating these security vulnerabilities we need a common naming scheme, especially when we're handling thousands of vulnerabilities per year.

      1. Anonymous Coward

        Re: F***ing Hell

        Not to mention the dozens and dozens of platforms that depend on CVEs to actually categorise and scan for these vulnerabilities...

    2. Stuart Castle

      Re: F***ing Hell

      "What the flying farcical fuck does it matter what NUMBER it has?"

      OK. Say you maintain a large bit of software, something like an OS (Windows, OSX or Linux). You may have hundreds of bugs on the list to be squashed. They may even be bugs in other products that your software relies upon (such as libraries) that you need to keep track of. How do you do this? You can set up your own system for receiving and tracking bug reports, but how do you track others?

      This is why the CVE system was invented.

      1. FatGerman

        Re: F***ing Hell

        Ahhhhh tracking. Yes. What people who don't have real work to do, do to fill their time. Yes, I see now. It's a job justification scheme. Well, good luck to them. In the meantime, I'll just fix that bug there.

  6. This post has been deleted by its author

  7. Anonymous Coward

    The inevitable conclusion

    So, the security industry standardized on a private company's government-funded pet project? Can you say "single point of failure?" Government projects are perpetually losing their funding, so unless there's a funding mandate somewhere higher up, you can't count on them being there from one day to the next. Other industries have already figured this one out - you form an independent industry body with members from business, government, and academia and give that body ownership over the products. That way, if one member loses funding to participate, the whole thing doesn't go tits up. Sounds like the security folks need to learn a bit more about how the world works.

  8. Anonymous Coward

    Thank you Kurt, Larry, Zach, Josh

    Mitre has let the community down for a while now; we need a solution by researchers who care.

    http://permalink.gmane.org/gmane.comp.security.oss.general/19051
