One Solution to MITRE's Overworked CVE System: Build a New One (helpnetsecurity.com)

← Back to Stories (view on slashdot.org)

One Solution to MITRE's Overworked CVE System: Build a New One (helpnetsecurity.com)

Posted by timothy on Friday March 11, 2016 @02:19AM from the hope-it's-built-with-merger-in-mind dept.

An anonymous reader writes: For the last 17 years, the American not-for-profit MITRE Corporation has been editing and maintaining the list of Common Vulnerabilities and Exposures (CVEs). According to a number of researchers, MITRE has lately been doing a lousy job when it comes to assigning these numbers, forcing researchers to do without them or to delay public disclosure of vulnerabilities indefinitely. The problem is getting worse by the day, and the situation has spurred Kurt Seifried, a "Red Hat Product Security Cloud guy" and a CVE Editorial Board member, to create a complementary system for numbering vulnerabilities.

26 of 47 comments (clear)

Min score:

Reason:

Sort:

copied from the register by Anonymous Coward · 2016-03-11 02:51 · Score: 1

no offense, but this article has been copied from the register: http://www.theregister.co.uk/2...
1. Re:copied from the register by AchilleTalon · 2016-03-11 03:13 · Score: 1
  
  No, not a copy, just an article on the same subject.
  
  --
  Achille Talon
  Hop!
Standards - https://xkcd.com/927/ by BitZtream · 2016-03-11 03:00 · Score: 1

Yes, because another service is always the solution ... instead of fixing the existing one and improving it.
This is typical red hat (and a common Linux issue in general) ... we don't like it so we're going to reinvent the wheel ... poorly and refuse to acknowledge any problems or defects in the new version.
Sometimes you just need to put a little effort into actually working together instead of being a douchebag loan wolf who takes his toys and goes to live in the woods.

--
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
1. Re:Standards - https://xkcd.com/927/ by arth1 · 2016-03-11 03:05 · Score: 2
  
  a douchebag loan wolf
  Is that better or worse than a loan shark?
2. Re:Standards - https://xkcd.com/927/ by AlterEager · 2016-03-11 04:04 · Score: 1
  
  Yes, because another service is always the solution ... instead of fixing the existing one and improving it.
  So, how do you do that exactly? Someone asks MITRE for a CVS number for a vulnerability they've found and MITRE replies:
  
  Thank you for your request.
  Your request is outside the scope of CVE's published priorities. As such, it will not be assigned a CVE-ID by MITRE or another CVE CNA at this time.
  What next?
3. Re:Standards - https://xkcd.com/927/ by mysidia · 2016-03-11 04:45 · Score: 1
  
  What next?
  Why don't we just have the vendor self-generate a GUID to use to refer to the security vulnerability?
  Whoever notes the vulnerability first generates a GUID, and MITRE's only Job becomes to provide a database of the GUIDs.
4. Re:Standards - https://xkcd.com/927/ by frank_adrian314159 · 2016-03-11 05:09 · Score: 1
  
  Is that better or worse than a loan shark?
  That depends... Is it a douchebag loan shark?
  
  --
  That is all.
5. Re:Standards - https://xkcd.com/927/ by AlterEager · 2016-03-11 05:18 · Score: 1
  
  MITRE refused to allocate a CVE. It's not the number that's the problem, it's that they are refusing to do their job.
Thanks by Anonymous Coward · 2016-03-11 03:21 · Score: 3, Insightful

I was looking for a way to say this politely, but can you just can it with the systemd trolling? It has literally no connection to this proposal. This is some guy who happens to work at Red Hat. It shouldn't shock anyone that Red Hat employs a lot of people in the Linux and/or security worlds. He says right up front he is speaking on his own behalf and not that of Red Hat, and as far as I can tell he has jack-all to do with systemd development. There's even the possibility that he dislikes systemd as much as you do. I'd bet any amount of money that he would oppose your hypothetical systemd-CVE as a completely pointless increase in attack surface.
Begone, troll. This is not the overreaching NIH syndrome you were looking for.
1. Re:Thanks by Luthair · 2016-03-11 03:53 · Score: 2, Insightful
  
  If they stopped trolling they might have time to write the software they want that doesn't use systemd. Of course they don't want to do actual work, they want someone else to do it for them.
2. Re:Thanks by Anonymous Coward · 2016-03-11 05:26 · Score: 1
  
  The ironic thing is that people are so against systemd, when many of their complaints apply equally to OpenRC. Namely, it's mostly written in C (81.8% C, 9.3% Shell, 8.5% makefile, .4% other), it has annotations for dependency resolution, supports cgroups, and I believe parallel startup is also in the works. But when systemd does it, clearly nobody needs those features.
  The other ironic thing is that people have this nostalgic idea that sysvinit was somehow not a piece of crap. Except that it was self-defeating: the first replacement for SysV init was the init scripts themselves, which completely disregarded all of the features provided by init/inittab. Whatever we think of as an init system must have some insight into the underlying system; blindly starting or restarting services is a feature no one needs. Nobody trusts inittab to be able to start/stop/restart the database correctly, so the init scripts needed to absorb (and frequently, duplicate) all of the complexity actually needed to manage a system, and 33 years later, there is literally no one willing to maintain that snowballed clusterfuck. Systemd, OpenRC, launchd, and all the other SysV init replacements were simply recognizing that while there must be some script-like component to the init process, service writers should rely on scripting only where it cannot be avoided. Because while the script writer knows the most about their own processes, they do not and should not have the most information about the system as a whole.
  SysV init is the epitome of abandonware: discarded by everyone, even sysvinit.
"But according to a number of researchers" by Dr.+Evil · 2016-03-11 03:29 · Score: 2

1 is a number. There are lots of numbers.
If there's a problem at all, I would wager it's all the crappy "security researchers" trying to make a name for themselves by claiming the sky is falling and getting a CVE on their blog to make themselves look important.
1. Re:"But according to a number of researchers" by generic · 2016-03-11 04:38 · Score: 1
  
  What makes for a crappy security researcher? because the software they've found a bug in isn't on mitre's short little list of CVE approved vendors?
  
  --
  Microsoft aggravates my tourettes syndrome.
2. Re:"But according to a number of researchers" by Dr.+Evil · 2016-03-11 09:28 · Score: 1
  
  If I have a Radware product in my organization, I would subscribe to their security and support mailing lists, which is where this seems to be posted. There are thousands or more of different products from different vendors, probably tens or hundreds of thousands if you include the crazy knockoffs, FOSS assemblages, and fly-by-night companies.
  There are far fewer genuinely unique bits of software which most of these products are made from. E.g., only so many IP stacks are out there, only so many web servers, etc. Even this vulnerability mentions that it is in a "third party library"
  I had a longer reply, but if you follow the links, the guy who reported it expressly asked for discretion...
  "(And currently I'd apprechiate if you don't make a big buzz out of this issue, because we're preparing a paper on it by the end of march where we'll disclose a bunch of similar issues)"
  Ooops.
  Sucky security researchers are in my mind, the guys who self-aggrandize. This may very well be an issue where the guy's discovered something much bigger and wants one of those quiet reserved CVEs for his release of the vulnerability in the underlying library. There are lots of details in this specific case.
  I guess we'll find out.
3. Re:"But according to a number of researchers" by generic · 2016-03-11 22:56 · Score: 1
  
  I see your point, I only care to assign CVE IDs to my discoveries because folks ask me for them. It gets annoying when I've found a vulnerability and someone is hounding me about the CVE ID so they can track it and mitre doesn't respond to my emails.
  
  --
  Microsoft aggravates my tourettes syndrome.
Re:Redhat = embrace, extend by Luthair · 2016-03-11 03:42 · Score: 3, Insightful

So in the interests of full disclosure and transparency I (Kurt Seifried) am writing this email as an individual and member of the DWF System, and not as an employee of Red Hat. Please note that although I have a day job at Red Hat I also (like many information security people) work on other projects in my personal life, either because they are not work related, or because it's simply not appropriate to work on the project as part of my day job (in this case it's less about Red Hat, and more about the fact that as a Red Hat Employee I am a member of the CVE Editorial Board).
Seems clear RedHat has nothing to do with this
Red Hat/DoD/MITRE - I see the relationship by OffTheLip · 2016-03-11 03:54 · Score: 2

The US Dept of Defense (DoD) is a Red Hat customer and required to react to IAVA's/CVE's. MITRE provides system engineering support for the USAF among other branches so it seems like a good working relationship to me. Red Hat has been supportive of the IAVA/CVE patch process and working to better the system is a win-win in my opinion.
A vague problem by feenberg · 2016-03-11 04:47 · Score: 2

Is the problem that MITRE has an inventory of unprocessed requests, or that MITRE is rejecting requests as duplicative or incorrect? That does make a difference in how one thinks about the problem. If the latter, perhaps those in favor of bypassing MITRE could provide convincing examples of incorrect rejections.
1. Re:A vague problem by generic · 2016-03-11 04:51 · Score: 1
  
  Mitre either isn't responding or flat out rejecting valid requests because they've changed the scope of what they will assign numbers too.
  
  --
  Microsoft aggravates my tourettes syndrome.
2. Re:A vague problem by generic · 2016-03-11 22:59 · Score: 1
  
  Here is one http://www.openwall.com/lists/...
  
  --
  Microsoft aggravates my tourettes syndrome.
Re:Redhat = embrace, extend by ttucker · 2016-03-11 06:18 · Score: 1

Reality is so pedantic to a troll...
Re:Another solution by xxxJonBoyxxx · 2016-03-11 07:24 · Score: 2

>> Just a thought.

When did this place become Facebook? What's next, "just sayin'"? "JK"? Perhaps your high ID explains it, but on SlashDot there's no reason to snark off and then hide behind your mom's skirt - we LIKE bold discussions.
Re:Another solution by edtice1559 · 2016-03-11 08:16 · Score: 2

The fact that vulnerabilities are happening so fast that we can't even catalog them speaks pretty poorly for our industry. There is new code being written today that will have exploitable buffer overflows. Even though this problem has been well documented since probably the seventies. We have things like ASLR that put a band aid on it, but the reality is that the systems we develop are a few more orders of magnitude more complicated that what was built back then. But our tools and techniques haven't advanced much. Sometimes I'm surprised that any non-trivial software even works.
"Not for profit"... by jfengel · 2016-03-11 08:21 · Score: 1

"Non-profit" is a pretty loaded term here. It implies charities or colleges or arts organizations. That's not really what's going on. It just means that they're not turning their profits over to any shareholders. There are tax consequences, but it's actually not all that big a deal, since even ordinary corporations are only supposed to be paying taxes on profits anyway, not revenues. Which theoretically lets them raise wages and lower prices, though they're not actually all that good at either. Mostly, they turn it into giant executive bonuses.
I'm not exactly sure how MITRE and some other Beltway bandits get away with being "non-profits". I think they call themselves "research". But really, they don't belong in the same category as charities.
Relevant XKCD by themusicgod1 · 2016-03-11 08:47 · Score: 1

Problem: there are N relevant places to look for CVEs

Solution: let's make a better one!

Problem: there are N+1 relevant places to look for CVEs.

--
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
Bull from a corporate shill Re:"Not for profit"... by rcharbon · 2016-03-12 23:24 · Score: 1

Uh-huh. And just for the sake of comparison, what do the CEOs at those noble 'for profit' government defense contractors make on a yearly basis? The article mentioned Lockheed Martin, whose CEO made $25 million in 2013: https://www.washingtonpost.com...