CVE 1999 to 2001

Introduction to CVE, CWE, and the Top 25
29, 2015 @sushidude
© 2015 The MITRE Corporation. All rights reserved.


• MITRE employee for 25+ years (so far)
• Started in artificial intelligence
• Like many others – fell into computer security
• Realized it’s a great fit
– Always changing
– Always challenging
– Many opportunities to (try to) do the right thing
• “MITRE partners with the government applying systems engineering and advanced technology to address issues of critical national importance.”
– Values: Commitment to the Public Interest, People in Partnership, Excellence that Counts
– Top STEM Company for Women, March 2015
– Top Employer (Workforce Diversity for Engineering & IT Professionals)
– Top STEM Employer (Hispanic Network Magazine)
• http://www.mitre.org/about/mission-and-values

Today’s Theme
“There is always a well-known solution to every human problem – neat, plausible, and wrong.”
– H.L. Mencken
Sometimes the simple life ain’t so simple. (the correct lineup)

Ye Goode of 1999: Historical Context
• Melissa worm
• The year before Y2K
• impeached
• Euro currency established
• retires
• Sponge debuts
• (Carl from The Walking Dead) born
• Star Wars: The Phantom Menace introduces the world to Jar Jar Binks

Welcome to 1998
• Vulnerability databases were mostly private
– “We’ll show you our database if you show us your NDA”
• Bugtraq was a low-traffic list
• Full-disclosure and OSVDB didn’t exist
• CERT advisories said very little
• Exploits were shared privately
• Attacks were rampant for months/years
• Vendors didn’t fix things for months/years
• Vulnerability scanning industry still in infancy
• WWW wasn’t ubiquitous
• Maybe 10 unique vulnerability types
• “Smashing the Stack” was only 2 years old
• Most reported vulnerabilities were in servers

Vulnerability Information Sharing (circa 1998-1999)
(Diagram of the sharing landscape; the nodes shown are:)
Scanning Tools
Intrusion Detection Systems
Alerts & Advisories
Vendor Patches
Priority Lists
Incident Response & Reporting

CVE Began with a Challenge at MITRE for 2 of our Technical Staff…
(Vulnerability Management: Circa 1998-1999)
• How to pick a vulnerability scanning tool?
– Which one finds more?
• Are we safe against vulnerabilities listed in CERT advisories?
– How to match CERT names of vulnerabilities with scanning tool results?

Aha Moment on an Exercise Bike in MITRE’s Bedford Fitness Center in 1998…
September 1998 issue of Scientific American, article on the Periodic System: the list of elements predated the Periodic Table by hundreds of years.

2nd Workshop on Research with Security Vulnerability Databases, Purdue University
CVE Editorial Board

CVE Entries: Dictionary, not a Database
1) Flat Identifier
2) Short Description
3) External References

CVE 1999 to 2001

Vulnerability Information Sharing (circa 1999+)
(Diagram of the sharing landscape after CVE; the nodes shown are:)
Vendor Patches
Alerts & Advisories
Priority Lists
Scanning Tools
Intrusion Detection Systems
Incident Response & Reporting

Content Decisions
• Explicit guidelines for content of CVE entries
– Ensure and publicize consistency within CVE
– Provide “lessons learned” for researchers
– Document differences between vulnerability “views”
• Two basic types
– Inclusion: What goes into CVE? What doesn’t, and why?
– Level of Abstraction: One or many entries for similar issues?
– Format: How are CVE entries formatted?
• Difficult to document
– “[It’s] like trying to grasp wet corn starch” (Board member)
Incomplete information is the bane of consistency – and content decisions!

Why CVE-2001-0019 Could Identify 1, 2, or 6 Vulnerabilities
• “Shellshock” anyone?
• 3 different source code scenarios
• Without actual source, can’t be sure which scenario is true
• Even with source, there are different ways of counting
• Multiple format string problems are especially difficult to distinguish

Scenario 1 (one unbounded strcpy, shared by both commands):

    strcpy(arg, long_input);
    if (strcmp(cmd, "show") == 0) { process_show_command(arg); }
    else if (strcmp(cmd, "clear") == 0) { process_clear_command(arg); }

Scenario 2 (one unbounded strcpy per command):

    if (strcmp(cmd, "show") == 0) {
        strcpy(str, long_input);
        process_show_command(str);
    } else if (strcmp(cmd, "clear") == 0) {
        strcpy(str, long_input);
        process_clear_command(str);
    }

Scenario 3 (one unbounded strcpy per command/sub-command pair):

    if (strcmp(cmd, "show") == 0) {
        if (strcmp(arg1, "script") == 0) {
            strcpy(str, long_input);
            show_script(str);
        } else if (strcmp(arg1, "archive") == 0) {
            strcpy(str, long_input);
            show_archive(str);
        } else if (strcmp(arg1, "log") == 0) {
            strcpy(str, long_input);
            show_log(str);
        }
    } else if (strcmp(cmd, "clear") == 0) {
        if (strcmp(arg1, "script") == 0) {
            strcpy(str, long_input);
            clear_script(str);
        } else if (strcmp(arg1, "archive") == 0) {
            strcpy(str, long_input);
            clear_archive(str);
        } else if (strcmp(arg1, "log") == 0) {
            strcpy(str, long_input);
            clear_log(str);
        }
    }

DB Abstraction: 1 to 5 Entries?
(Diagram: the same five findings, described at five levels of abstraction)
1 entry (Secunia, ISS, and Bugtraq ID):
1: SQL injection and XSS in 1.x and 2.x
2 entries (ISS and Bugtraq ID):
1: Mult. SQL injection in 1.x and 2.x
2: XSS in 2.x
3 entries (CVE):
CVE-1: SQL injection in version 1.x through login.php and order.php.
CVE-2: SQL injection in version 2.x through admin.php.
CVE-3: XSS in version 2.x through login.php and search.php.
4 entries (somebody somewhere, probably):
1: login.php
2: order.php
3: admin.php
4: search.php
5 entries:
1: SQL injection in login.php
2: SQL injection in order.php
3: SQL injection in admin.php
4: XSS in login.php
5: XSS in search.php

Different Audience → Different Abstraction
(Diagram of three levels of identifier)
Advisory ID: Microsoft Security Bulletin, Cisco Advisory, Secunia SA
Coordination ID
Vulnerability ID: Mozilla 1234, Mozilla 5678
• CVE was always intended as a coordination ID
• We originally thought that coordination could operate at the vulnerability level
• But, there’s too much fluctuation and variation in vulnerability information in the early stages, when coordination ID is most needed

Content Decisions: Abstraction
• AB1: SPLIT if different flaw types
• AB2: SPLIT if different versions are affected
• SPLIT if different vectors are released at a later time
• SPLIT if different codebases
• Otherwise MERGE
• Refinements and/or interpretations of the above
These factors are generally stable across all phases of vulnerability disclosure, and often known early in the game.
http://cve.mitre.org/cve/editorial_policies/cd_abstraction.html
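The following Python is an added example, not code from the slides or from MITRE. It turns the AB1/AB2/codebase rules above into a grouping key and re-runs the five findings from the “DB Abstraction: 1 to 5 Entries?” slide through each of the abstraction levels that slide lists, so the same reports come out as 1, 2, 3, 4 or 5 entries depending on the policy chosen. “ExampleShop”, the Report fields and the policy names are constructed for the example; the “different vectors released at a later time” rule needs disclosure dates and is not modelled.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Report:
    """One reported finding. ExampleShop and the script names are constructed data."""
    codebase: str          # product or distinct fork: SPLIT if different codebases
    flaw_type: str         # e.g. "SQL injection", "XSS": AB1
    versions: frozenset    # affected version set: AB2
    vector: str            # affected script; on its own this does not SPLIT


def cve_key(r: Report):
    """AB1 + AB2 + codebase: reports sharing this key MERGE into one entry."""
    return (r.codebase, r.flaw_type, r.versions)


def group_into_entries(reports, keyfunc=cve_key):
    """Return {key: sorted vectors}: one dictionary item per resulting entry."""
    entries = defaultdict(list)
    for r in reports:
        entries[keyfunc(r)].append(r.vector)
    return {k: sorted(set(v)) for k, v in entries.items()}


def describe(key, vectors):
    """Render a CVE-style one-liner for an entry produced by cve_key."""
    codebase, flaw, versions = key
    return (f"{flaw} in {codebase} {' and '.join(sorted(versions))} "
            f"through {' and '.join(vectors)}.")


# Constructed reports mirroring the five findings on the slide.
SAMPLE = [
    Report("ExampleShop", "SQL injection", frozenset({"1.x"}), "login.php"),
    Report("ExampleShop", "SQL injection", frozenset({"1.x"}), "order.php"),
    Report("ExampleShop", "SQL injection", frozenset({"2.x"}), "admin.php"),
    Report("ExampleShop", "XSS", frozenset({"2.x"}), "login.php"),
    Report("ExampleShop", "XSS", frozenset({"2.x"}), "search.php"),
]

# The other abstraction levels from the slide, expressed as key functions.
POLICIES = {
    "everything in one entry": lambda r: r.codebase,
    "split by flaw type only": lambda r: (r.codebase, r.flaw_type),
    "CVE (AB1 + AB2)": cve_key,
    "split by affected script": lambda r: (r.codebase, r.vector),
    "split by script and flaw type": lambda r: (r.codebase, r.vector, r.flaw_type),
}


def entry_counts(reports=SAMPLE):
    """How many IDs each policy would mint for the same set of reports."""
    return {name: len(group_into_entries(reports, f)) for name, f in POLICIES.items()}


if __name__ == "__main__":
    for key, vectors in group_into_entries(SAMPLE).items():
        print(describe(key, vectors))
    for name, n in entry_counts().items():
        print(f"{n} entries: {name}")
```

Because the key is built from properties that are stable across the disclosure timeline (flaw type, version set, codebase) rather than from details that fluctuate early on (exact scripts, parameters), re-running the grouping after a follow-up report usually leaves existing entries untouched and at most adds a vector to one of them.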

Content Decisions: Inclusion
• INCLUDE any issue for software that
– Could be deployed in an enterprise
– Could be network-connected physical devices
– Has minimal, but non-zero, risk
• path disclosure, admin-to-SYSTEM, client-side crasher
• EXCLUDE any issue that
– Is “site-specific,” SaaS, hosted, “in the cloud,” …
– Is provably wrong
– Is just a rumor
– Is not “actionable”
– Is “just a bug” (e.g. defenestration exploit)
Site-specific / hosted software can be difficult to identify.

Issue: What is a Vulnerability?
• CVE was originally called “Common Vulnerability Enumeration”
• Security tools included many “non-vulnerabilities”
• “Terminological warfare” by Editorial Board in August 1999
– 2 main debates
• What is a vulnerability?
• Should CVE include things that aren’t vulnerabilities?
– Primary example: running finger (CVE-1999-0612)
• “Stepping stone” but not directly exploitable
– Various alternate terms were debated
– “Exposure” wasn’t being used that often back then, and there was a strong need to keep the CVE acronym, so…
– http://cve.mitre.org/about/terminology.html
– http://cve.mitre.org/board/archives/1999-08/threads.html
Vulnerability definitions vary widely!

Issue: What is a Real Vulnerability?
• ~50% of all issues are not publicly acknowledged by the vendor
– http://cve.mitre.org/board/archives/2000-09/msg00038.html
• Many vulnerabilities are found in obscure software by unknown researchers without independent confirmation
• Resource-intensive to verify every report
• Some issues don’t cross “privilege boundaries”
• Some issues are technically security issues, but extremely low risk
• If it’s reported but it may not be real, should it be added to CVE?
– It will at least be reviewed
– How much verification is necessary?
• Extreme example: CVE-1999-0205
Denial of service in Sendmail 8.6.11 and
– Could not be replicated by vendor
– Checked by multiple tools (which may only compare banners)

Candidate Reservation Process
(Diagram: the researcher requests a candidate CVE-YYYY-NNNN from a Candidate Numbering Authority; the responsibilities shown for each party are:)
Researcher
• Request candidate from CNA
• Provide candidate number to vendor and other parties
• Include candidate number in initial public announcement
• Notify MITRE of announcement
• Perform due diligence to avoid duplicate or incorrect candidates
• Should work with affected vendor to increase confidence in correctness of the candidate
Candidate Numbering Authority
• Obtain pool of candidate numbers from MITRE
• Define requirements for researchers to obtain a candidate
• Assign correct number of candidate numbers
• Ensure candidate is shared across all parties
• Do not use candidates in “competitive” fashion
MITRE
• Primary CNA
• Accessible to researchers via
• Educate CNA about content decisions
• Update CVE web site when candidate is publicly announced
• Track potential abuses

Anatomy of a CVE Description: CVE-2009-4623
Multiple PHP remote file inclusion vulnerabilities in Advanced Comment System 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the ACS_path parameter to (1) index.php and (2) admin.php in advanced_comment_system/. NOTE: this might only be a vulnerability when the administrator has not followed installation instructions in install.php.
Flaw type, vendor name, product name, affected versions, remote/local, impact, attack vectors, clarifiers.

10 Years of CVE Descriptions
CVE-1999-0067
CGI phf program allows remote command execution through shell metacharacters.
CVE-2000-0067
CyberCash Merchant Connection Kit (MCK) allows local users to modify files via a symlink attack.
CVE-2001-0067
The installation of J-Pilot creates the .jpilot directory with the user’s umask, which could allow local attackers to read other users’ PalmOS backup information if their umasks are not securely set.
CVE-2002-0067
Squid 2.4 STABLE3 and earlier does not properly disable HTCP, even when “htcp_port 0” is specified in squid.conf, which could allow remote attackers to bypass intended access restrictions.
CVE-2003-0067
The aterm terminal emulator 0.42 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user’s terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
CVE-2004-0067
Multiple cross-site scripting (XSS) vulnerabilities in phpGedView before 2.65 allow remote attackers to inject arbitrary HTML or web script via (1) descendancy.php, (2) index.php, (3) individual.php, (4) login.php, (5) relationship.php, (6) source.php, (7) imageview.php, (8) calendar.php, (9) gedrecord.php, (10) login.php, and (11) gdbi_interface.php. NOTE: some aspects of vector 10 were later reported to affect 4.1.

10 Years of CVE Descriptions
CVE-2005-0067
The original design of TCP does not require that port numbers be assigned randomly (aka “Port randomization”), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged “Destination Unreachable” messages, (2) blind throughput-reduction attacks with forged “Source Quench” messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.
CVE-2006-0067
SQL injection vulnerability in login.php in VEGO Links Builder 2.00 and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.
CVE-2007-0067
Unspecified vulnerability in the Lotus Domino Web Server 6.0, 6.5.x before 6.5.6, and 7.0.x before 7.0.3 allows remote attackers to cause a denial of service (daemon crash) via requests for URLs that reference certain files.
CVE-2008-0067
Multiple stack-based buffer overflows in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allow remote attackers to execute arbitrary code via (1) long string parameters to the OpenView5.exe CGI program; (2) a long string parameter to the OpenView5.exe CGI program, related to ov.dll; or a long string parameter to the (3) getcvdata.exe, (4) ovlaunch.exe, or (5) Toolbar.exe CGI program.
CVE-2009-0067
** RESERVED **
CVE-2010-0067
Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Application Server 10.1.2.3 and 10.1.3.4 allows remote attackers to affect confidentiality via unknown vectors.

Maximum CVE-YYYY-nnnn ID per year (as of Nov 5, 2014)
(Bar chart covering CVE-2009-* through CVE-2014-*; labelled maxima: CVE-2013-7375 and CVE-2014-8622)

We Have a CVE-10K Problem:
What Do We Do After CVE-2014-9999?

Yawn. So What?
• If we made a 4-digit assumption, maybe^Wdefinitely others did too
• A lot of code, processes, & formats use CVE IDs
• Hundreds of CVE-compatible products in many languages
• Thousands of “users” across the globe
• We don’t know where that all is
• CVE is part of the infrastructure
• CVE is everywhere
• People depend on it without even knowing
• People use it in ways we don’t know
• Obligatory Heartbleed (I mean, CVE-2014-0160) reference
– Which obscure nooks and crannies of the Interwebz has it been found lately?

Where the Wild Things Are
• Output Format
– Wider than 13-character columns
– Sorting
• Input Format
– Data lengths
– Structures
– Search routines
• Extraction or Parsing
– 4-digit assumption, if violated, could trigger silent failure, fatal error, or use of the wrong ID for an unrelated vulnerability

Interpreters Don’t Care
(’bout number representation)

    # My awesome CVE ID detector in Perl. Shush.
    $str = "CVE-2014-839572957648549";
    if ($str =~ /CVE-(\d+)-(\d+)/) {
        $id = sprintf("CVE-%4d-%04d", $1, $2);
    }
    else { $id = "PARSE-ERROR"; }
    print "ID = $id\n";

Prints: ID = CVE-2014--001
• Big number that sprintf can’t handle? Return -1
• Format -1 with leading zeroes in 4 digits: -001

• CVE IDs aren’t published in order, but good sorting is aesthetic and sometimes a good visual optimization
• What happens with typical string-only sorting of variable-length IDs?
Input: CVE-2014-9999 CVE-2014-10000 CVE-2014-1234 CVE-2014-12345
Numeric order: CVE-2014-1234 CVE-2014-9999 CVE-2014-10000 CVE-2014-12345
String-only sort: CVE-2014-10000 CVE-2014-1234 CVE-2014-12345 CVE-2014-9999

The New Syntax – Starting January 1, 2014
CVE-YYYY-NNNN…N
• 4-digit minimum in sequence number
• No maximum
• Add extra digits only when needed
• Only leading 0’s with 4 digits
http://cve.mitre.org/cve/identifiers/syntaxchange.html
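The Python below is an added example (not the slides’ or MITRE’s code) of a CVE ID handler that follows the new syntax rather than the Perl detector shown a few slides back: it anchors the pattern, requires at least four sequence digits with no upper bound, rejects the non-canonical leading-zero spelling, and sorts numerically so that CVE-2014-9999 lands before CVE-2014-10000. Python integers are arbitrary-precision, so the sprintf overflow that produced CVE-2014--001 cannot occur here; the lesson carried over is that an ID should be validated and passed through, not parsed into a native number and reformatted. The sample IDs are the ones on the sorting slide; the 13-character column check refers to the “Where the Wild Things Are” slide.

```python
import re

# Anchored, post-2014 syntax: 4-digit year, then 4 or more sequence digits.
# The Perl detector on the slide is unanchored, so it matches inside longer
# strings; ^ and $ close that gap.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(text: str) -> tuple:
    """Return (year, sequence) for a well-formed ID, else raise ValueError.

    Validation replaces the sprintf round-trip: an oversized sequence is
    accepted as-is (there is no maximum), a short one is rejected, and a
    5+ digit sequence with a leading zero is rejected as non-canonical.
    """
    m = CVE_ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CVE ID: {text!r}")
    year_s, seq_s = m.group(1), m.group(2)
    # "Only leading 0's with 4 digits": CVE-2014-01234 is not a valid spelling.
    if len(seq_s) > 4 and seq_s[0] == "0":
        raise ValueError(f"non-canonical leading zero: {text!r}")
    return int(year_s), int(seq_s)


def is_valid_cve_id(text: str) -> bool:
    try:
        parse_cve_id(text)
        return True
    except ValueError:
        return False


def canonical(text: str) -> str:
    """Re-emit an ID in canonical form; width 4 is a minimum, never a maximum."""
    year, seq = parse_cve_id(text)
    return f"CVE-{year:04d}-{seq:04d}"


def sort_ids(ids: list) -> list:
    """Numeric (year, sequence) order, which is what a human expects."""
    return sorted(ids, key=parse_cve_id)


def string_sort(ids: list) -> list:
    """Plain lexical sort, kept only to show the failure mode from the slide."""
    return sorted(ids)


def column_width(ids: list) -> int:
    """Widest ID in a batch; a fixed 13-character column silently clips longer ones."""
    return max(len(canonical(i)) for i in ids)


if __name__ == "__main__":
    sample = ["CVE-2014-9999", "CVE-2014-10000", "CVE-2014-1234", "CVE-2014-12345"]
    print("string sort :", string_sort(sample))
    print("numeric sort:", sort_ids(sample))
    print("widest ID   :", column_width(sample), "characters")
    for candidate in ["CVE-2014-839572957648549", "CVE-2014-001",
                      "CVE-2014-01234", "xCVE-2014-0160x"]:
        if is_valid_cve_id(candidate):
            print("accepted:", canonical(candidate))
        else:
            print("rejected:", candidate)
```

The same regular expression works as a pre-filter in a database schema or log parser; what must not be copied from older code is a `%4d`, a `\d{4}` or a 13-character column, each of which is a four-digit assumption in a different costume.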

Truncation: The Four Digit Assumption
(Diagram: five-digit IDs CVE-2014-10000, CVE-2014-10001, CVE-2014-10002, CVE-2014-10003, CVE-2014-11000 and CVE-2014-21000 pushed through a four-digit field; CVE-2014-10000 comes out as CVE-2014-1000)
• Wrong ID = the wrong vulnerability = wasted time and, worse, being vulnerable and not knowing it!
• We have seen (and I have written) code that does truncation.
• We have seen at least one live web site that truncates

Minimizing the Pain of Truncation Errors: The Protection Block
(Diagram of the 2014 sequence-number space)
CVE-2014-0998 CVE-2014-0999
CVE-2014-9998 CVE-2014-9999 CVE-2014-10000 CVE-2014-10001 CVE-2014-10002
“ID Not Found”: CVE-2014-1000 CVE-2014-1001 CVE-2014-1002 … CVE-2014-1198 CVE-2014-1199 CVE-2014-1200
CVE-2014-1201 CVE-2014-1202
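The following Python is an added example, not the slides’ or MITRE’s code, of what the two preceding slides describe: it models the truncation bug (first four sequence digits kept, the rest dropped), lists which longer IDs collapse onto a given four-digit ID, and shows how a block of deliberately unassigned IDs turns such a collision into “ID Not Found” instead of a hit on an unrelated vulnerability. The block bounds 1000 to 1200 are read off the figure and are an assumption for illustration only, as is the tiny sample database.

```python
import re

CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def truncate_to_four(cve_id: str) -> str:
    """Model of the bug, not a function to use: keep only the first four
    sequence digits, as a char[13] column, a %4d conversion or a \\d{4}
    pattern would. CVE-2014-10000 silently becomes CVE-2014-1000."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return f"CVE-{m.group(1)}-{m.group(2)[:4]}"


def colliding_ids(truncated: str, digits: int = 5) -> list:
    """All IDs with `digits` sequence digits that a four-digit field would
    collapse onto `truncated` (e.g. CVE-2014-1000 <- CVE-2014-10000..10009)."""
    m = CVE_RE.match(truncated)
    if not m or len(m.group(2)) != 4 or m.group(2)[0] == "0":
        raise ValueError(f"expected a four-digit ID without leading zero: {truncated!r}")
    year, prefix = m.group(1), int(m.group(2))
    scale = 10 ** (digits - 4)
    return [f"CVE-{year}-{n}" for n in range(prefix * scale, (prefix + 1) * scale)]


def protection_block(year: int, lo: int, hi: int) -> set:
    """Sequence numbers deliberately left unassigned, so a truncated ID
    resolves to 'ID Not Found' rather than to an unrelated vulnerability."""
    return {f"CVE-{year}-{n:04d}" for n in range(lo, hi + 1)}


def lookup(cve_id: str, database: dict, reserved: set) -> str:
    """Resolve an ID; IDs inside the protection block get an explicit hint."""
    if cve_id in reserved:
        return "ID Not Found (reserved block: was a longer ID truncated?)"
    return database.get(cve_id, "ID Not Found")


def truncation_is_caught(cve_id: str, reserved: set) -> bool:
    """True if truncating `cve_id` to four digits lands inside the block."""
    return truncate_to_four(cve_id) in reserved


# Assumed block bounds (1000..1200), read off the slide's figure; constructed DB.
RESERVED_2014 = protection_block(2014, 1000, 1200)
SAMPLE_DB = {
    "CVE-2014-0999": "sample entry 0999 (constructed)",
    "CVE-2014-1201": "sample entry 1201 (constructed)",
    "CVE-2014-9999": "sample entry 9999 (constructed)",
    "CVE-2014-10000": "sample entry 10000 (constructed)",
}

if __name__ == "__main__":
    for cid in ["CVE-2014-10000", "CVE-2014-11000", "CVE-2014-21000"]:
        print(cid, "->", truncate_to_four(cid),
              "| caught by block:", truncation_is_caught(cid, RESERVED_2014))
    print(lookup("CVE-2014-1000", SAMPLE_DB, RESERVED_2014))
    print(colliding_ids("CVE-2014-1000"))
```

The caveat the last loop makes visible: a block of 1000 to 1200 only absorbs truncations of CVE-2014-10000 through CVE-2014-12009. An ID such as CVE-2014-21000 truncates to CVE-2014-2100, outside the block, and would resolve to whatever real entry holds that number, so the block reduces the damage of a four-digit consumer but does not replace fixing the consumer.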

From individual vulnerabilities to whole classes of problems…

Vulnerability Type Trends:
A Look at the CVE List (2001 – 2007)

Removing and Preventing the Vulnerabilities Requires More Specific Definitions…CWEs
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) (79)
• Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (80)
• Improper Neutralization of Script in an Error Message Web Page (81)
• Improper Neutralization of Script in Attributes of IMG Tags in a Web Page (82)
• Improper Neutralization of Script in Attributes in a Web Page (83)
• Improper Neutralization of Encoded URI Schemes in a Web Page (84)
• Doubled Character XSS Manipulations (85)
• Improper Neutralization of Invalid Characters in Identifiers in Web Pages (86)
• Improper Neutralization of Alternate XSS Syntax (87)
Improper Restriction of Operations within the Bounds of a Memory Buffer (119)
• Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) (120)
• Write-what-where Condition (123)
• Out-of-bounds Read (125)
• Improper Handling of Length Parameter Inconsistency (130)
• Improper Validation of Array Index (129)
• Return of Pointer Value Outside of Expected Range (
