The Development of a Common Vulnerability Enumeration Vulnerabilities and Exposures List Steven M. Christey David W. Baker William H. Hill David E. Mann The MITRE Corporation

Outline l Description l Examples l Applications to IDS l Activities l Editorial Board

What is the CVE (Common Vulnerabilities and Exposures List)? l A list of common information systems security problems (but CISSP was taken) l Vulnerabilities - Problems that are universally thought of as “vulnerabilities” in any security policy - Software flaws that could directly allow serious damage - phf, ToolTalk, Smurf, rpc.cmsd, etc. l Exposures - Problems that are sometimes thought of as “vulnerabilities” in some security policies - Stepping stones for a successful attack - Running finger, poor logging practices, etc.

CVE Goals l Enumerate all publicly known problems l Assign a standard, unique name to each problem l Exist independently of multiple perspectives l Be publicly open and shareable, without distribution restrictions

Why the CVE? l Provide common language for referring to problems l Facilitate data sharing between - IDSes - Assessment tools - Vulnerability databases - Academic research - Incident response teams l Foster better communication across the community l Get better tools that interoperate across multiple vendors

Sample CVE Entries

Sample CVE Mapping

CVE for IDS l Standard name for vulnerability-related attacks l Interoperability - Multi-vendor compatibility - Correlate with assessment tool results to reduce false positives - Share incident data l Consistency of reports l IDS comparisons - Accuracy, coverage, performance l Common attack list l DARPA CIDF and IETF IDWG

CVE from Vulnerability Assessment to IDS Do my systems have these problems? Which tools test for these problems? Tool 1 CVE-1 CVE-2 CVE-3 Tool 2 CVE-3 CVE-4 Does my IDS have the signatures? IDS CVE-1 CVE-3 CVE-4 I can’t detect exploits of CVE-2 - how well does Tool 1 check for it? CVE-1 CVE-2 CVE-3 CVE-4 Popular Attacks

CVE from Attacks to Incident Recovery I detected an attack on CVE-3. Did my assessment say my system has the problem? Tool 2 CVE-3 CVE-4 Tool 1 CVE-1 CVE-2 CVE-3 YES Clean up Close the hole Report the incident Tell your vendor Go to YES NO Don’t send an alarm But the attack succeeded! Public Databases CVE-2 CVE-3 Advisories CVE-1 CVE-2 CVE-3

CVE Timeline l “Towards a Common Enumeration of Vulnerabilities,” 2nd CERIAS Workshop on Vulnerability Databases (January 1999) l Initial creation of Draft CVE (Feb-April 1999) vulnerabilities - Data derived from security tools, hacker site, advisories l Formation of Editorial Board (April-May 1999) l Validation of Draft CVE (May-Sept 1999) l Creation of validation process (May-Sept 1999) l Discussion of high-level CVE content (July-Sept 1999) l Public release (Real Soon Now)

The CVE Editorial Board l Experts from more than 15 security-related organizations - Researchers, security tool vendors, mailing list moderators, vulnerability database owners, response teams, system administrators, security analysts l Mailing list discussions - Validation and voting for individual CVE entries - High-level content decisions l Meetings - Face-to-Face - Teleconference l Membership on an as-needed or as-recommended basis

Bringing New Entries into the CVE l Assignment - Candidate number CAN-1999-XXXX to distinguish from validated CVE entry - Candidate Numbering Authority (CNA) reduces “noise” l Proposal - Announcement and discussion - Voting: Accept, Modify, Reject, Recast, Reviewing l Modification l Interim Decision l Final Decision - CVE name(s) assigned if candidate is accepted l Publication