Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] [CVE 2007-3816] [Advisory] Vulnerability Facts Rel

from [Steven M. Christey] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] [CVE 2007-3816] [Advisory] Vulnerability Facts Related JWIG Advisory
Date: Thu, 26 Jul 2007 17:24:00 -0400 (EDT) 

[sorry for any duplication]

Regarding the JWIG issue: this seems more like a description of a
*class* of vulnerabilities that could apply to an application written
in JWIG, if the application allows an attacker to influence the
contents of a template (which seems quite possible).  CVE does not
handle vulnerability classes (that's more the job of CWE), so we
probably should not have assigned an identifier.

Speaking of CVE...


Debasis Mohanty said:


this is not first time a CVE been assigned to a fake claims.


grep for "** DISPUTED **" in the descriptions, and you'll see this is
the case (over 250 by last count, which is about 1% of all publicly
reported issues, including some cases where the vendor disputes the
issue but it's probably legit).


history has proven that many clowns in the past had their fake claim
promoted by getting a CVE tagged.


In the vulnerability information management world, you basically have
three options when this kind of thing happens:

 - highlight the issue with dispute (CVE) or "Myth/Fake" (OSVDB)

 - delete the issue entirely without any tracing (others)

 - dedicate extensive resources to verify every claim, and/or don't
   publish until you're confident the claim is real (CERT and others)

When researchers seem to make frequent errors, we will put them on an
informal watch list, and de-prioritize their reports (when we're busy)
or try to verify or rebut them ourselves (when we've got time).


It is understood that with more are more exponentially replicating
clowns in the industry it is hard for mitre to validate all vague
claims.


We cannot verify every claim, and certainly vague claims cannot be
verified.  NOBODY has the resources to verify every single claim (see
[1] if you care).

We rely on vendor contacts and public acknowledgements, public
commentary on mailing lists, other refined vulnerability information
sources, and our own analysis (where feasible).  We used to have
voting by the CVE Editorial Board, but that got too unwieldy for them
due to the volume.

Over the years, CVE's role has evolved to become something of a
universal bug tracker, so the percentage of closely-reviewed issues
has decreased, alas.  The growth of grep-and-gripe research is
definitely a factor, but as Simple Nomad said [2], the system of
disclosure-by-mailing-list still works.

- Steve


[1] Why Vulnerability Databases can't do everything
    http://marc.info/?t=112145271100004&r=1&w=2

[2] Re: local Calendar System v1.1 (lcStdLib.inc) Remote File Include
    http://seclists.org/bugtraq/2007/Jan/0662.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Re: [Full-disclosure] [CVE 2007-3816] [Advisory] Vulnerability Facts Related JWIG Advisory, Steven M. Christey <=
Previous by Date:  [Full-disclosure] iDefense Security Advisory 07.26.07: IBM AIX capture Terminal Control Sequence Buffer Overflow Vulnerability, iDefense Labs
Next by Date:  [Full-disclosure] WordPress wp-feedstats persistent XSS, David Kierznowski
Previous by Thread:  [Full-disclosure] iDefense Security Advisory 07.26.07: IBM AIX capture Terminal Control Sequence Buffer Overflow Vulnerability, iDefense Labs
Next by Thread:  [Full-disclosure] WordPress wp-feedstats persistent XSS, David Kierznowski
Indexes:  [Date] [Thread] [Top] [All Lists]