[VIM] CVE published vs unpublished

security curmudgeon jericho at attrition.org
Sat Dec 27 06:28:53 UTC 2008 

From: Noam Rathaus <noamr at beyondsecurity.com>
Date: Mon, 14 Jan 2008 21:50:27 +0200

Notice the date here, i'm replying a considerable time later.

Noam said:

: > Can someone from CVE administrator give me an estimate how many given CVEs
: > have not materialized into "anything" (never been disclosed - remained under
: > review)?

This is a good question. Over the years, i was curious from an OSVDB 
standpoint and "how many CVE do we map to" from a numeric aspect. If you 
look at CVE-2007-0001 to CVE-2007-3000, are we really missing 500 
(arbitrary number)? Or is it a case where we're missing 300 because 200 
were never published?

When I got back into the grind of full time pen-testing, I was in a 
position to handle vulnerability disclosure. It was a shop with 20 full 
time consultants when I joined, every single one working 40 hour weeks or 
more, with *zero down time*. Imagine the vulnerabilities we found over 
time =) While many of us did a lot of custom application tests, that do 
not warrant CVE numbers, we did test COTS frequently. When I joined, no 
one was handling disclosure either. It was done rarely, by a consultant's 
own initiative, typically only for reoccuring clients. 

Within a year, I think I ended up requesting a dozen or so CVEs from Steve 
(I say that to distinguish they came from CVE, not another pool). Over a 
year after requesting them, most are still reserved. Since I am no longer 
with the company, I don't know if they will ever be released. If they 
aren't in 5 years, I may mail Steve out of the blue and say "these CVE 
requests will never get published I don't think", just to throw him a 
curve ball and make him think.

Some of the vulnerabilities I found, have since been published. The 
company I was with finally opted not to publish advisories, after spending 
countless hours writing our policy, template, going back/forth with 
lawyers, etc. The ones I released were done quietly, with 100% responsible 
disclosure (waiting a long time for the vendor if needed), and have since 
been added quietly to CVE, OSVDB and Nessus in at least one case. The 
vulnerabilities I did not discover, but were handling disclosure for at 
the time, are the ones that will likely never see the light of day unless 
a third party finds it. That is very possible, because none of the 
software was really obscure. I hate being bound by NDA and sitting on 
vulnerabilities that were reported, but may be unpatched because no one 
harassed the vendor.

On Wed, 23 Jan 2008, Steven M. Christey wrote:

: Also, I don't ping the people who reserved CVEs in order to check on 
: their status.  Some might have turned out to be false and the requester 
: never notified us; in other cases, maybe a decision was made not to 
: publish; some might still be in the middle of the resolution process.

This would be a neat one time event. Ping the people who requested, ask 
the status. I suggest it because I have done this with a reserved OSVDB 
that sat there for a year. After I pinged the researcher, he basically 
said "oops, totally spaced it, thanks for reminding me" and he ended up 
publishing details and the OSVDB was made public.

: Also, we are inconsistent about handling vague vulnerability reports 
: from auction / non-disclosure firms like WabiSabiLabi and Immunity, but 
: generally don't include them.  This includes the hash publications we're 
: starting to see more of.

Since this mail, more have been posted. If I had more time, i'd love to 
document all of them in one place, and ping the researchers every X months 
asking if it has since been disclosed. What bothers me most about this 
practice is that pre-posting hashes is essentially saying "i'm first, 
here's proof if i need it" and it isn't necessarily linked to the actual 
disclosure days/months/years later.

: 2001  min=18  ; max=20
: 2002  min=33  ; max=40
: 2003  min=36  ; max=56
: 2004  min=48  ; max=74
: 2005  min=110  ; max=146
: 2006  min=134  ; max=170
: 2007  min=178  ; max=231
: 2008  min=68  ; max=100

This is a fascinating number too: 873. How many people have considered 
that there may be 873 known vulnerabilities (likely more when you consider 
CVE grouping/abstraction) out there, sitting in the hands of presumably 
'good' security companies, but undisclosed. That begins to give an 
interesting basis for considering how many vulnerabilities are out there, 
undisclosed, without CVE candidates. Safe to assume 5x more? 10x more? 
100x more?

More information about the VIM mailing list