[VIM] CVE published vs unpublished
jericho at attrition.org
Sat Dec 27 06:28:53 UTC 2008
From: Noam Rathaus <noamr at beyondsecurity.com>
Date: Mon, 14 Jan 2008 21:50:27 +0200
Notice the date here, i'm replying a considerable time later.
: > Can someone from CVE administrator give me an estimate how many given CVEs
: > have not materialized into "anything" (never been disclosed - remained under
: > review)?
This is a good question. Over the years, i was curious from an OSVDB
standpoint and "how many CVE do we map to" from a numeric aspect. If you
look at CVE-2007-0001 to CVE-2007-3000, are we really missing 500
(arbitrary number)? Or is it a case where we're missing 300 because 200
were never published?
When I got back into the grind of full time pen-testing, I was in a
position to handle vulnerability disclosure. It was a shop with 20 full
time consultants when I joined, every single one working 40 hour weeks or
more, with *zero down time*. Imagine the vulnerabilities we found over
time =) While many of us did a lot of custom application tests, that do
not warrant CVE numbers, we did test COTS frequently. When I joined, no
one was handling disclosure either. It was done rarely, by a consultant's
own initiative, typically only for reoccuring clients.
Within a year, I think I ended up requesting a dozen or so CVEs from Steve
(I say that to distinguish they came from CVE, not another pool). Over a
year after requesting them, most are still reserved. Since I am no longer
with the company, I don't know if they will ever be released. If they
aren't in 5 years, I may mail Steve out of the blue and say "these CVE
requests will never get published I don't think", just to throw him a
curve ball and make him think.
Some of the vulnerabilities I found, have since been published. The
company I was with finally opted not to publish advisories, after spending
countless hours writing our policy, template, going back/forth with
lawyers, etc. The ones I released were done quietly, with 100% responsible
disclosure (waiting a long time for the vendor if needed), and have since
been added quietly to CVE, OSVDB and Nessus in at least one case. The
vulnerabilities I did not discover, but were handling disclosure for at
the time, are the ones that will likely never see the light of day unless
a third party finds it. That is very possible, because none of the
software was really obscure. I hate being bound by NDA and sitting on
vulnerabilities that were reported, but may be unpatched because no one
harassed the vendor.
On Wed, 23 Jan 2008, Steven M. Christey wrote:
: Also, I don't ping the people who reserved CVEs in order to check on
: their status. Some might have turned out to be false and the requester
: never notified us; in other cases, maybe a decision was made not to
: publish; some might still be in the middle of the resolution process.
This would be a neat one time event. Ping the people who requested, ask
the status. I suggest it because I have done this with a reserved OSVDB
that sat there for a year. After I pinged the researcher, he basically
said "oops, totally spaced it, thanks for reminding me" and he ended up
publishing details and the OSVDB was made public.
: Also, we are inconsistent about handling vague vulnerability reports
: from auction / non-disclosure firms like WabiSabiLabi and Immunity, but
: generally don't include them. This includes the hash publications we're
: starting to see more of.
Since this mail, more have been posted. If I had more time, i'd love to
document all of them in one place, and ping the researchers every X months
asking if it has since been disclosed. What bothers me most about this
practice is that pre-posting hashes is essentially saying "i'm first,
here's proof if i need it" and it isn't necessarily linked to the actual
disclosure days/months/years later.
: 2001 min=18 ; max=20
: 2002 min=33 ; max=40
: 2003 min=36 ; max=56
: 2004 min=48 ; max=74
: 2005 min=110 ; max=146
: 2006 min=134 ; max=170
: 2007 min=178 ; max=231
: 2008 min=68 ; max=100
This is a fascinating number too: 873. How many people have considered
that there may be 873 known vulnerabilities (likely more when you consider
CVE grouping/abstraction) out there, sitting in the hands of presumably
'good' security companies, but undisclosed. That begins to give an
interesting basis for considering how many vulnerabilities are out there,
undisclosed, without CVE candidates. Safe to assume 5x more? 10x more?
More information about the VIM