Security researchers are urging the infosec community to abandon the MITRE-run CVE scheme for naming flaws in favour of a system that distributes the responsibility for assigning identifiers away from a single, government-run organisation.
The common vulnerabilities and exposures (CVE) system is run by the US MITRE Corporation, which is funded by the US Department of Homeland Security.
It was mandated for use by US government agencies in 2002, and currently covers more than 150 organisations and 300 products. The CVE system has been adopted as de facto for software flaw IDs internationally.
The system assigns unique numbers to vulnerabilities in publicly released software to help security companies and end user security professionals create and apply patches. It does not apply to open source technologies.
MITRE’s handling of the CVE database in recent years has earned complaints from security researchers across the globe who claim the organisation does not respond to requests for CVE assignment in a timely manner, or in some cases, at all.
A lack of CVE assignment results in a software bug being ignored by the US national vulnerability database, which is heavily relied on by US government agencies. Some big businesses are also known to dismiss bugs that lack a CVE ID, which raises the potential for a flaw to go unpatched.
The issue came to a head in March this year when a group of security researchers banded together to create a new ID system to catalogue software flaws they say were ignored by MITRE.
The distributed weakness filing (DWF) system was created by Red Hat employee and MITRE board member Kurt Seifried together with researchers Larry Cashdollar, Zachary Wikholm, and Josh Bressers.
Seifried in March said he had been spurred to act after receiving multiple confirmed reports of researchers coming up against a MITRE brick wall.
“We need a distributed, scale out method for assigning vulnerability identifiers that is as compatible with the existing CVE system as possible,” he wrote.
“Not just in terms of format but in terms of process and usage.
“My goal is to create a simple system for assigning vulnerability identifiers that relies on the community and not a single entity or organisation. Additionally I want to reduce the time and effort needed to get identifiers, something best achieved by pushing assigning out to as close to the vulnerability discover/handling as possible.”
Pros troll CVE
Australian security researcher David Jorm today told the AusCERT 2016 conference the problem had gotten so bad that infosec pros were mocking the CVE system by submitting false flaws from fake software they knew MITRE would easily assign a CVE ID to.
One researcher, who identified himself as Justin Timberlake with the email address firstname.lastname@example.org, reported a flaw in the "simulated reaming algorithm" of a piece of software that turned out to be a "zip file of randomly generated garbage", Jorm said.
"The sample exploit refers to the flanger pointer, the fister pointer, and Larry Emdur," he said.
"He immediately got a CVE. Two day turnaround for Justin Timberlake. What gives?"
Jorm also cited several examples of his own personal experience struggling to get a CVE assigned to flaws he had discovered.
In one case, the infosec pro pentested Grandstream Android phones and found they were susceptible to remote code execution. After reporting the flaw to MITRE, he claims to have received no response of any kind.
In response, he decided to give his vulnerability a name - dubbing it the Phwned flaw, complete with its own website - to give it the canonical identifier he had been unable to obtain from MITRE.
He today urged the industry to "rally around" the new DWF system.
"We've got a simple problem and a simple solution to it. It just needs uptake, it needs that critical mass," Jorm said.
"And the only way that's going to happen is if everybody starts using it."
DWF will be managed by numerous entities acting as numbering authorities. Anyone can be be designated a naming authority by requesting the status on Github.
The system will complement CVE; flaws with existing CVE identifiers can be mapped to DWF. Researchers who have been unable to obtain a CVE can request a DWF from one of the numbering authorities, either by direct email or through Github.