Cisco IOS CVE-2011-3279


Cisco IOS CVE-2011-3279

Aharon

Attached is CVE-2011-3279 for IOS.

 

I am finding that the version_string test using pattern_matching for the 100+ Cisco versions impacted by an individual CVE is both cumbersome and error prone. In this definition I replaced the pattern matching with exact version matching. It makes for a larger definition, but I find it much more readable and manageable. I am open to discussing the merits of this change if the group deems it necessary.

 

Aharon

---------------------------------------------------
Michael "Aharon" Chernin
Security Automation Program Manager
Corporate Information Security -Depository Trust & Clearing Corporation
[hidden email]

 


_____________________________________________________________
DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DISCUSSION-LIST in the BODY of the message. If you have difficulties, write to [hidden email].

ios.xml (169K) Download Attachment

Re: Cisco IOS CVE-2011-3279

Aharon

I noticed the versions were not set to 0. Resolved.

 

Aharon

 


 

From: Chernin, Michael A.
Sent: Friday, October 21, 2011 2:11 PM
To: [hidden email]
Subject: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279

 

Attached is CVE-2011-3279 for IOS.

 

I am finding that the version_string test using pattern_matching for the 100+ Cisco versions impacted by an individual CVE is both cumbersome and error prone. In this definition I replaced the pattern matching with exact version matching. It makes for a larger definition, but I find it much more readable and manageable. I am open to discussing the merits of this change if the group deems it necessary.

 

Aharon


ios.xml (169K) Download Attachment

Re: Cisco IOS CVE-2011-3279

joval
I'm not sure if this is related, but I have observed an issue evaluating the Cisco IOS state oval:org.mitre.oval:ste:6348:

Illegal octal escape sequence near index 69
12\.4\(22\w*\)MD0?$|12\.4\(20\w*\)T(1\w*|[0-1]?|$)|12\.4\(22\w*\)T(\0?|$)|12\.4\(\d+\w*\)XZ(\d.*|$)|12\.4\(\d+\w*\)YA(\d.*|$)|12\.4\((\d|1\d|2[0-2])\[a-z|A-Z]*\)YD0?$|12\.4\((\d|1\d|2[0-2])[a-z|A-Z]*\)YE0?$|12\.2\(\d+\w*\)XN[A-D](\d.*|$)
                                                                     ^

I gather there's some issue with the "?" in "\0?|$".  Has anyone else seen this problem?

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!
Learn More | Features | Download



On 10/21/2011 2:14 PM, Chernin, Michael A. wrote:

I noticed the versions were not set to 0. Resolved.

 

Aharon

 




Re: Cisco IOS CVE-2011-3279

Aharon
In reply to this post by Aharon

I used the CPE names included within CVE-2011-3279 to generate this OVAL. I didn't realize that the CPE names used in Cisco CVEs don't represent the version of IOS that is impacted. There are approximately 150 CPE references in the CVE and there are approximately 1,600 versions impacted when viewing Cisco's vulnerability notice. What exactly do the CPEs in the CVE represent?

 

Can the 1,600 versions referenced within the Cisco document be included within the CVE in CPE format? As it is now I am having to take product and version data directly from the vendor bulletin in an unformatted fashion, which is why I thought we had the CPE standard.

 

I am going to retool this definition to use the true 1,600+ impacted versions and resubmit for discussion.

 

Aharon

 


 


Re: Cisco IOS CVE-2011-3279

Aharon
In reply to this post by Aharon

Ok, attached is a new definition using the complete list of versions. I contemplated whether this could be done more cleanly. The IOS versions could be grouped into inventory definitions. My concern is that small changes in impacted versions of future vulnerabilities could create a scenario where new, similar inventory definitions will need to be consistently created. With inventory definitions not looking promising, I put all the version tests into the vulnerability definition.

 

This is still more accurate and easier to manage than the paragraph of regular expressions:

1. Specifying the exact impacted version makes fewer assumptions

2. Exact version checking is easier to automate than automating the management of a large regular expression

3. You can quickly search a definition by version to determine impact

 

Aharon

 


 

From: Chernin, Michael A.
Sent: Monday, October 24, 2011 10:17 AM
To: 'OVAL Discussion List (Closed Public Discussion)'
Subject: RE: Cisco IOS CVE-2011-3279

 

I used the CPE names included within CVE-2011-3279 to generate this OVAL. I didn't realize that the CPE names used in Cisco CVEs don't represent the version of IOS that is impacted. There are approximately 150 CPE references in the CVE and there are approximately 1,600 versions impacted when viewing Cisco's vulnerability notice. What exactly do the CPEs in the CVE represent?

 

Can the 1,600 versions referenced within the Cisco document be included within the CVE in CPE format? As it is now I am having to take product and version data directly from the vendor bulletin in an unformatted fashion, which is why I thought we had the CPE standard.

 

I am going to retool this definition to use the true 1,600+ impacted versions and resubmit for discussion.

 

Aharon

 


ios2.xml (1M) Download Attachment
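The layout described in this post, one ios version_test per affected version with all of them OR'ed inside the vulnerability definition, is tedious to hand-build for 1,600 versions but straightforward to generate. The Python script below is an added example; it is not the attached ios2.xml and not MITRE's tooling. It assumes the OVAL 5 ios component schema's version_test, version_object and version_state with a version_string entity, as used in this thread (validate the output against the schema before submitting), mints every id under a caller-supplied namespace (org.example.ios here is a placeholder), refuses to mint ids under org.mitre.oval because that namespace belongs to the repository, and uses a constructed three-version input rather than the real affected-version list. The summarize() helper parses the result back and reports what a reviewer checks first.

```python
from datetime import datetime, timezone
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

OVAL_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_COMMON_NS = "http://oval.mitre.org/XMLSchema/oval-common-5"
IOS_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#ios"
# Ids in this namespace belong to the OVAL repository; submissions use their own.
RESERVED_NAMESPACE = "org.mitre.oval"


def is_reserved_namespace(namespace: str) -> bool:
    return namespace == RESERVED_NAMESPACE or namespace.startswith(RESERVED_NAMESPACE + ".")


def _attr(value: str) -> str:
    """Escape a value for use inside a double-quoted XML attribute."""
    return escape(value, {'"': "&quot;"})


def build_definition(cve_id: str, affected_versions, namespace: str = "org.example.ios",
                     start: int = 1, timestamp=None) -> str:
    """Emit an oval_definitions document holding one vulnerability definition.

    Criteria: OR over one ios-def:version_test per affected version, each bound to a
    version_state whose version_string uses operation="equals". Assumes the OVAL 5
    ios schema's version_test/version_object/version_state (validate before use).
    """
    if is_reserved_namespace(namespace):
        raise ValueError(f"ids under {RESERVED_NAMESPACE} are assigned by the repository")
    versions = list(dict.fromkeys(affected_versions))  # drop duplicates, keep order
    if not versions:
        raise ValueError("no affected versions given")
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")

    def oid(kind: str, n: int) -> str:
        return f"oval:{namespace}:{kind}:{n}"

    def_id, obj_id = oid("def", start), oid("obj", start)
    criteria, tests, states = [], [], []
    for n, v in enumerate(versions, start=start):
        tst_id, ste_id = oid("tst", n), oid("ste", n)
        comment = _attr(f"Cisco IOS version is {v}")
        criteria.append(f'        <criterion test_ref="{tst_id}" comment="{comment}"/>')
        tests.append(
            f'    <ios-def:version_test id="{tst_id}" version="1" check="at least one" comment="{comment}">\n'
            f'      <ios-def:object object_ref="{obj_id}"/>\n'
            f'      <ios-def:state state_ref="{ste_id}"/>\n'
            f'    </ios-def:version_test>')
        states.append(
            f'    <ios-def:version_state id="{ste_id}" version="1">\n'
            f'      <ios-def:version_string operation="equals">{escape(v)}</ios-def:version_string>\n'
            f'    </ios-def:version_state>')

    return "\n".join([
        '<?xml version="1.0" encoding="UTF-8"?>',
        f'<oval_definitions xmlns="{OVAL_DEF_NS}" xmlns:oval="{OVAL_COMMON_NS}" xmlns:ios-def="{IOS_DEF_NS}">',
        '  <generator>',
        '    <oval:product_name>build_definition example</oval:product_name>',
        '    <oval:schema_version>5.10</oval:schema_version>',
        f'    <oval:timestamp>{timestamp}</oval:timestamp>',
        '  </generator>',
        '  <definitions>',
        f'    <definition id="{def_id}" version="1" class="vulnerability">',
        '      <metadata>',
        f'        <title>{escape(cve_id)}: Cisco IOS affected versions</title>',
        '        <affected family="ios"><platform>Cisco IOS</platform></affected>',
        f'        <reference source="CVE" ref_id="{_attr(cve_id)}" '
        f'ref_url="http://cve.mitre.org/cgi-bin/cvename.cgi?name={_attr(cve_id)}"/>',
        f'        <description>Exact-match check for the {len(versions)} IOS versions the vendor lists for {escape(cve_id)}.</description>',
        '      </metadata>',
        '      <criteria operator="OR">', *criteria, '      </criteria>',
        '    </definition>',
        '  </definitions>',
        '  <tests>', *tests, '  </tests>',
        '  <objects>', f'    <ios-def:version_object id="{obj_id}" version="1"/>', '  </objects>',
        '  <states>', *states, '  </states>',
        '</oval_definitions>',
    ])


def summarize(document: str) -> dict:
    """Parse a generated document back and report what a reviewer checks first."""
    root = ET.fromstring(document.encode("utf-8"))
    ns = {"o": OVAL_DEF_NS, "ios": IOS_DEF_NS}
    ids = [el.get("id") for el in root.iter() if el.get("id")]
    return {
        "criteria_operator": root.find(".//o:criteria", ns).get("operator"),
        "criteria": len(root.findall(".//o:criterion", ns)),
        "tests": len(root.findall("o:tests/ios:version_test", ns)),
        "states": len(root.findall("o:states/ios:version_state", ns)),
        "operations": sorted({e.get("operation") for e in root.iter(f"{{{IOS_DEF_NS}}}version_string")}),
        "id_namespaces": sorted({i.split(":")[1] for i in ids}),
    }


if __name__ == "__main__":
    # Constructed three-version input, not the real CVE-2011-3279 list.
    doc = build_definition("CVE-2011-3279", ["12.4(22)MD", "12.4(20)T1", "12.2(33)XNA"])
    print(doc)
    print(summarize(doc))
```

Adding or dropping a version for a later advisory is a one-line change to the input list, which is the maintainability argument made in the post; a version string is matched only if it is literally in that list, so the "fewer assumptions" point holds by construction. The same generator could emit an inventory definition per version family instead, but, as the post notes, that only pays off if the groupings stay stable across advisories.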

Re: Cisco IOS CVE-2011-3279

Jon Baker
Administrator
In reply to this post by Aharon

Aharon,

 

I assume you are referring to the CPE Names listed in the NVD (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3279). Unfortunately, I do not know how the NVD analysts assign CPE Names to vulnerabilities or why there is such a discrepancy in this case. This might be worth asking the NVD team about. You should be able to reach them at [hidden email].

 

Thanks,

 

Jon

 

============================================

Jonathan O. Baker

G022 - IA Industry Collaboration

The MITRE Corporation

Email: [hidden email]

 


Re: Cisco IOS CVE-2011-3279

Jon Baker
Administrator
In reply to this post by Aharon

I agree that this approach is easier to manage than the mega regular expression approach previously taken. We have been sitting tight on processing this submission because we are looking for others in the community to weigh in on your approach.

 

Also, in looking at the definition I noticed that you have assigned many ids in the org.mitre.oval namespace. Is it possible to fix your submission such that all new ids are in some other namespace?


Thanks,

 

Jon

 


 

From: Chernin, Michael A. [mailto:[hidden email]]
Sent: Monday, October 24, 2011 1:41 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279

 

Ok, attached is a new definition using the complete list of versions. I contemplated whether this could be done more cleanly. The IOS versions could be grouped into inventory definitions. My concern is that small changes in impacted versions of future vulnerabilities could create a scenario where new, similar inventory definitions will need to be consistently created. With inventory definitions not looking promising, I put all the version tests into the vulnerability definition.

 

This is still more accurate and easier to manage than the paragraph of regular expressions:

1. Specifying the exact impacted version makes fewer assumptions

2. Exact version checking is easier to automate than automating the management of a large regular expression

3. You can quickly search a definition by version to determine impact

 

Aharon

 


Re: Cisco IOS CVE-2011-3279

Aharon

Jon,

 

No problem with the wait, I assumed it was due to looking for community commentary. Not sure how I ended up using Mitre namespace, so I am resubmitting with the correct temporary namespace.

 

Aharon

 



 

From: Baker, Jon [mailto:[hidden email]]
Sent: Friday, October 28, 2011 12:45 PM
To: [hidden email]
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279

 

I agree that this approach is easier to manage than the mega regular expression approach previously taken. We have been sitting tight on processing this submission because we are looking for others in the community to weigh in on your approach.

 

Also, in looking at the definition I noticed that you have assigned many ids in the org.mitre.oval namespace. Is it possible to fix your submission such that all new ids are in some other namespace?


Thanks,

 

Jon

 

============================================

Jonathan O. Baker

G022 - IA Industry Collaboration

The MITRE Corporation

Email: [hidden email]

 

From: Chernin, Michael A. [mailto:[hidden email]]
Sent: Monday, October 24, 2011 1:41 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279

 

Ok, attached is a new definition using the complete list of versions. I contemplated if this could be done cleaner. The IOS versions could be grouped out into inventory definitions. My concern is that small changes in impacted versions of future vulnerabilities could create a scenario where new similar inventory definitions will need to be consistently created. With inventory definitions not looking promising, I put all the version tests into the vulnerability definition.

 

This is still more accurate and easier to manage than the paragraph of regular expressions:

1.       Specifying the exact impacted version makes less assumptions

2.       Exact versions checking is easier to automate than automating the management of a large regular expression

3.       You can quickly search a definition by version to determine impact

 

Aharon

 

DTCC Confidential (Yellow)
---------------------------------------------------
Michael "Aharon" Chernin
Security Automation Program Manager
Corporate Information Security -Depository Trust & Clearing Corporation
[hidden email]

 

From: Chernin, Michael A.
Sent: Monday, October 24, 2011 10:17 AM
To: 'OVAL Discussion List (Closed Public Discussion)'
Subject: RE: Cisco IOS CVE-2011-3279

 

I used the CPE names included within CVE-2011-3279 to generate this OVAL. I didn’t realize that the CPE names used in Cisco CVEs don’t represent the version of IOS that is impacted.  There are approximately 150 CPEs references in the CVE and there are approximately 1,600 versions impacted when viewing Cisco’s vulnerability notice. What exactly do the CPEs in the CVE represent?

 

Can the 1,600 versions referenced within the Cisco document be included within the CVE in CPE format? As it is now I am having to take product and version data directly from the vendor bulletin in an unformatted fashion, which is why I thought we had the CPE standard.

 

I am going to retool this definition to use the true 1,600+ impacted versions and resubmit for discussion.

 

Aharon

 

DTCC Confidential (Yellow)
---------------------------------------------------
Michael "Aharon" Chernin
Security Automation Program Manager
Corporate Information Security -Depository Trust & Clearing Corporation
[hidden email]

From: Chernin, Michael A.
Sent: Friday, October 21, 2011 3:15 PM
To: 'OVAL Discussion List (Closed Public Discussion)'
Subject: RE: Cisco IOS CVE-2011-3279

I noticed the versions were not set to 0. Resolved.

Aharon

DTCC Confidential (Yellow)
---------------------------------------------------
Michael "Aharon" Chernin
Security Automation Program Manager
Corporate Information Security -Depository Trust & Clearing Corporation
[hidden email]

From: Chernin, Michael A.
Sent: Friday, October 21, 2011 2:11 PM
To: [hidden email]
Subject: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279

Attached is CVE-2011-3279 for IOS.

I am finding that the version_string test using pattern_matching for the 100+ Cisco versions impacted by an individual CVE is both cumbersome and error prone. In this definition I replaced the pattern matching with exact version matching. It makes for a larger definition, but I find it much more readable and manageable. I am open to discussing the merits of this change if the group deems it necessary.

Aharon
---------------------------------------------------
Michael "Aharon" Chernin
Security Automation Program Manager
Corporate Information Security -Depository Trust & Clearing Corporation
[hidden email]

_____________________________________________________________

DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DISCUSSION-LIST in the BODY of the message. If you have difficulties, write to [hidden email].


Attachment: ios3.xml (1M)

Re: Cisco IOS CVE-2011-3279

Luis Nunez
In reply to this post by Jon Baker
I am also in favor of the "exact version matching". It makes for easier reading of the xml. I'd like to maybe pull together some people on this thread and discuss this at the ITSAC next week.

Thanks Aharon.

-ln


On Oct 28, 2011, at 12:45 PM, Baker, Jon wrote:

I agree that this approach is easier to manage than the mega regular expression approach previously taken. We have been sitting tight on processing this submission because we are looking for others in the community to weigh in on your approach.

Also, in looking at the definition I noticed that you have assigned many ids in the org.mitre.oval namespace. Is it possible to fix your submission such that all new ids are in some other namespace?

Thanks,

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation

From: Chernin, Michael A. [mailto:[hidden email]]
Sent: Monday, October 24, 2011 1:41 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279

Ok, attached is a new definition using the complete list of versions. I contemplated if this could be done cleaner. The IOS versions could be grouped out into inventory definitions. My concern is that small changes in impacted versions of future vulnerabilities could create a scenario where new similar inventory definitions will need to be consistently created. With inventory definitions not looking promising, I put all the version tests into the vulnerability definition.

This is still more accurate and easier to manage than the paragraph of regular expressions:
1. Specifying the exact impacted version makes fewer assumptions
2. Exact version checking is easier to automate than automating the management of a large regular expression
3. You can quickly search a definition by version to determine impact

Aharon

DTCC Confidential (Yellow)
---------------------------------------------------
Michael "Aharon" Chernin
Security Automation Program Manager
Corporate Information Security -Depository Trust & Clearing Corporation
[hidden email]
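Editor's added example, not code from this thread or from the OVAL repository: a small Python script that contrasts the two matching strategies Aharon and Jon are weighing above. The affected-version list, the `show version` banner and the probe versions are constructed for illustration only (they are not the real CVE-2011-3279 list). The `oval_version_states` helper emits one `version_state` per version with `operation="equals"` under a non-MITRE namespace, as Jon asked for; the `ios-def:version_state` / `ios-def:version_string` element names are assumed from the OVAL ios schema and should be validated against the schema before submission. What it shows is the extra assumption behind point 1 above: a compact regex that "covers" the bulletin's list also accepts later rebuilds such as 12.4(24)T4 that the bulletin never named, and those may be exactly the rebuilds that carry the fix.

```python
"""Exact-match vs. regex matching of Cisco IOS version strings.

Added example (not from the thread). AFFECTED, SAMPLE_SHOW_VERSION and the
probe versions are constructed for illustration; they are not the real
affected-version list for CVE-2011-3279.
"""
import re

# Constructed sample of "affected" IOS versions, listed the way a vendor
# bulletin lists them: a train plus its individual rebuilds.
AFFECTED = frozenset({
    "12.4(24)T", "12.4(24)T1", "12.4(24)T2", "12.4(24)T3",
    "15.0(1)M", "15.0(1)M1", "15.0(1)M2",
    "15.1(2)T", "15.1(2)T1",
})

# The compact regex one is tempted to write instead of listing every version.
# It matches everything in AFFECTED, but also any later rebuild of the same
# train (e.g. 12.4(24)T4), which the bulletin never named.
COMPACT_RE = re.compile(r"^(?:12\.4\(24\)T\d*|15\.0\(1\)M\d*|15\.1\(2\)T\d*)$")

# Constructed `show version` banner in the usual IOS format.
SAMPLE_SHOW_VERSION = (
    "Cisco IOS Software, 2800 Software (C2800NM-ADVENTERPRISEK9-M), "
    "Version 12.4(24)T3, RELEASE SOFTWARE (fc2)\n"
    "Technical Support: http://www.cisco.com/techsupport\n"
)

_VERSION_RE = re.compile(r"\bVersion (\S+?),")


def parse_show_version(text):
    """Return the IOS version string from `show version` output, or None."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None


def is_affected_exact(version):
    """Exact membership: the only assumption is the bulletin's own list."""
    return version in AFFECTED


def is_affected_regex(version):
    """Regex matching: carries whatever the pattern author assumed."""
    return COMPACT_RE.match(version) is not None


def regex_overmatches(candidates):
    """Versions the regex flags that the exact list does not (false positives)."""
    return sorted(v for v in candidates
                  if is_affected_regex(v) and not is_affected_exact(v))


def oval_version_states(versions, namespace="org.example.oval", start=1):
    """Emit one OVAL ios version_state per version, operation="equals".

    Element/attribute names are assumed from the OVAL ios schema
    (ios-def:version_state / ios-def:version_string); validate against the
    schema before submitting. The id namespace is deliberately not
    org.mitre.oval, which is reserved for the repository itself.
    """
    states = []
    for n, v in enumerate(sorted(versions), start=start):
        states.append(
            f'<ios-def:version_state id="oval:{namespace}:ste:{n}" version="1">'
            f'<ios-def:version_string operation="equals">{v}</ios-def:version_string>'
            "</ios-def:version_state>"
        )
    return states


if __name__ == "__main__":
    running = parse_show_version(SAMPLE_SHOW_VERSION)
    print("running:", running, "affected:", is_affected_exact(running))
    probe = ["12.4(24)T3", "12.4(24)T4", "15.0(1)M3", "12.2(33)SXI"]
    print("regex false positives:", regex_overmatches(probe))
    print("\n".join(oval_version_states(AFFECTED)[:2]))
```

Run it as a script to see the two rebuilds the regex would wrongly flag and the first two generated states. The trade-off is the one Jon names: the exact list is larger, but every entry is a value copied from the bulletin rather than a pattern someone has to reason about, and a reviewer can grep the definition for a version string to see whether it is covered.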

Re: Cisco IOS CVE-2011-3279

Jon Baker
Administrator
In reply to this post by Aharon

I talked to Luis briefly about your approach to OVAL definitions for Cisco IOS at ITSAC. The only real downside I see is the massive size of this definition. I think that the simplified results processing, simplified maintenance, and removal of the massive regex all outweigh the size.

I am inclined to go ahead and add this definition in the repository. If needed we can update it later.

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]

From: Chernin, Michael A. [mailto:[hidden email]]
Sent: Friday, October 28, 2011 1:05 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279

Jon,

No problem with the wait, I assumed it was due to looking for community commentary. Not sure how I ended up using the Mitre namespace, so I am resubmitting with the correct temporary namespace.

Aharon

---------------------------------------------------
Michael "Aharon" Chernin
Security Automation Program Manager
Corporate Information Security -Depository Trust & Clearing Corporation
[hidden email]


Re: Cisco IOS CVE-2011-3279

Jon Baker
Administrator

This definition is now available in the repository.

Thanks,

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]


Re: Cisco IOS CVE-2011-3279

Luis Nunez
Thanks Jon.

I just wanted to add that Cisco has scheduled release dates for the IOS bundles: the 4th Wednesday of the months of March and September.

They will also release out-of-schedule advisories based on urgency. Link to Cisco security advisory policy.

thanks.
-ln




On Nov 3, 2011, at 8:55 PM, Baker, Jon wrote:

This definition is now available in the repository.
 
Thanks,
 
Jon
 
============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
 
From: Baker, Jon [mailto:[hidden email]] 
Sent: Thursday, November 03, 2011 8:36 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279
 
I talked to Luis briefly about your approach to oval definitions for cisco ios at ITSAC. The only real downside I see is the massive size of this definition. I think that the simplified results processing, simplified maintenance, and removal of the massive regex all outweigh the size.
 
I am inclined to go ahead and add this definition in the repository. If needed we can update it later.
 
Jon
 
============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
 
From: Chernin, Michael A. [hidden email] 
Sent: Friday, October 28, 2011 1:05 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279
 
Jon,
 
No problem with the wait, I assumed it was due to looking for community commentary. Not sure how I ended up using Mitre namespace, so I am resubmitting with the correct temporary namespace.
 
Aharon
 

---------------------------------------------------
Michael "Aharon" Chernin
Security Automation Program Manager
Corporate Information Security -Depository Trust & Clearing Corporation
[hidden email]
 
From: Baker, Jon [hidden email] 
Sent: Friday, October 28, 2011 12:45 PM
To: [hidden email]
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279
 
I agree that this approach is easier to manage than the mega regular expression approach previously taken. We have been sitting tight on processing this submission because we are looking for others in the community to weigh in on your approach.
 
Also, in looking at the definition I noticed that you have assigned many ids in the org.mitre.oval namespace. Is it possible to fix your submission such that all new ids are in some other namespace?

Thanks,
 
Jon
 
============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
 
From: Chernin, Michael A. [hidden email] 
Sent: Monday, October 24, 2011 1:41 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279
 
Ok, attached is a new definition using the complete list of versions. I contemplated if this could be done cleaner. The IOS versions could be grouped out into inventory definitions. My concern is that small changes in impacted versions of future vulnerabilities could create a scenario where new similar inventory definitions will need to be consistently created. With inventory definitions not looking promising, I put all the version tests into the vulnerability definition.
 
This is still more accurate and easier to manage than the paragraph of regular expressions:
1.       Specifying the exact impacted version makes less assumptions
2.       Exact versions checking is easier to automate than automating the management of a large regular expression
3.       You can quickly search a definition by version to determine impact
 
Aharon
 
DTCC Confidential (Yellow)
---------------------------------------------------
Michael "Aharon" Chernin
Security Automation Program Manager
Corporate Information Security -Depository Trust & Clearing Corporation
[hidden email]
 
From: Chernin, Michael A. 
Sent: Monday, October 24, 2011 10:17 AM
To: 'OVAL Discussion List (Closed Public Discussion)'
Subject: RE: Cisco IOS CVE-2011-3279
 
I used the CPE names included within CVE-2011-3279 to generate this OVAL. I didn’t realize that the CPE names used in Cisco CVEs don’t represent the version of IOS that is impacted.  There are approximately 150 CPEs references in the CVE and there are approximately 1,600 versions impacted when viewing Cisco’s vulnerability notice. What exactly do the CPEs in the CVE represent?
 
Can the 1,600 versions referenced within the Cisco document be included within the CVE in CPE format? As it is now I am having to take product and version data directly from the vendor bulletin in an unformatted fashion, which is why I thought we had the CPE standard.
 
I am going to retool this definition to use the true 1,600+ impacted versions and resubmit for discussion.
 
Aharon
 
DTCC Confidential (Yellow)
---------------------------------------------------
Michael "Aharon" Chernin
Security Automation Program Manager
Corporate Information Security -Depository Trust & Clearing Corporation
[hidden email]
 
From: Chernin, Michael A. 
Sent: Friday, October 21, 2011 3:15 PM
To: 'OVAL Discussion List (Closed Public Discussion)'
Subject: RE: Cisco IOS CVE-2011-3279
 
I noticed the versions were not set to 0. Resolved.
 
Aharon
 
DTCC Confidential (Yellow)
---------------------------------------------------
Michael "Aharon" Chernin
Security Automation Program Manager
Corporate Information Security -Depository Trust & Clearing Corporation
[hidden email]
 
From: Chernin, Michael A. 
Sent: Friday, October 21, 2011 2:11 PM
To: [hidden email]
Subject: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279
 
Attached is CVE-2011-3279 for IOS.
 
I am finding that the version_string test using pattern_matching for the 100+ Cisco versions impacted by an individual CVE is both cumbersome and error prone. In this definition I replaced the pattern matching with exact version matching. It makes for a larger definition, but I find it much more readable and manageable. I am open to discussing the merits of this change if the group deems it necessary.
 
Aharon
---------------------------------------------------
Michael "Aharon" Chernin
Security Automation Program Manager
Corporate Information Security -Depository Trust & Clearing Corporation
[hidden email]
 

_____________________________________________________________ 

DTCC DISCLAIMER: This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify us immediately and delete the email and any attachments from your system. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email.
To unsubscribe, send an email message to [hidden email] with SIGNOFF OVAL-DISCUSSION-LIST in the BODY of the message. If you have difficulties, write to [hidden email].


Re: Cisco IOS CVE-2011-3279

Omar Santos

Thanks Jon and Luis,

 

Luis is correct, the Cisco PSIRT regularly discloses vulnerabilities in Cisco IOS Software on the fourth Wednesdays in March and September via the Cisco IOS Software Security Advisory Bundled Publication. FYI, I will be the new representative from the Cisco PSIRT for OVAL. You can engage me with any questions about each bundle Security Advisory (and any other Cisco security advisory), escalation requests, or any other related issues.


Regards,

Omar Santos
Incident Manager, PSIRT
Security Research and Operations
Cisco Systems, Inc.
Email: [hidden email]
Phone: +1 919 392 8635
PGP Key: 0x3AF27EDC

Cisco.com - http://www.cisco.com
Cisco Security Advisories and Notices - http://www.cisco.com/go/psirt


On 11/4/2011 10:44 AM, Luis Nunez wrote:
Thanks Jon.

I just wanted to add that Cisco has scheduled release dates for the IOS bundles: the 4th Wednesday of the months of March and September.

They will also release out-of-schedule advisories based on urgency. Link to Cisco security advisory policy.

thanks.
-ln




On Nov 3, 2011, at 8:55 PM, Baker, Jon wrote:

This definition is now available in the repository.
 
Thanks,
 
Jon
 
============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
 
From: Baker, Jon [[hidden email]] 
Sent: Thursday, November 03, 2011 8:36 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279
 
I talked to Luis briefly about your approach to OVAL definitions for Cisco IOS at ITSAC. The only real downside I see is the massive size of this definition. I think that the simplified results processing, simplified maintenance, and removal of the massive regex all outweigh the size.
 
I am inclined to go ahead and add this definition in the repository. If needed we can update it later.
 
Jon
 
============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
 
From: Chernin, Michael A. [hidden email] 
Sent: Friday, October 28, 2011 1:05 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279
 
Jon,
 
No problem with the wait, I assumed it was due to looking for community commentary. Not sure how I ended up using Mitre namespace, so I am resubmitting with the correct temporary namespace.
 
Aharon
 

---------------------------------------------------
Michael "Aharon" Chernin
Security Automation Program Manager
Corporate Information Security -Depository Trust & Clearing Corporation
[hidden email]
 
From: Baker, Jon [hidden email] 
Sent: Friday, October 28, 2011 12:45 PM
To: [hidden email]
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279
 
I agree that this approach is easier to manage than the mega regular expression approach previously taken. We have been sitting tight on processing this submission because we are looking for others in the community to weigh in on your approach.
 
Also, in looking at the definition I noticed that you have assigned many ids in the org.mitre.oval namespace. Is it possible to fix your submission such that all new ids are in some other namespace?

Thanks,
 
Jon
 
============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
 
From: Chernin, Michael A. [hidden email] 
Sent: Monday, October 24, 2011 1:41 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279
 

Re: Cisco IOS CVE-2011-3279

drothenberg
In reply to this post by joval

David,

    I have taken a look into this, and have some news if you have not had this resolved yet. According to the java.util.regex javadoc, the “\0” escape is interpreted as the beginning of an octal escape. The “\0” should be followed by either two numbers in the range [0-7] or three numbers of the form [0-3][0-7][0-7]. Had you intended this to be interpreted as the NULL character? The “$” should catch the end-of-line if so. Also, looking at the regex, is the space after the “YA” option and before the 12 in the “YD” option intentional?

 

David Rothenberg

 

From: David Solin [mailto:[hidden email]]
Sent: Friday, October 21, 2011 3:30 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279

 

I'm not sure if this is related, but I have observed an issue evaluating the Cisco IOS state oval:org.mitre.oval:ste:6348:

Illegal octal escape sequence near index 69
12\.4\(22\w*\)MD0?$|12\.4\(20\w*\)T(1\w*|[0-1]?|$)|12\.4\(22\w*\)T(\0?|$)|12\.4\(\d+\w*\)XZ(\d.*|$)|12\.4\(\d+\w*\)YA(\d.*|$)|
12\.4\((\d|1\d|2[0-2])\[a-z|A-Z]*\)YD0?$|12\.4\((\d|1\d|2[0-2])[a-z|A-Z]*\)YE0?$|12\.2\(\d+\w*\)XN[A-D](\d.*|$)
                                                                     ^

I gather there's some issue with the "?" in "\0?|$".  Has anyone else seen this problem?

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!




Re: Cisco IOS CVE-2011-3279

joval
Hi David,

It's not my content; it's just a problem I observed trying to use the public (MITRE) content.  I presume it must have been written by someone who went to some length to interpret the meaning of an IOS version_string.  I really have no idea what it's "supposed" to be checking for, only that it appears to be broken.

If, as you suggest, it's supposed to represent a NULL, then the whole group (\0?|$) should just be replaced with a $, right?  Does Perl regex interpret "\0" as a $?

Best regards,
--David


--

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!

Re: Cisco IOS CVE-2011-3279

mdavidson

The description of the referencing definition is this:

 

Unspecified vulnerability in Cisco IOS 12.2XNA, 12.2XNB, 12.2XNC, 12.2XND, 12.4MD, 12.4T, 12.4XZ, and 12.4YA allows remote attackers to cause a denial of service (device reload) via a crafted NTPv4 packet, aka Bug IDs CSCsu24505 and CSCsv75948.

 

Presumably, that regular expression was crafted to match each of the above version numbers. The regex appears to match each version number individually with an OR in between each version number matching regex.

 

The component regular expressions can be broken out as such (offending regex is #3; it’s bolded):

1. 12\.4\(22\w*\)MD0?$|
2. 12\.4\(20\w*\)T(1\w*|[0-1]?|$)|
3. 12\.4\(22\w*\)T(\0?|$)|12\.4\(\d+\w*\)XZ(\d.*|$)|
4. 12\.4\(\d+\w*\)YA(\d.*|$)|
5. 12\.4\((\d|1\d|2[0-2])\[a-z|A-Z]*\)YD0?$|
6. 12\.4\((\d|1\d|2[0-2])[a-z|A-Z]*\)YE0?$|
7. 12\.2\(\d+\w*\)XN[A-D](\d.*|$)

I think that the \0? was probably intended to be something like 0\w*, based on how the rest of the regexes look. It looks like a typo to me.

 

-Mark

 


Re: Cisco IOS CVE-2011-3279

drothenberg

I do believe that the \0 matches the end of the string. I had created a small check using variables since I cannot test IOS devices, and it evaluates to true for expected version strings. This just shows that it runs fine on the PCRE library as opposed to java.util.regex, which throws errors. I agree with Mark that it is similar to some of the other patterns (namely 1, 5, 6 in his list) and could be a typo. As it currently stands, the “\0?|$” regex actually lets additional text follow the version string since the left-hand side evaluates to true (? instead of + matched 0 null bytes, an acceptable number in this case). This could be a design flaw, as it no longer takes into account the position of the end of the string. The same holds for most of the other cases where there is a “?|$” in the regex string. I doubt this functionality is intended, since there are easier ways to allow for an “any” string before the end of the line.

 

David Rothenberg

From: Davidson II, Mark S [mailto:[hidden email]]
Sent: Friday, December 09, 2011 10:42 AM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279

 

The description of the referencing definition is this:

 

Unspecified vulnerability in Cisco IOS 12.2XNA, 12.2XNB, 12.2XNC, 12.2XND, 12.4MD, 12.4T, 12.4XZ, and 12.4YA allows remote attackers to cause a denial of service (device reload) via a crafted NTPv4 packet, aka Bug IDs CSCsu24505 and CSCsv75948.

 

Presumably, that regular expression was crafted to match each of the above version numbers. The regex appears to match each version number individually with an OR in between each version number matching regex.

 

The component regular expressions can be broken out as such (offending regex is #3; it’s bolded):

1. 12\.4\(22\w*\)MD0?$|
2. 12\.4\(20\w*\)T(1\w*|[0-1]?|$)|
3. 12\.4\(22\w*\)T(\0?|$)|12\.4\(\d+\w*\)XZ(\d.*|$)|
4. 12\.4\(\d+\w*\)YA(\d.*|$)|
5. 12\.4\((\d|1\d|2[0-2])\[a-z|A-Z]*\)YD0?$|
6. 12\.4\((\d|1\d|2[0-2])[a-z|A-Z]*\)YE0?$|
7. 12\.2\(\d+\w*\)XN[A-D](\d.*|$)

 

I think that the \0? was probably intended to be something like 0\w*, based on how the rest of the regexes look. It looks like a typo to me.

 

-Mark

 

From: David Solin [hidden email]
Sent: Friday, December 09, 2011 10:32 AM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279

 

Hi David,

It's not my content; it's just a problem I observed trying to use the public (MITRE) content.  I presume it must have been written by someone who went to some length to interpret the meaning of an IOS version_string.  I really have no idea what it's "supposed" to be checking for, only that it appears to be broken.

If as you suggest it's supposed to represent a NULL, then the whole group (\0?|$) should just be replaced with a $, right?  Does Perl regex interpret "\0" as a $?

Best regards,
--David

On 12/9/2011 9:19 AM, Rothenberg, David B. wrote:

David,

    I have taken a look into this, and have some news if you have not had this resolved yet. According to the java.util.regex javadoc, the “\0” escape is interpreted as the beginning of an octal escape. The “\0” should be followed by either two numbers in the range [0-7] or three numbers of the form [0-3][0-7][0-7]. Had you intended this to be interpreted as the NULL character? The “$” should catch the end-of-line if so. Also, looking at the regex, is the space after the “YA” option and before the 12 in the “YD” option intentional?

 

David Rothenberg

 

From: David Solin [[hidden email]]
Sent: Friday, October 21, 2011 3:30 PM
To: oval-discussion-list OVAL Discussion List/Closed Public Discussi
Subject: Re: [OVAL-DISCUSSION-LIST] Cisco IOS CVE-2011-3279

 

I'm not sure if this is related, but I have observed an issue evaluating the Cisco IOS state oval:org.mitre.oval:ste:6348:

Illegal octal escape sequence near index 69
12\.4\(22\w*\)MD0?$|12\.4\(20\w*\)T(1\w*|[0-1]?|$)|12\.4\(22\w*\)T(\0?|$)|12\.4\(\d+\w*\)XZ(\d.*|$)|12\.4\(\d+\w*\)YA(\d.*|$)|
12\.4\((\d|1\d|2[0-2])\[a-z|A-Z]*\)YD0?$|12\.4\((\d|1\d|2[0-2])[a-z|A-Z]*\)YE0?$|12\.2\(\d+\w*\)XN[A-D](\d.*|$)
                                                                     ^

I gather the there's some issue with the "?" in "\0?|$".  Has anyone else seen this problem?

jOVAL.org: OVAL implemented in Java.
Scan any machine from any machine. For free!
Learn More | Features | Download


var_ios_version55_test.xml (13K) Download Attachment
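A small harness, added here as an illustration and not part of any post in this thread or of the MITRE content, that runs the posted pattern through Python's re module as a stand-in for the PCRE behaviour Rothenberg describes (Java's rejection of "\0" cannot be reproduced this way). It checks that "\0" is read as a NUL byte, shows that the "(\0?|$)" group lets junk trail the version string, splits the composite pattern the way the engine does, and flags every branch that ends in a "?|$" group. The treatment of OVAL pattern match as an unanchored search, the anchored replacement for branch #3, and the sample version strings are assumptions made for the example:

```python
import re

# The composite version_string pattern quoted from Solin's error message for
# state oval:org.mitre.oval:ste:6348, with the two output lines joined (the
# break Rothenberg read as a space after the YA branch is dropped here).
POSTED = (
    r"12\.4\(22\w*\)MD0?$|12\.4\(20\w*\)T(1\w*|[0-1]?|$)|12\.4\(22\w*\)T(\0?|$)|"
    r"12\.4\(\d+\w*\)XZ(\d.*|$)|12\.4\(\d+\w*\)YA(\d.*|$)|"
    r"12\.4\((\d|1\d|2[0-2])\[a-z|A-Z]*\)YD0?$|12\.4\((\d|1\d|2[0-2])[a-z|A-Z]*\)YE0?$|"
    r"12\.2\(\d+\w*\)XN[A-D](\d.*|$)"
)

# Branch #3 with its end-of-string anchor restored, reading "\0?" as Mark's
# suggested "0\w*". Which T rebuilds the CVE actually covers is an assumption
# made for this example, not the corrected MITRE content.
FIXED_T22 = r"12\.4\(22\w*\)T(0\w*)?$"


def matches(pattern, version):
    """Approximate OVAL 'pattern match' as an unanchored search (assumption)."""
    return re.search(pattern, version) is not None


def nul_escape_is_literal():
    """Python's re, like PCRE, reads \\0 as a NUL byte rather than rejecting it."""
    return re.fullmatch(r"\0", "\x00") is not None


def top_level_branches(pattern):
    """Split a pattern on every '|' outside groups and character classes.

    This is the split the engine performs, so a '|' that was meant to sit
    inside a class but escaped it (the '\\[' in the YD branch) shows up as
    an extra, nonsensical branch.
    """
    branches, buf, depth, in_class, i = [], [], 0, False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\":                      # escaped char: copy it, never interpret it
            buf.append(pattern[i:i + 2])
            i += 2
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "|" and depth == 0:
            branches.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    branches.append("".join(buf))
    return branches


def dead_end_anchors(pattern):
    """Branches containing a group of the form (...X?|$).

    Because X? can match the empty string, the alternation succeeds before
    the '$' is ever tried, so the branch no longer cares where the version
    string ends.
    """
    return [b for b in top_level_branches(pattern) if re.search(r"\?\|\$\)", b)]


if __name__ == "__main__":
    # Constructed sample version strings, not collected from a device.
    for v in ["12.4(22)T", "12.4(22)T5", "12.4(22)T5junk", "12.4(22)YD", "12.4(22)YE"]:
        print(f"{v:16} posted={matches(POSTED, v)!s:5} fixed_T22={matches(FIXED_T22, v)}")
    print("lax branches:", dead_end_anchors(POSTED))
```

Running it shows branches 2 and 3 as the ones whose "$" is unreachable, and the engine-level split also exposes the escaped "\[" in the YD branch: it turns the "|" inside what was meant to be a character class into a top-level alternation, so no real 12.4(x)YD version string can match that branch at all.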