Quantcast

Should a CPE name be assigned to Windows Remote Desktop Protocol?

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Should a CPE name be assigned to Windows Remote Desktop Protocol?

Brant Cheikes

We recently noticed that this NVD entry for CVE-2012-0002

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0002

 

seems to have assigned the following CPE name to RDP:

cpe:/a:microsoft:remote_desktop_protocol

 

This CPE name also appears in the Official CPE Dictionary as of 14Mar2012.

 

Unless I’m mistaken, this is the first time a CPE name has been assigned to a protocol rather than a software application, operating system, or hardware device.  Here is related documentation from Microsoft:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa383015%28v=vs.85%29.aspx

 

The pertinent Microsoft security bulletin is here:

http://technet.microsoft.com/en-us/security/bulletin/ms12-020

 

We note that the bulletin does not list “Remote Desktop Protocol” under “Affected Software”.

 

Any opinions about this use of CPE?  Absent a strong rationale for its retention, we would recommend dropping this CPE name from the Dictionary and from the NVD entry.

 

/Brant

 

Brant A. Cheikes
The MITRE Corporation
202 Burlington Road, M/S K302
Bedford, MA 01730-1420
Tel. 781-271-7505; Cell. 617-694-8180; Fax. 781-271-2352

 


smime.p7s (9K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Should a CPE name be assigned to Windows Remote Desktop Protocol?

McCormick, Christopher [USA]
Hi Brant,

  The NVD mapping has been revised to not include the erroneous name.  The name has also been deprecated from the Dictionary.  The deprecation processed is attached.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0002

http://web.nvd.nist.gov/view/cpe/search/results?searchChoice=keyword&includeDeprecated=on&searchText=cpe%3A%2Fa%3Amicrosoft%3Aremote_desktop_protocol

Regards,

Chris



From: Cheikes, Brant A. [[hidden email]]
Sent: Thursday, March 22, 2012 11:00 AM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] Should a CPE name be assigned to Windows Remote Desktop Protocol?

We recently noticed that this NVD entry for CVE-2012-0002

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0002

 

seems to have assigned the following CPE name to RDP:

cpe:/a:microsoft:remote_desktop_protocol

 

This CPE name also appears in the Official CPE Dictionary as of 14Mar2012.

 

Unless I’m mistaken, this is the first time a CPE name has been assigned to a protocol rather than a software application, operating system, or hardware device.  Here is related documentation from Microsoft:

http://msdn.microsoft.com/en-us/library/windows/desktop/aa383015%28v=vs.85%29.aspx

 

The pertinent Microsoft security bulletin is here:

http://technet.microsoft.com/en-us/security/bulletin/ms12-020

 

We note that the bulletin does not list “Remote Desktop Protocol” under “Affected Software”.

 

Any opinions about this use of CPE?  Absent a strong rationale for its retention, we would recommend dropping this CPE name from the Dictionary and from the NVD entry.

 

/Brant

 

Brant A. Cheikes
The MITRE Corporation
202 Burlington Road, M/S K302
Bedford, MA 01730-1420
Tel. 781-271-7505; Cell. 617-694-8180; Fax. 781-271-2352

 


rdp_deprecation.xml (1K) Download Attachment
Loading...