To many It professionals a "vulnerability" refers to any fact about a computer system that is a security concern in their network environment. The CVE web site cites the TCP/IP finger protocol as an example. Since the finger service reveals user information, many network operators put in place security policies that disallow finger from being run on some systems. That makes sense at the edge where finger service might be exploited, but there might be real uses for finger in other parts of the network. But because of the issue at the edge finger would be considered a "vulnerability" and described as such in that networks security policy.
Rather than referring to this as a vulnerability even though given different use cases different use cases this may not be considered to be vulnerabilities by everyone. So CVE introduces the term "exposure" to allow a service to be identified as potentially creating a security issue without necessarily being a problem.
CVE defines vulnerabilities and exposures like this:
A universal vulnerability is a state in a computing system (or set of systems) which either:
- allows an attacker to execute commands as another user
- allows an attacker to access data that is contrary to the specified access restrictions for that data
- allows an attacker to pose as another entity
- allows an attacker to conduct a denial of service
- allows an attacker to conduct information gathering activities
- allows an attacker to hide activities
- includes a capability that behaves as expected, but can be easily compromised
- is a primary point of entry that an attacker may attempt to use to gain access to the system or data
- is considered a problem according to some reasonable security policy
No comments:
Post a Comment