The Center for Education and Research in Information Assurance and Security (CERIAS)

Running the Free Vulnerability Notification System Cassandra

Download

Download PDF Document
PDF

Author

Pascal C. Meunier and Eugene H. Spafford

Tech report number

CERIAS TR 2002-34

Entry type

conference

Abstract

The public part of the vulnerability management cycle (publication, notification and patching) is of interest to system administrators. We describe the architecture of the Cassandra vulnerability notification system (https://cassandra.cerias.purdue.edu). The timeliness of its notifications was evaluated by using the publication dates of CERT Incident Notes as approximations of the dates when vulnerabilities became widely exploited. We found that notifications sent by Cassandra in 2001 (through November) provided a forewarning of 60 days on average. However, these notifications were not always timely. An analysis of the vulnerability information flow identified sources of undesirable delays. A new Cassandra service, CVE Change Logs, was created to report daily changes to the CVE and bypass some of these sources of delay. Other efforts by MITRE mitigated other sources of delay and consolidated changes on their web site. An unexpected finding of this study is that the timing and the number of vulnerabilities involved in a disclosure method can contribute to notification delays, because of the limited processing capacity of intermediaries and the finite patching capacity of system administrators. We conclude that disclosing vulnerabilities in large batches contributes to notification and patching delays and is undesirable. For the same reasons, randomly timed disclosures should likewise be undesirable, which suggests the creation of a concerted mechanism for the disclosure of vulnerabilities.
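The abstract describes two concrete pieces of the Cassandra workflow: a daily CVE change log (reporting what was added, removed or altered between two snapshots of the CVE) and a forewarning measurement (days between a notification and the corresponding CERT Incident Note). The following is an added example, not code from the report or from the Cassandra service, showing both on constructed data; every CVE identifier, date and description in it is made up, and the real service's output format is not reproduced.

```python
"""Added example (not from the CERIAS report or the Cassandra service).

Two parts of the workflow the abstract describes, on constructed data:
  1. a daily CVE change log: diff two snapshots of CVE entries and report
     additions, removals and field changes;
  2. the forewarning measurement: days between a notification and the
     matching CERT Incident Note date (used as a proxy for wide exploitation),
     with the mean and the cases that arrived late.
All identifiers, dates and descriptions below are made up.
"""
from datetime import date
from statistics import mean

# --- 1. daily CVE change log -----------------------------------------------

# Constructed snapshots of the CVE on two consecutive days.
SNAPSHOT_DAY1 = {
    "CVE-2001-0001": {"status": "candidate", "desc": "buffer overflow in foo"},
    "CVE-2001-0002": {"status": "entry", "desc": "format string in bar"},
    "CVE-2001-0003": {"status": "candidate", "desc": "dir traversal in baz"},
}
SNAPSHOT_DAY2 = {
    "CVE-2001-0001": {"status": "entry", "desc": "buffer overflow in foo"},  # promoted
    "CVE-2001-0002": {"status": "entry", "desc": "format string in bar"},    # unchanged
    "CVE-2001-0004": {"status": "candidate", "desc": "weak auth in qux"},     # new
}  # CVE-2001-0003 is absent on day 2 (e.g. rejected candidate)


def cve_change_log(old, new):
    """Return {'added': [...], 'removed': [...], 'modified': {id: {field: (old, new)}}}.

    Only entries whose fields actually differ appear under 'modified', so an
    unchanged entry produces no noise in the daily log.
    """
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = {}
    for cve_id in sorted(set(old) & set(new)):
        diffs = {f: (old[cve_id][f], new[cve_id].get(f))
                 for f in old[cve_id] if old[cve_id][f] != new[cve_id].get(f)}
        # fields present only in the new snapshot
        diffs.update({f: (None, new[cve_id][f])
                      for f in new[cve_id] if f not in old[cve_id]})
        if diffs:
            modified[cve_id] = diffs
    return {"added": added, "removed": removed, "modified": modified}


# --- 2. forewarning: notification date vs. incident-note date ----------------

# Constructed pairs: (cve id, date the notification was sent,
#                     publication date of the CERT Incident Note).
PAIRS = [
    ("CVE-2001-0001", date(2001, 3, 1), date(2001, 5, 10)),   # 70 days of warning
    ("CVE-2001-0002", date(2001, 6, 15), date(2001, 6, 10)),  # -5: note came first
    ("CVE-2001-0004", date(2001, 8, 1), date(2001, 9, 20)),   # 50 days of warning
]


def forewarning(pairs):
    """Days of warning per entry; negative means the note preceded the notification."""
    return {cve: (note - sent).days for cve, sent, note in pairs}


def summarize(pairs):
    """Mean forewarning in days plus the list of entries notified too late."""
    fw = forewarning(pairs)
    late = sorted(c for c, d in fw.items() if d <= 0)
    return {"mean_days": mean(fw.values()), "late": late}


if __name__ == "__main__":
    print(cve_change_log(SNAPSHOT_DAY1, SNAPSHOT_DAY2))
    print(summarize(PAIRS))
```

The "late" list is the check a practitioner cares about: a healthy mean forewarning (the report found 60 days) can hide individual entries whose notification arrived after exploitation was already widespread.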

Date

2002 – June – 26

Address

First.Org, Inc., PMB 349, 650 Castro Street, Suite 120, Mountain View, CA 94041, USA

Institution

Purdue University

Key alpha

Meunier

Publisher

FIRST Conference

Affiliation

CERIAS

Keywords

CVE, MITRE, ICAT

Language

English

Subject

Vulnerability notification services
