Mobility Loop


Originally published by Mobility Loop.

Reposted with permission.

Copyright 2006 Core Competence Inc.

All rights reserved.



Knowledge is Power:




Thursday, December 29, 2005

Written by Lisa Phifer   

System administrators have long depended on public registers like the Mitre Common Vulnerabilities and Exposures (CVE) dictionary and the DHS National Vulnerability Database (NVD) to track newly-discovered security flaws, potential impacts, and associated patches. But there was no comparable catalog of wireless network vulnerabilities until the launch of the WVE list on December 5th, 2005.

What is a vulnerability list?

The CVE dictionary describes and names "all publicly known facts about computer systems that could allow somebody to violate a reasonable security policy for that system." CVEs are unique identifiers assigned to information security vulnerabilities and exposures. Vulnerabilities let attackers execute unauthorized commands, access restricted data, pose as other entities, or conduct denial of service attacks. Exposures let attackers gather information, hide their activities, or exploit vulnerable entry points.

Similarly, the WVE dictionary intends to provide standardized nomenclature for wireless vulnerabilities and the exploits that take advantage of them. WVEs may pertain to any protocol or product specifically designed for wireless communication, including radio frequency protocols like 802.11, Bluetooth, 3G, and WiMAX, and non-RF protocols like IrDA. Wireless vulnerabilities may relate to wireless protocols (e.g., 802.11 WEP flaws), implementations, or infrastructure flaws that directly affect wireless network security.

Why catalog vulnerabilities?

Assigning a common name (i.e., unique identifier) to publicly known vulnerabilities makes it easier to share data across independently-developed databases and security tools that are not otherwise integrated. According to the CVE site, "If a report from one of your security tools incorporates CVE names, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem."

Of course, for this goal to be realized, vendors must make products "CVE-compatible." For example, network scanners and intrusion detection systems must describe discovered vulnerabilities by CVE name, and system software updates must explicitly identify any mitigated CVEs. The resulting process of vulnerability detection, risk assessment, and problem mitigation (nicely illustrated here) is routinely implemented today by many system administrators.

It is hoped that WVEs will eventually provide similar benefits to wireless network administrators. The WVE list will help increase awareness of wireless security threats and provide insights into how to prevent attacks. A public repository of wireless-specific data gives administrators one list to search for known wireless security issues. If wireless intrusion detection systems and wireless vulnerability scanners embrace WVE nomenclature, this database will make it easier for administrators to correlate incidents and weaknesses flagged by disparate products. Similarly, if wireless equipment manufacturers begin to cross-reference associated WVEs when issuing product updates, it will be easier to find the patch or configuration change known to mitigate these problems.
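The correlation described above, sketched as an added example that is not part of the original article: findings from two unintegrated tools are joined on the WVE name and then looked up in a separate fix database. The tool names, log formats and alert lines are constructed for illustration; the WVE names and the WRT54G firmware version are the ones this article cites.

```python
import re
from collections import defaultdict

# WVE names in this article follow the pattern WVE-<year>-<4 digits>.
WVE_RE = re.compile(r"\bWVE-(\d{4})-(\d{4})\b", re.IGNORECASE)

# Constructed sample output from two hypothetical, unintegrated tools.
WIDS_ALERTS = """\
2005-12-20 09:14:02 sensor-3 alert: BlueSnarf attempt (wve-2005-0003) src=00:11:22:33:44:55
2005-12-20 09:20:41 sensor-1 alert: apply.cgi overflow probe [WVE-2005-0063] dst=10.0.0.1
2005-12-20 09:31:10 sensor-1 alert: unknown deauth flood, no catalog name
"""
SCANNER_CSV = """\
host,finding,reference
10.0.0.1,Linksys WRT54G apply.cgi buffer overflow,WVE-2005-0063
10.0.0.7,Static Bluetooth PIN,WVE-2005-0009
"""
# Fix information as a separate database would hold it; the single entry is
# the firmware version the article gives for WVE-2005-0063.
FIX_DB = {"WVE-2005-0063": "upgrade to WRT54G firmware v4.20.7"}


def extract_ids(text):
    """Return the normalized WVE names found in free-form tool output."""
    return [f"WVE-{year}-{num}" for year, num in WVE_RE.findall(text)]


def correlate(sources):
    """Map each WVE name to the set of tools that reported it."""
    seen = defaultdict(set)
    for tool, text in sources.items():
        for wve in extract_ids(text):
            seen[wve].add(tool)
    return dict(seen)


def report(sources, fix_db):
    """Rows of (name, tools, fix); names seen by several tools come first."""
    rows = [(wve, sorted(tools), fix_db.get(wve, "no fix recorded"))
            for wve, tools in correlate(sources).items()]
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))


if __name__ == "__main__":
    sources = {"wids": WIDS_ALERTS, "scanner": SCANNER_CSV}
    for wve, tools, fix in report(sources, FIX_DB):
        print(f"{wve:15} {'+'.join(tools):13} {fix}")
```

The alert that carries no catalog name drops out of the join entirely, which is the gap the article says common nomenclature is meant to close.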

Putting WVEs to good use

The WVE list can be browsed or searched by keyword. For those who wish to be alerted to newly-posted entries, an RSS feed is available. For example:

* Suppose your company is developing a security policy for Bluetooth devices, and you wish to learn more about Bluetooth vulnerabilities. A quick WVE search on "Bluetooth" yields a list of candidate vulnerabilities, including WVE-2005-0002: BlueBug, WVE-2005-0005: BlueSmack, WVE-2005-0003: BlueSnarf, and WVE-2005-0009: Static Bluetooth PIN codes. If you carry a Motorola phone with Bluetooth, you might wish to refine your search to find product-specific vulnerabilities (in this example, WVE-2005-0007: HeloMoto).

* Suppose that you have just deployed a Linksys 802.11 router and want to make sure that you have applied available security patches. Your WVE search might lead you to WVE-2005-0063: Linksys WRT54G 'apply.cgi' Remote Buffer Overflow. Drilling down on that link not only describes the issue and potential consequences, but also identifies the firmware version known to overcome this flaw (i.e., WRT54G v4.20.7).

These are just two quick examples of ways in which the WVE list might be put to good use. Note that WVEs are publicly known vulnerabilities. The list was seeded with initial candidates proposed by sponsors, but much remains to be done, and continued expansion depends upon industry participation.

Anyone can submit a proposed vulnerability, but submitters must follow responsible disclosure practices when reporting newly-discovered vulnerabilities. Submissions are reviewed by an editorial board before they are assigned unique WVE names and published as candidates on the WVE website.

By participating in this board, I hope to help grow this industry resource and raise wireless security awareness and preparedness. I would encourage those of you with similar interests to visit and help us to expand the WVE list.