An Uncommon 20 Years of Commonly Enumerating Vulns
Larry Cashdollar, a researcher with more than 300 CVEs to his credit, looks back at his favorite vulnerabilities (and being the only individual CNA on Mitre's list).
October 16, 2020
Larry Cashdollar needed someone big -- someone not afraid of physical retribution. So he called Donovan, an imposing figure at six-four. And Cashdollar says, "I made a mistake."
At the time, Cashdollar, now a senior researcher at Akamai, was a Unix system administrator at Computer Sciences Corp. under contract at Bath Iron Works. The mistake Cashdollar had made was exploiting a vulnerability in a program called "midikeys," inadvertently changing the root password on an SGI Onyx graphics system just when the engineers had begun giving a demo of the Onyx to a Navy admiral. Donovan's job was to go into the room and tell the Bath Iron Works engineers the new password.
Cashdollar's career survived the incident and took off with what turned out to be his first published Common Vulnerability Enumerator, or CVE. Now, with more than 300 published CVEs to his credit, Cashdollar can look back at his early days in computer security with less panic than during that first incident.
The Birth of the CVE
In January 1999, David E. Mann and Steven M. Christey, who both worked at Mitre, presented a paper titled "Towards a Common Enumeration of Vulnerabilities." Before that, "there was no unique way to determine a vulnerability in the system," Cashdollar says. "You know, there was Buffer Overflow and sendmail."
And one of the problems was that it was difficult to know whether a vulnerability one researcher was describing had already been found and described by another researcher.
The idea of a common "language" for researchers and system administrators to use appealed to Cashdollar. The idea of being able to claim one of these published vulnerabilities as his own also appealed.
"When CVEs came around, I was like, wow, you know, I would love to find a vulnerability in something," he says.
Of course, in the early days of CVEs a researcher didn't just submit a vulnerability to Mitre for inclusion.
"You didn't file for a CVE; you published it on a security mailing list and somebody from Mitre who might think that your vulnerability was worthy of a CVE would assign one," Cashdollar says. "When you put them on the BugTraq list back in the 1990s, there would be someone who would test your work, verify it, and people that would go through and sort of verify if your claim was true. So there were all people sort of analyzing my vulnerability, and it was kind of neat."
"Later I was looking on BugTraq for the midikeys thing again. And I noticed that Mitre had assigned a vulnerability or CVE ID to it," Cashdollar says.
He was happy and excited that he could now claim with legitimacy to have found a vulnerability. He decided then that if he ever reached the goal of 10 published CVEs, he would have a T-shirt printed to mark the occasion. Now, he says, "I have more than 10 and I still haven't made a T-shirt."
A Number of His Own
By 2016, the process had become more regular, but the system was in danger of being overwhelmed by all the vulnerabilities being found in various systems and applications. Cashdollar says it reached a point where researchers were noticing the delay in getting CVEs assigned and published.
Around this time, Cashdollar started conversations with Kurt Seifried of RedHat about options -- conversations that led to Seifried developing Distributed Weakness Filings (DWF), an open source version of the CVE. The DWF ultimately worked in cooperation with Mitre to become a Certified Numbering Authority (CNA), issuing CVEs on open-source projects within the overall CVE system.
Cashdollar also received an invitation to talk about CVEs with Mitre. When he went to their campus, "They were fleshing out the becoming a CNA so you could actually become your own CVE assigner," he says, "where they would give you a block of CVEs and you would be able to assign CVEs to your own vulnerabilities on this block that they had preassigned or dedicated to you."
During the meeting, "They told me, we're going to make you the first researcher certified numbering authority for Mitre and we're going to see how this goes. You're going to be our guinea pig. And I'm like, OK, that sounds like fun," he says.
Today, there are 161 CNAs, of which 127 are vendors and projects, and 22 are researchers. Scrolling through Mitre's list of CNAs, Cashdollar is the only individual to be found. He has approximately 305 CVEs to his credit -- "approximately" because there are vulnerabilities currently awaiting CVEs to be assigned by vendors.
As for whether he still gets the same thrill from seeing a new CVE added to his list, Cashdollar says, "I guess it depends on what application I'm breaking."
Simple authentication vulnerabilities in WordPress plugins that can be exploited with a curl command carry low excitement for him. But "the old school stuff is more fun to me. If I find something like a /tmp race condition vulnerability in Solaris 11, I'll end up, you know, writing a C exploit to watch the files and then create a symlink to /etc/shadow and then try to change the password. And I'll just write a much better exploit for something that's unique because it's still a lot of fun for me."
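The /tmp race Cashdollar describes is the classic symlink-following bug (a privileged program writing to a predictable temporary filename that an unprivileged user can pre-create as a symlink). The following C program is an added example, not code from the article or from Cashdollar: it reproduces the mechanism entirely on a throwaway file the program creates itself, standing in for the protected target, and puts the vulnerable open() flags next to the hardened ones (O_EXCL plus O_NOFOLLOW, or mkstemp) that a defender should insist on in code review. All paths and file contents are constructed for the demonstration.

```c
/* Added example (not from the article): a /tmp symlink race shown on a
   file the program creates itself, beside the hardened open() flags that
   defeat it. Directory and file names are constructed for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: write to a fixed, predictable name. O_CREAT|O_TRUNC
   follows a symlink somebody planted there first, so a privileged process
   truncates and rewrites whatever the link points at. */
int open_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL fails if anything (symlink included) already
   exists at the path, and O_NOFOLLOW refuses a symlink as the final
   component. Returns -1 with errno EEXIST or ELOOP instead of following. */
int open_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred pattern: let the kernel pick an unpredictable name atomically. */
int open_unique(char *template) { return mkstemp(template); }

/* Private scratch directory (mode 0700) for the scenario; tries /tmp first. */
static int make_scratch(char *dir, size_t n) {
    snprintf(dir, n, "/tmp/tmprace-XXXXXX");
    if (mkdtemp(dir)) return 0;
    snprintf(dir, n, "./tmprace-XXXXXX");
    return mkdtemp(dir) ? 0 : -1;
}

/* 'victim' stands in for the protected target file; 'drop' is a symlink
   planted at the predictable name, pointing at the victim. */
static int setup(char *dir, size_t n, char *victim, char *drop) {
    if (make_scratch(dir, n) < 0) return -1;
    snprintf(victim, n, "%s/victim", dir);
    snprintf(drop, n, "%s/drop", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t w = write(fd, "original", 8);
    close(fd);
    return w == 8 ? symlink(victim, drop) : -1;
}

static void teardown(const char *dir, const char *victim, const char *drop) {
    unlink(drop); unlink(victim); rmdir(dir);
}

/* True if the victim file currently holds exactly 'expect'. */
static int victim_holds(const char *victim, const char *expect) {
    char buf[32] = {0};
    int fd = open(victim, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n >= 0 && strcmp(buf, expect) == 0;
}

/* Returns 1 if the unsafe open followed the planted symlink and overwrote
   the victim, 0 if it did not, -1 on setup failure. */
int demo_unsafe_follows_symlink(void) {
    char dir[64], victim[128], drop[128];
    if (setup(dir, sizeof dir, victim, drop) < 0) return -1;
    int fd = open_unsafe(drop);
    if (fd >= 0) { if (write(fd, "clobbered", 9) < 0) {} close(fd); }
    int result = victim_holds(victim, "clobbered");
    teardown(dir, victim, drop);
    return result;
}

/* Returns 1 if open_safe refused the symlinked path and the victim is
   untouched, 0 otherwise, -1 on setup failure. */
int demo_safe_refuses_symlink(void) {
    char dir[64], victim[128], drop[128];
    if (setup(dir, sizeof dir, victim, drop) < 0) return -1;
    int fd = open_safe(drop);
    int refused = fd < 0 && (errno == EEXIST || errno == ELOOP);
    if (fd >= 0) close(fd);
    int result = refused && victim_holds(victim, "original");
    teardown(dir, victim, drop);
    return result;
}

/* Returns 1 if mkstemp produced a fresh regular file (never a symlink). */
int demo_unique_is_regular(void) {
    char dir[64], tmpl[128];
    if (make_scratch(dir, sizeof dir) < 0) return -1;
    snprintf(tmpl, sizeof tmpl, "%s/out-XXXXXX", dir);
    int fd = open_unique(tmpl);
    struct stat st;
    int ok = fd >= 0 && lstat(tmpl, &st) == 0 && S_ISREG(st.st_mode);
    if (fd >= 0) { close(fd); unlink(tmpl); }
    rmdir(dir);
    return ok;
}
```

When auditing setuid or root-run programs, grep for open() or fopen() calls on fixed paths under /tmp and for tmpnam()/mktemp(); each is the vulnerable shape above, and the fix is O_EXCL|O_NOFOLLOW on a per-process name or, better, mkstemp/mkdtemp so the name is never predictable in the first place.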