VDBs Devolving?

Posted by jericho Sun, 06 Jul 2008 15:48:00 GMT

I’m big on Vulnerability Database (VDB) evolution. I tend to harp on them for not adding features, not making the data more accessible and generally doing the exact same thing they did ten years ago. While the target of my ire is typically functionality or usability, today it is about a little more.

Last night I wanted to check for details on a CVE entry that was rather vague and had a single reference to BID. This is fairly common in the VDB world as one database will add an entry and not provide a link to the source of the data (Secunia and BID primarily). As luck would have it, BID was down. Almost twelve hours later and their VDB is still down. What annoys me is that while they aren’t delivering vulnerability information, they sure are delivering advertisements. Why can’t VDBs get the same dedication and resources that ad farms get?

Next, I wanted to find out if the other VDBs created an entry for the latest OpenBSD flap yet, so I went to X-force which is a pretty reliable database. Much to my dismay, it appears that the ‘advanced’ search is now gone. While it wasn’t extremely powerful, it let you do some basic sorting that was immensely helpful in finding what you need. I have mail out to them asking for confirmation that it is indeed gone versus a web geek error. I certainly hope it is the latter…

Update: Over 24 hours later, the BID database is finally available again. ISS has not replied to at least two mails from VDB managers asking about the missing advanced search feature.

Posted in | 4 comments

Comments

  1. jericho said about 16 hours later:

    Over 24 hours, BID still down. Guess they don’t maintain staff over weekends.

  2. sullo said about 22 hours later:

    Still down at 10:27 AM Eastern. At some point they’ll come in from the holiday weekend and reboot something. Maybe.

  3. swtornio said about 24 hours later:

    I have been de-obfuscating that OpenBSD exploit to see exactly what it does, but so far it looks fairly lame. I am unable to get the VGA target to escalate on a fresh 4.0 install in a VMWare image, either with machdep.allowaperture set to either 0 or 1. I don’t install X on servers, and so I didn’t install it on this image, either. Maybe that’s it. If the vuln is ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.0/i386/007_agp.patch , then X shouldn’t be necessary.

    I don’t even know what to make of the IPv6 exploit. The program says root is required, which is stupid. Running it as a regular user goes nowhere. I dunno, maybe the joke’s on me for spending time trying to see what this is supposed to do.

  4. Steve Christey said 2 days later:

    FYI, it’s part of our analysis process to always try to find the “raw disclosure” for an issue, and we don’t consider a sole BID or SECUNIA item a raw disclosure. However, as you know, sometimes it’s difficult to figure out how another VDB learned about an issue.
