Extending OID scheme

We are preparing substantial advances for our scan technology and scan coverage. The time has come to take more advantage of the OID scheme for VTs. This is the enumeration system that gives every vulnerability test a unique identifier; you surely know these identifiers from scan results and scan reports.

Currently used scheme

1.3.6.1.4.1.25623: Base OID
|
+--.1: Vulnerability Tests
    |
    +--.0: OpenVAS Legacy Identifiers
        |
        +-- NNNNNN: Identifier Range Groups

Where 1.3.6.1.4.1.25623 is officially assigned as “iso.org.dod.internet.private.enterprise.OpenVAS”.

The identifier range groups reflect historic developments and the ranges were defined and assigned for various purposes.

A decade ago draft ideas were discussed to extend the scheme, but it never came to a final decision since the range-scheme worked well enough for the challenges we solved in the past. Now it is time to advance.

Extension for operating system vendor advisories

A significant number of vulnerability tests address advisories published by operating system vendors. For each operating system with a formal advisory publication process we will assign its own OID group and, within this group, apply the vendor's enumeration scheme to the extent possible (an OID is limited to numbers).

1.3.6.1.4.1.25623: Base OID
|
+--.1: Vulnerability Tests
    |
    +--.0: OpenVAS Legacy Identifiers
    |   |
    |   +-- NNNNNN: Identifier Range Groups
    |
    +--.1: Vulnerability Tests for operating system vendor advisories
        |
        +--.1: Debian
        |
        +--.2: EulerOS
        |
        +--.3: Fedora
        |
        +--.4: ...

The structure below each operating system is, directly or indirectly, determined by the vendor's identifier scheme, which might even change if the vendor decides so. Therefore the structure is not detailed further here.

We will add further operating systems as per need.

Timeline, effects and migration

Essentially, the new OID scheme will have no effect on your daily business with Greenbone solutions. Likely you will not even notice.

At some point new VTs will appear that use the extended OID scheme. That's all.

Well, there is one place with a minimal effect: some PDF reports have a chart and table "Top 10 Vulnerabilities" that used only the last element of an OID as an abbreviation.

We will start doing so likely in January 2020, or in February 2020 at the latest.

Only if you created your own processing chains in which you, for some reason, shortened the OID to just the last number will you need to adjust. However, only the OID as a whole was and is meant to be unique.
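The scheme above and the last-element caveat, as an added Python example that is not part of the original post: it classifies a VT OID as legacy or vendor-advisory using the arcs listed above, and shows why an abbreviation to the last element can collide between the two schemes while the full OIDs stay unique. The sample OIDs and the arcs below the vendor node ("2019.4567") are constructed for illustration, not real VT identifiers.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Arcs taken from the post: the OpenVAS enterprise base OID, the VT arc and its two sub-arcs.
BASE_OID = "1.3.6.1.4.1.25623"
VT_ARC, LEGACY_ARC, ADVISORY_ARC = "1", "0", "1"
# Vendor sub-arcs named in the post; more are added "as per need".
VENDOR_ARCS = {"1": "Debian", "2": "EulerOS", "3": "Fedora"}

@dataclass(frozen=True)
class VtOid:
    scheme: str                # "legacy" or "advisory"
    vendor: Optional[str]      # vendor name for advisory OIDs, else None
    suffix: Tuple[str, ...]    # arcs below the scheme (or vendor) node

def parse_vt_oid(oid: str) -> VtOid:
    """Classify a VT OID as legacy or vendor-advisory and split off its suffix."""
    arcs = oid.strip().split(".")
    if not all(a.isdigit() for a in arcs):
        raise ValueError(f"OID arcs must be numeric: {oid!r}")
    n = len(BASE_OID.split("."))
    if arcs[:n] != BASE_OID.split(".") or len(arcs) < n + 3:
        raise ValueError(f"not a Greenbone VT OID: {oid!r}")
    if arcs[n] != VT_ARC:
        raise ValueError(f"not under the Vulnerability Tests arc: {oid!r}")
    scheme, rest = arcs[n + 1], arcs[n + 2:]
    if scheme == LEGACY_ARC:
        if len(rest) != 1:   # legacy OIDs end in exactly one NNNNNN arc
            raise ValueError(f"legacy OID must end in one NNNNNN arc: {oid!r}")
        return VtOid("legacy", None, tuple(rest))
    if scheme == ADVISORY_ARC:
        vendor = VENDOR_ARCS.get(rest[0], f"unassigned-vendor-{rest[0]}")
        return VtOid("advisory", vendor, tuple(rest[1:]))
    raise ValueError(f"unknown VT scheme arc .{scheme}: {oid!r}")

def last_arc(oid: str) -> str:
    """The shortening the post warns about: keeping only the last OID element."""
    return oid.rsplit(".", 1)[-1]

def abbreviation_collisions(oids: List[str]) -> Dict[str, List[str]]:
    """Return last-arc abbreviations shared by more than one (unique) full OID."""
    by_last: Dict[str, List[str]] = {}
    for oid in oids:
        by_last.setdefault(last_arc(oid), []).append(oid)
    return {k: v for k, v in by_last.items() if len(v) > 1}

if __name__ == "__main__":
    # Constructed sample values: a legacy OID and a Debian advisory OID sharing a last arc.
    sample = ["1.3.6.1.4.1.25623.1.0.4567", "1.3.6.1.4.1.25623.1.1.1.2019.4567"]
    print([parse_vt_oid(o) for o in sample], abbreviation_collisions(sample))
```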

In case you created your own VTs and used OIDs that might clash with the extended scheme, then you are in trouble. There is an Identifier Range Group reserved for private OIDs, which you should have used as documented here: VT Development

We currently have no plans to migrate already published VTs to the new scheme.
