How does the CVE system work?
Common Vulnerability and Exposure Identifiers (CVE) supervision falls on MITRE Corporation, with the financial backing of the Cybersecurity and Infrastructure Security Agency (CISA), an entity belonging to the United States Department of Homeland Security.
CVE entries are concise and do not contain technical details or information about risks, impact or solutions. Such information is found in other databases, such as the National Vulnerability Database (NVD) of the United States, the CERT/CC Vulnerability Notes Data and multiple lists maintained by vendors and other companies.
These CVE identification numbers play a critical role in enabling users to reliably identify unique vulnerability spots and make coordination easier in security solution and tool development for multiple systems. The MITRE Corporation is responsible for maintaining the CVE list, although it is frequently companies and members of the open source community who report security flaws that become CVEs.
CVE identifiers
CVE identifiers are assigned by CVE Numbering Authorities (CNAs). Currently, there are 327 CNAs (325 CNAs y 2 CNA-LRs) out of 37 countries participating in the CVE Program representing major information technology vendors, as well as security companies and research institutions. In this sense, Pandora FMS is in contact with security researchers who inform the company about vulnerabilities they detected, providing details such as date and time when the security breach was identified, affected versions, type of security to report (XSS, CSRF, SQLi, RCE), affected components (API, agent, server, among others), screenshots or transaction logs and instructions to reproduce the problem, following their vulnerability disclosure and management policies. It is worth mentioning that we ask the researcher not to publish the details of the vulnerability, having to first analyze the problem, reproduce the bug and determine the prioritization for its correction. Once the problem is corrected, together with the Researcher, the response to the community is managed and the correction made in an official version of CVE, indicating the CVE Code, the details of the vulnerability, certification date and version that was fixed.
It is noteworthy that CVE reports not only come from researchers, but rather they may come from anyone who discovers a vulnerability and reports it, whether it is a vendor, a researcher, or just a wise user. In fact, many vendors offer rewards for discovering security flaws to encourage responsible disclosure. If a vulnerability is found in open source software systems, it is important to notify the community.
MITRE also has the ability to issue CVE identifiers directly. CNAs receive blocks of CVE identifiers and save them for later use in new issues that are discovered. Thousands of CVE identification numbers. are issued every year. Even a single complex product, such as an operating system, can accumulate hundreds of CVE identifiers.
The information about the vulnerability will reach the CNA in one way or another. The CNA assigns a CVE identification number to the information, creates a brief description, and provides references. Subsequently, the new CVE identifiers are published on the corresponding website.
In many instances, a CVE identifier is assigned before a security warning is issued, as vendors often keep security vulnerabilities secret until a fix is developed and tested. This is done to reduce opportunities for those looking to exploit vulnerabilities without fixes.
Once a CVE entry is published, it includes the identification number (in “CVE-2023-1234567” format), a brief description of the exposure or vulnerability, and references that may contain links to recommendations and reports related to such vulnerability.
Features of CVEs
It is important to understand that a vulnerability is a weak spot that cybercriminals can exploit to gain unauthorized access to or perform unauthorized actions on computer systems, such as executing code, accessing a system’s memory, installing malware, and stealing sensitive data. Exposure is a bug found in software or hardware that allows cybercriminals to take actions such as accessing a system or network, finding an opportunity to breach or leak data, and obtaining personally identifiable information to later sell it. Accidental exposures have led to the biggest data breaches and not so much from sophisticated attacks.
CVE ID numbers are assigned to vulnerabilities that meet this specific set of criteria:
- Self-contained solution: The vulnerability can be solved autonomously, without relying on other fixes.
- Vendor confirmation or documentation: The software or hardware vendor acknowledges the existence of the vulnerability and its negative impact on security. Alternatively, the person who reported the vulnerability provides a report demonstrating its negative impact and its violation of the security policy of the affected system.
- Affecting a code base: Vulnerabilities that affect more than one product receive separate CVE identifiers. In cases involving shared libraries, protocols, or standards, a single CVE is assigned if it is not possible to use the shared code without exposing oneself to the vulnerability. Otherwise, a different CVE is assigned to each product.
Advantages of CVEs
CVEs play an important role in the constant Security Monitoring to audit and secure systems, creating an environment of Digital Trust, based on:
- Identification and awareness – CVEs become a common language for security professionals to identify and communicate vulnerabilities quickly.
- Prioritization – CVEs allow security strategists to prioritize which vulnerabilities to address based on their severity and potential impact.
- Patch Management – CVE references help locate and apply patches or make updates to fix vulnerabilities.
- Risk Mitigation – By addressing known CVEs, organizations can reduce their attack surface and minimize the risk of security incidents.
Collaboration is also very important. The CVE system fosters knowledge and collaboration among security researchers, vendors, and organizations, which can lead to a faster resolution of vulnerabilities or exposures.
CVE Considerations
As explained above, CVEs start from the information on vulnerabilities and exposures provided by different actors, so their identification is a “living entity” in constant change and evolution, which deserves to be mentioned some important considerations:
- Difficulty interpreting and monitoring the CVE list- without the right tools, it is difficult to know what vulnerabilities affect the organization without additional tools.
- Conflict of Interest – According to section 7 of the CNA Rules, a vendor that receives a report about a security vulnerability or exposure has complete discretion in this regard, which may result in a conflict of interest. There is an opportunity for a supplier to attempt to leave faults unrepaired by denying a CVE assignment, a decision that mitre cannot reverse.
- While CVEs are off the radar – The accelerated growth of vulnerabilities and exposures has caused a delay in CVE assignments, which may delay their availability in the identifier list. There are also unreported vulnerabilities that remain hidden from the radar of security advisors or problem trackers.
- Incomplete information – Not all vulnerabilities and exposures receive CVE; many are privately disclosed and can be patched without a public CVE allocation.
- Complexity – The CVE system focuses on identifying and tracking vulnerabilities and exposures, but may not capture the full context of an attack, impacting the definition of resolutions.
In an analysis of the MITRE Framework, it is alarming that only 86% of all open source vulnerabilities are included in the MITRE CVE list and almost 30% of JavaScript open source vulnerabilities are not found in the CVE database.
When talking about CVE, we should also talk about CWE (Common Weakness Enumeration), which is an initiative driven by the CVE community and also maintained by Mitre Corporation to provide a standardized and comprehensive list of common software weaknesses, vulnerabilities, and coding errors, as a resource for cybersecurity professionals and software developers. Examples of vulnerabilities in Software are:
- Coding errors during the software development process. Examples: Buffer overflows, input validation errors, and improper error handling.
- Design flaws, such as flaws in the architecture or design of a software system. Examples: insecure authentication mechanisms or inadequate access controls.
- Vulnerabilities introduced through third-party libraries or components on which a software application is based.
- Incorrect software or system configurations that may cause confidential data or services to be exposed on the Internet.
Finally, keep in mind that there may be unknown vulnerabilities that cybercrime can exploit before a solution or patch is available.
Conclusion
As it can be seen, CVEs are a critical component in cybersecurity to identify, prioritize, and mitigate vulnerabilities and exposures as part of an effective and comprehensive strategy. Organizations must stay informed about CVEs to address risks and threats proactively, effectively and as immediately as possible, relying on the best security monitoring tools and platforms
Remember that, in a more connected world, it is essential to improve security posture, reduce risks, and protect data and digital assets, leveraging the collaborative and complementary efforts of a global cybersecurity community, aiming to not only prevent security breaches but also financial losses from costs associated with legal sanctions and vulnerability resolution, regulatory non-compliance, and reputational damage.
Talk to our sales team, ask for a quote, or ask your questions about our licenses