What is the CVE and how does it work?
- 11 July, 2017 10:22
CVE stands for Common Vulnerabilities and Exposures, a program launched in 1999 by MITRE, a nonprofit that operates research and development centers sponsored by the federal government. Its purpose is to identify and catalog vulnerabilities in software or firmware into a free “dictionary” for organizations to improve their security.
According to the CVE website, a vulnerability is a mistake in software code that provides an attacker with direct access to a system or network. It could allow an attacker to pose as a super-user or system administrator with full access privileges.
An exposure is a mistake that gives an attacker indirect access to a system or network. It could allow an attacker to gather customer information that could be sold.
The dictionary’s main purpose is to standardize the way each known vulnerability or exposure is identified. Standard IDs allow security administrators to access technical information about a specific threat across multiple CVE-compatible information sources.
CVE is sponsored by US-CERT, within the Department of Homeland Security (DHS) Office of Cybersecurity and Information Assurance (OCSIA). MITRE, maintains the CVE dictionary and public website. It also manages the CVE Compatibility Program, which promotes the use of standard CVE identifiers by authorized CVE Numbering Authorities (CNAs).
The following questions and answers are adapted from the CVE website and from Kurt Seifried, director at the Distributed Weakness Filing (DWF) project, senior software engineer for Red Hat Product Security and a CVE board member
Is CVE just another vulnerability database?
No. CVE is designed to allow vulnerability databases and other capabilities to be linked together, and to facilitate the comparison of security tools and services. CVE only contains the standard identifier number with status indicator, a brief description and references to related vulnerability reports and advisories. It does not include risk, impact, fix or detailed technical information. The US National Vulnerability Database (NVD) does include fix, scoring, and other information for identifiers on the CVE List.
Can hackers use the CVE to break into networks?
The short answer is yes, but MITRE and the CVE board contend that the benefits of CVE outweigh the risks:
- CVE lists only publicly known vulnerabilities and exposures, which means skilled hackers likely know about them anyway.
- It takes much more work for an organization to protect its networks and fix all possible holes than it takes for a hacker to find a single vulnerability, exploit it, and compromise the network.
- There is growing agreement in the infosec community that sharing information is beneficial. This is reflected in the fact that the CVE Board and CNAs include key infosec organizations.
What are CNAs and what is their purpose?
CNAs are organizations that identify and distributes CVE IDs to researchers and information technology vendors for inclusion in first-time public announcements of new vulnerabilities. They are part of what MITRE and the CVE board have termed a “federated system,” in which dozens of other organizations – 62 at current count – help identify vulnerabilities and assign them an ID number without directly involving MITRE, which is the primary CNA, in the details of the specific vulnerabilities.
Organizations that are CNAs include Adobe, Apple, Cisco, Google, Hewlett Packard Enterprise, Huawei, IBM, Intel, Microsoft, Mozilla, Oracle, Rapid 7, Red Hat, Siemens, Symantec and VMWare, plus organizations like CERT/CC (Computer Emergency Response Team/Coordination Center) and the DWF Project.
How does an organization qualify to become a CNA?
It could be a vendor with a significant user base and established security advisory capability, a regional coordinator such as a CERT, a domain publisher like an Information Sharing and Analysis Center (ISAC) representing a particular sector, or a mature research organization. The organization must be an established distribution point or source for first-time product vulnerability announcements, which may concern their own products.
What is a “root” CNA?
MITRE is the “primary” CNA, while root CNAs cover a certain area or niche. In many cases, a root CNA is a major company like Microsoft that posts vulnerabilities only in its own products. In other cases, a company like Red Hat focuses on open source vulnerabilities.
Seifried adds that applicants have some choices about the role they wish to play. “If you want to be a root CNA (like DWF/JP-CERT/CC or the existing group of commercial companies like Red Hat or Microsoft), you ask MITRE. If you are an open source project, you could go directly to MITRE if you’re large enough (as the Apache Foundation did in past, also prior to the DWF being up and running), or you can go directly to the DWF to become a sub-CNA of the DWF,” he said.
Where can one find the latest version of the CVE List?
New CVE Identifiers are added to the CVE website daily basis and are immediately available. The latest version of the CVE is on the CVE List Master Copy page. A free tool from CERIAS/Purdue University monitors changes to the CVE List. Also, CVE Change Logs provide daily or monthly changes to the list. The tool is a feature of CERIAS' Cassandra incident response database service, which is listed on the CVE-Compatible Products and Services page. Recently assigned CVE Identifiers also appear in the US National Vulnerability Database.
What is the “vetting” process for each new vulnerability or exposure?
Seifried said CVE uses a claims-based model, which is summarized in part of a transcript from a board teleconference last year: “CVE IDs will now be given in cases where a researcher finds a flaw or design oversight in software, even though it may not be seen as a vulnerability by the vendor. The researcher may be asked to provide evidence of a demonstrated negative impact, such as an example/scenario where the flaw is exploitable.”
He added that, “the stronger the claim, the more likely it is to get a CVE.” If it comes from an established vendor like Red Hat, “then we generally believe them. The same goes for well-known security research companies like a Qualys, and individuals like (white-hat hacker) Tavis Ormandy and others. “There is also a dispute process and a reject process in case the veracity of the CVE comes into question.
Does the CVE List contain all known vulnerabilities and exposures?
No, and there is some debate about what percent it does include. (See "Closing the CVE gap: Is MITRE up to it?") According to CVE, the goal of the program is to be “comprehensive.” Estimates of what percentage are missing from the list range from about a third to nearly half. MITRE declined to say what it believes the gap is, because there is no universally accepted way to count them.
How can CVE help protect networks?
By using the CVE ID for a particular vulnerability or exposure, organizations can quickly and accurately obtain information from a variety of CVE-Compatible information sources. By facilitating better comparisons between different security tools and services, CVE can help an organization choose what are the most appropriate for its needs.
Using CVE-Compatible products and services also helps improve responses to security advisories. If the advisory is CVE-Compatible, organizations can see if their scanners or security services check for this threat and then determine whether their intrusion detection systems have the appropriate attack signatures. For those that build or maintain systems for customers, the CVE compatibility of advisories will help directly identify any fixes from the vendors of the commercial software products in those systems. That also requires the vendor fix site to be CVE-Compatible.
This article was originally posted on CSO Online (US) on the 10th July 2017.