A vulnerability is a mistake that attackers can exploit to gain access or cause harm. At KubeCon + CloudNativeCon America, Pushkar Joglekar of VMware Tanzu discussed how the CVE (Common Vulnerabilities and Exposures) catalog standardizes the way vulnerabilities are identified.
It is also important to understand how vulnerability scores are calculated. When assessing risk, the value of the affected asset and whether the vulnerability has actually been weaponized matter as much as the score itself.
CVE Identifiers
Once a vulnerability is reported to a CVE Numbering Authority (CNA), the CNA reserves a unique identifier for it. Identifiers have the form CVE-YYYY-NNNN, where the sequence number has four or more digits and YYYY is the year the ID was reserved or the vulnerability was made public, not necessarily the year it was discovered (a flaw may be found earlier and disclosed later under a later ID). The CVE record carries a description of the vulnerability and references to related resources such as vendor advisories or technical write-ups.
CVE identifiers standardize vulnerability naming so that security professionals, tools, databases and advisories can refer to the same issue and correlate information about it.
Vulnerabilities are flaws in software that give attackers access they should not have. They range from a flaw in a web browser that lets an attacker read data being processed, such as credit card numbers, to flaws that allow stealing passwords or taking control of entire systems.
The CVE Program is governed by the CVE Board, whose members come from security tool vendors, academia and research institutions, government departments and agencies, and independent security experts. The board provides input on data sources, product coverage, coverage goals and the program's operating structure, and it maintains the CVE rules and standards; the individual CVE records are assigned and written by CNAs, not by the board. The program is sponsored by the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and operated by MITRE.
CVE Types
The CVE system provides a common language and standardized identifiers for vulnerabilities, helping organizations identify and communicate with one another about potential threats. Companies need to understand how the CVE process works and how it relates to other vulnerability management tools, such as bug trackers, scanners and threat intelligence feeds, to get the most out of it.
A vulnerability is an error in software that can be exploited to gain unauthorized access to computer systems and networks. Attackers can use these vulnerabilities to steal information, install malware, or otherwise harm the organization's assets. The CVE process catalogs these errors so that security professionals can identify them unambiguously, understand their impact, and respond to them quickly.
Whenever a new vulnerability is disclosed, the CVE ID reserved for it should be referenced in every advisory, ticket and discussion of the issue. Each CVE ID consists of the prefix CVE, the year and a sequence number of four or more digits, for example CVE-2014-6271 or CVE-2018-6274.
The CVE record itself only names and describes the vulnerability; its severity is expressed separately through CVSS metrics, which are organized into groups. The base metrics include Attack Vector (how the attacker reaches the vulnerable component: Network, Adjacent, Local or Physical), Privileges Required (None, Low or High, where High means administrative privileges on the vulnerable component) and User Interaction (None or Required). These are combined with the Attack Complexity, Scope and Confidentiality, Integrity and Availability impact metrics to compute a numeric score, from which the qualitative severity rating (None, Low, Medium, High or Critical) is derived.
CVE Severity
Vulnerabilities are found in open-source and commercial software and in the third-party libraries developers depend on. They expose applications and systems to attackers, resulting in unauthorized access and data breaches. The CVE process was created to share information about these vulnerabilities with the industry in a consistent form and to point to the advisories that describe how to fix them. It is essential to know how CVE defines a vulnerability before incorporating CVE data into your operations.
When someone discovers a vulnerability, they report it to the CVE Program through a standardized process: the reporter submits the details to a CNA (a CVE program partner), which reviews the submission and reserves an ID. Once the vulnerability has been verified and described, the record is published to the CVE List.
The CVE Process is also supported by the Common Vulnerability Scoring System (CVSS). CVSS provides a framework for assigning severity to vulnerabilities based on different metrics. This allows organizations to prioritize vulnerabilities and implement patch management protocols accordingly.
In CVSS v3.1 the Base metric group contains Attack Vector (AV), Attack Complexity (AC), Privileges Required (PR), User Interaction (UI), Scope (S), and the Confidentiality (C), Integrity (I) and Availability (A) impacts; together they form the base vector, for example CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Exploit Code Maturity (E), Remediation Level (RL) and Report Confidence (RC) belong to the Temporal group, which captures how the threat changes over time as exploits and patches appear. The Environmental group (the Confidentiality, Integrity and Availability Requirements, plus modified versions of the base metrics) lets an organization re-score a vulnerability for its own environment, so the same CVE can rank differently on an internet-facing system than on an isolated one.
CVE Reporting
The CVE Program is a widely used, standardized system for cataloging publicly known vulnerabilities. A shared identifier lets different tools, such as vulnerability scanners, ticketing systems and advisories, exchange information about the same flaw without ambiguity, and it lets organizations check whether a product or service they are evaluating has a history of published vulnerabilities.
Vulnerabilities are discovered daily; without a standard identification system it would be difficult to track them. To receive a CVE ID, a flaw must meet the program's assignment rules: it must be independently fixable, its existence must be acknowledged by the vendor or documented by the reporter as having a negative security impact, and it must affect a single codebase (the same flaw in separately maintained products receives separate IDs).
After a report is submitted, a CVE Numbering Authority (CNA) assigns the ID. CNAs are vendors, open-source projects, researchers, bug bounty programs and CERTs that the program has authorized to assign IDs within a defined scope, and they are responsible for keeping each record they publish accurate, complete and up to date.
Once the CNA publishes the record, it appears on the CVE List and is picked up by the National Vulnerability Database (NVD). The NVD enriches each record with a Common Vulnerability Scoring System (CVSS) score, a CWE weakness classification and CPE identifiers for the affected products, which is where most scanners obtain their severity data; increasingly, CNAs also include a CVSS vector in the CVE record itself. This information is crucial for assessing your organization's exposure and designing an effective remediation plan.