Common Vulnerabilities and Exposures (CVE) are a standard for uniform naming convention and identification of publicly known security vulnerabilities in information systems. [1] Through this standardization, security vulnerabilities can be communicated accurately in a few words. Importantly, CVEs are always publicly known vulnerabilities.
News articles describe vulnerabilities by using the CVE-ID and a short summary very precisely. [2]
By uniquely identifying a vulnerability through the associated CVE ID, the vulnerability can easily be communicated internationally and across all language barriers.
A CVE ID consists of three parts. The prefix is the same for each ID, so each CVE ID starts with ‘CVE’. This is followed by the four-digit year. This does not show the year of discovery, but the year of public disclosure of the vulnerability. As a result, a vulnerability found in December 2018 but not released until January 2019 will be marked 2019. The consecutive numbering of a CVE ID consists of four, five, or seven digits. [3]
The key information that is included in a CVE entry is, in addition to the CVE ID, the Common Weakness Enumeration (CWE) ID, as well as references and a description of the vulnerability. It also lists the Common Platform Enumerations (CPEs) that are directly and indirectly affected, the Common Vulnerability Scoring System (CVSS), if available, and the date and time of publication and last processing.
The CWE is a unified naming tool for identifying and defining causes of the identified vulnerability. There is one specific CWE for each vulnerability type. These are created by the MITRE Corporation with the support of the National Cyber Security Division (NCSD). The NCSD is in turn a division of the Department of Homeland Security (DHS). [4]
The CPE is a standardized method for the unique naming of applications, operating systems and hardware devices, which are installed in a computer system. IT management programs can gather information about the software products installed in a system, identify products by their CPE name, and use that standardized information to enable full or partial automated processing. [5]
The CVSS is a standard for assessing the characteristics and impact of IT vulnerabilities that are systematically set to the specific characteristics of a vulnerability. This allows the urgency of the different vulnerabilities to be determined. [6]
CVE IDs may only be created by licensed companies operating under the authority of the CVE program. The licenses are issued by the MITRE Corporation. These companies are called CVE Numbering Authorities (CNAs) and have the right to assign CVE IDs to vulnerabilities within an agreed scope. During the creation process, the CNAs generate a CVE record with the information known at that time and forward it to the MITRE. MITRE publishes this entry in the CVE feeds. [7]
For example, as “BlueKeep” (CVE-2019-0708) refers to the vulnerability in Microsoft’s Remote Desktop Protocol implementation by the Federal Office for Information Security (BSI) warned against dangers à la WannaCry (CVE-2017-0144). Such a message gains additional traction if there also is reporting about an active exploitation of the described gap. [9]
Aside from such common threats to standard operating systems, there are also very industry-specific vulnerabilities, such as the well-known Stuxnet worm (CVE-2010-2772, CVE-2010-2568). [11] [12] Vulnerabilities have also been listed in industrial control software in the recent past. See, e.g. CVE-2019-10915. [10]
As these examples show, industrial installations are also affected by security vulnerabilities, and the use of the available information creates transparency about the own vulnerabilities in the system and can help to eliminate them. Apart from targeted attacks on industrial plants, there is also a so-called “spillover effect”. This describes that attacks that were originally intended for the office area rather unintentionally affect the industrial plants and infect this area additionally. [13] Office IT threats should therefore not categorically be excluded from considerations concerning the OT area.
If you are interested in learning more about the added value of CVE, please read this article:
https://www.ondeso.com/en/the-added-value-of-cve/
Sounds interesting? Here you can download the summary as PDF for free:
We have briefly summarized all contents in this video for you:
[1] https://cve.mitre.org/about/
[3] https://cve.mitre.org/about/faqs.html#what_is_cve_entry
[4] https://nvd.nist.gov/vuln/categories
[5] https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7695.pdf
[6] https://nvlpubs.nist.gov/nistpubs/Legacy/IR/nistir7435.pdf
[7] https://cve.mitre.org/cve/cna/CNA_Rules_v2.0.pdf
[11] https://nvd.nist.gov/vuln/detail/CVE-2010-2772#vulnCurrentDescriptionTitle
[12] https://nvd.nist.gov/vuln/detail/CVE-2010-2568#vulnCurrentDescriptionTitle
[13] https://www.infosecurityeurope.com/__novadocuments/588383?v=636917895698800000