In May 2017, WannaCry, a strain of ransomware, spread quickly around the world. It managed to affect National Health Service hospitals in England and three companies in Spain and reached many other countries including Russia, France and Japan.
WannaCry leveraged a Windows vulnerability known as EternalBlue, for which Microsoft had already published a patch; clearly, many organizations had failed to apply it.
And the notorious Equifax breach the same year? Well, the company was hacked via a consumer complaint portal, exposing private information on 143 million Americans. Attackers gained access to Equifax systems by exploiting a known vulnerability in Apache Struts that also had an available patch—which Equifax failed to patch.
Even though every organization dreads zero-day exploits, the truth is that one in three breaches takes place as a result of unpatched, already-known vulnerabilities. As these breaches continue to happen, it's important to assess and systemize the many different types of vulnerabilities and the dangers they pose to systems. That's why software vulnerabilities are categorized and stored in what we know as "CVE," a valuable list that helps security vendors and organizations identify common vulnerabilities and exposures.
In October 2019, CVE celebrated its 20-year anniversary and today we're going to get familiar with relevant and common terms, the importance of CVE and what databases will help you track known flaws, so you can patch them as quickly as possible. We've written before on how to detect CVEs, so let's get familiar with what CVE is:
- What is a vulnerability in the cybersecurity world?
- What is an exposure in cybersecurity?
- What is CVE?
- What is a CNA?
- Top 4 CVE databases
What is a vulnerability in the cybersecurity world?
During the development process, mistakes are bound to happen—commonly referred to as "bugs." Not all bugs are dangerous in terms of security, but those that could be exploited by attackers to gain unauthorized access to the system are a threat, and are known as vulnerabilities.
Any weakness in a computer system that can be exploited by one or more threats is considered a vulnerability. Vulnerabilities can allow attackers to run unauthorized code, access system information and steal, modify and destroy data.
There are many different types of vulnerabilities and each one has a different level of severity, depending on how dangerous the outcome is in the event it is exploited.
What is an exposure in cybersecurity?
An exposure is an error in software code or a configuration issue that gives an attacker indirect access to a system or a network, and allows them to conduct information gathering or hide their activities. They can and often do lead to a data breach. While exposure doesn't allow direct access, it is a component of an attack that violates a security policy.
According to the official CVE website, examples of exposures include running services for information gathering, running services that are a common attack point, and the use of applications that can be successfully attacked by brute force methods.
Both vulnerabilities and exposures are stored and sorted in CVE.
What is CVE?
As we touched upon earlier, CVE, or Common Vulnerabilities and Exposures, is a reference list that identifies and categorises publicly disclosed security vulnerabilities and exposures in software. CVE was launched in 1999 by the MITRE Corporation, a nonprofit sponsored by the National Cyber Security Division, or NCSD.
When a researcher or a company discovers a new vulnerability or exposure, it is added to the CVE list so other organizations can leverage this data and protect their systems. CVE prioritizes assigning CVE Identifiers for products, vendors and product categories of participating CNAs, but a request for a CVE Identifier can be made for any vulnerability. There are a couple of steps in requesting a CVE Identifier, and you can find more info here. Each new entry is assigned a standardized CVE name, a brief description and a vulnerability report, which allows researchers who scan for vulnerabilities to use this information to find known cyber threats and identify vulnerability exploits.
CVE should be considered a dictionary, an informational list of security vulnerabilities and exposures that's free to be viewed by anyone online. It's important to note that CVE is not a vulnerability database; rather, it's developed to connect different vulnerability databases and security tools. And because it's not a vulnerability database, it doesn't contain information on the risks, the fixes or technical data on the entry. But, as CVEs are directly related to vulnerability databases, you can pivot between different links to get more data, technical descriptions, fix information and more.
What is a CVE Identifier?
CVE Identifiers, also known as CVE entries, CVE IDs, CVE names or, sometimes, just CVEs, are common names for publicly known security vulnerabilities and exposures. Each has its own unique identifier. They all follow the same formula, which consists of the word "CVE", followed by the year they were added to the list and then a four-digit serial number. CVE Identifiers are assigned by MITRE but may receive their numeric ID from non-governmental commercial numbering authorities, which number the vulnerabilities and exposures found in their own products.
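A small parser for the identifier format just described, added here as an example (it is not code from the original post). It goes slightly beyond the text: the serial number is matched as four or more digits, since newer identifiers can carry five or more, and the sample report it runs over is constructed, with IDs that are not meant to refer to real entries.

```python
import re
from datetime import date
from typing import List, NamedTuple, Optional

# The CVE list was launched in 1999; no valid identifier predates it.
FIRST_CVE_YEAR = 1999

# "CVE-" + four-digit year + serial number of four or more digits.
_CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


class CveId(NamedTuple):
    """A CVE Identifier split into its two numeric parts."""
    year: int
    sequence: int

    def canonical(self) -> str:
        # Upper-case prefix, serial zero-padded to at least four digits;
        # longer serials keep all their digits.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(token: str, max_year: Optional[int] = None) -> Optional[CveId]:
    """Return a CveId if `token` is exactly one well-formed identifier, else None."""
    max_year = date.today().year if max_year is None else max_year
    m = _CVE_RE.fullmatch(token.strip())
    if m is None:
        return None
    year, seq = int(m.group(1)), int(m.group(2))
    if year < FIRST_CVE_YEAR or year > max_year:  # reject impossible years
        return None
    return CveId(year, seq)


def extract_cve_ids(text: str) -> List[str]:
    """Collect every distinct identifier mentioned in free text (a scanner
    report, an advisory, a ticket), normalised and sorted by year and serial."""
    found = {cve for m in _CVE_RE.finditer(text)
             if (cve := parse_cve_id(m.group(0))) is not None}
    return [c.canonical() for c in sorted(found)]


# Constructed sample scanner output (not real tool output): mixed case,
# one duplicate, one five-digit serial and one malformed ID.
SAMPLE_REPORT = """\
host1 smb  cve-2019-0001 missing vendor patch
host1 web  CVE-2019-0042 outdated framework
host2 smb  CVE-2019-0001 missing vendor patch
host2 app  CVE-2020-12345 five-digit serial number
host3 misc CVE-19-0001 malformed year, must be ignored
"""

if __name__ == "__main__":
    print(extract_cve_ids(SAMPLE_REPORT))
```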
Importance of CVE
Before CVE was created in 1999, there was no centralized list of common identifiers that made it possible to share information across multiple information sources, databases, tools and services.
CVE provides a standard with which you can assess the coverage of your security tools and their effectiveness. Also, organizations can check if their vulnerability scanners explore a threat in question, and then establish whether their defense systems possess the information needed to identify an exploit attempt.
What is a CNA?
CNA stands for "CVE Numbering Authority" and, as of December 2019, there are 109 of these organizations operating from 20 different countries. They include Apple, Cisco, Linux, IBM, Adobe, Oracle, Mozilla, Microsoft, Red Hat, Rapid7 and GitHub, among many others.
These organizations identify and assign CVE identifiers but also distribute them to researchers and security vendors, for public announcements of newly discovered security vulnerabilities and exposures. MITRE is considered the primary CNA; and the third "type" is the CERT Coordination Center, the emergency response team which is also authorized to assign CVE Identifiers.
Many different organizations can become a CNA, including vendors and projects, bug bounty programs, national and industry CERTs, vulnerability researchers and root CNAs. There are some requirements, though: they need to have established vulnerability management practices as well as a vulnerability disclosure policy.
As mentioned, MITRE is the primary CNA, and the CERT Coordination Center is the tertiary. So what would a root CNA be?
Root CNAs are organizations that cover a certain area or niche and oversee sub-CNAs within a community. In many cases they are large companies, such as Apple and Microsoft, that publish vulnerabilities and exposures about their own products; alternatively, they can focus on a certain type of vulnerability, the way Red Hat does for open source vulnerabilities.
Top 4 CVE databases
As we've learned, MITRE wouldn't be considered a vulnerability database; it acts as the primary CNA. There are many other vulnerability databases that help organizations develop and use patches to mitigate critical security vulnerabilities. Let's look at some of the most commonly used CVE databases:
National Vulnerability Database (NVD)
When a vulnerability or exposure is reported, MITRE records the CVE ID and a short description. Then the NVD, or National Vulnerability Database, provides a security analysis and more thorough coverage of the vulnerability.
MITRE and NVD are two separate entities, but they're synchronised: all entries from MITRE are also available in the NVD, and both are sponsored by the U.S. Department of Homeland Security. Ever since NVD was formed in 2005, it's been the dominant database for organizations and researchers relying on detailed information about vulnerabilities and exposures. It offers details about the vulnerability as well as information on the fix, and gives each entry a score based on access complexity, exploitability, remediation level and other metrics.
Vulnerability Assessment Platform (Vulners)
Vulners is the largest correlated database of vulnerabilities and exploits available, and it offers a regularly updated database drawn from more than 70 sources. Its search engine is similar enough to Google that it has been called "Google for hackers". Every entry in the database contains identifiers, definitions and severity. Vulners also offers many different products, such as a vulnerability scanner, an Nmap scanner plugin, a browser scanner extension and an AI vulnerability assessment tool. You can choose one of their plans or stick to the free account to test it.
Vulnerability Database (VulDB)
VulDB (or Vulnerability Database) is, you guessed it—a vulnerability database. It documents all security vulnerabilities disclosed for electronic products. It's used by security researchers for vulnerability management, threat intelligence and incident response, and it is a free service. VulDB analyzes current and historic vulnerability data so it can recognize trends and anticipate threats.
CVE Details
CVE Details is another free CVE vulnerability database that uses NVD's data but also draws on information sources such as Exploit Database. Its easy-to-use interface lets you browse by vendor and product as well as by date and type. CVE Details makes it easy to search for specific information about a vulnerability and is used by many individuals and by researchers working for major security vendors.
Knowing about CVEs and being able to patch them as quickly as possible is an important cybersecurity practice that more organizations need to adopt. Having centralized lists and databases makes it easy for researchers to inform their security tools, correlate data and, in the end, be prepared to patch and mitigate any threats that may come their way.