3. What is a CVE?
• CVE, short for Common Vulnerabilities and Exposures,
is a list of publicly disclosed computer security
flaws. When someone refers to a CVE, they mean a
security flaw that has been assigned a CVE ID number.
• Security advisories issued by vendors and researchers
almost always mention at least one CVE ID. CVEs help
IT professionals coordinate their efforts to
prioritize and address these vulnerabilities to make
computer systems more secure.
4. How does the CVE system work?
• CVE is overseen by the MITRE corporation with funding
from the Cybersecurity and Infrastructure Security
Agency, part of the U.S. Department of Homeland Security.
• The National Vulnerability Database (NVD) is a database
of publicly-known security vulnerabilities, and the CVE
IDs are used as globally-unique tracking numbers.
5. How are CVE IDs Used?
• Each entry in the CVE dictionary is identified by a
CVE ID. The ID has the format CVE-year-number.
• CVE IDs are assigned to specific vulnerabilities that
occur in software.
• Why software?
• When security researchers are discussing vulnerabilities
in a particular version of a software product, it is
much clearer to refer to the vulnerability by the CVE
ID than by the name and version of the software.
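An added example (not from the original slides) of handling the CVE-year-number format in practice: it pulls CVE IDs out of advisory text, validates them, and sorts them numerically. The advisory text and the CVE-2099-* IDs are constructed placeholders, and the function names are hypothetical.

```python
import re

# CVE-<4-digit year>-<sequence number>. Since the 2014 syntax change the
# sequence number has four OR MORE digits, so it is not fixed-width.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
# Reference URL pattern as used on these slides.
REF_URL = "https://cve.mitre.org/cgi-bin/cvename.cgi?name={}"


def parse_cve_id(text):
    """Return (year, number) for a well-formed CVE ID, otherwise None."""
    m = CVE_RE.fullmatch(text.strip())
    if not m:
        return None
    year, seq = m.group(1), m.group(2)
    if int(year) < 1999:                  # the first CVE IDs are CVE-1999-*
        return None
    if len(seq) > 4 and seq[0] == "0":    # zeros only pad up to four digits
        return None
    return int(year), int(seq)


def extract_cve_ids(advisory):
    """Find, normalise, de-duplicate and numerically sort CVE IDs in text."""
    found = set()
    for m in CVE_RE.finditer(advisory):
        parsed = parse_cve_id(m.group(0))
        if parsed:
            found.add(parsed)
    # Sort on integers: as strings, "123456" would sort before "9999".
    return [f"CVE-{y}-{n:04d}" for y, n in sorted(found)]


def reference_url(cve_id):
    return REF_URL.format(cve_id)


# Constructed advisory text. The CVE-2099-* IDs are made-up placeholders.
SAMPLE_ADVISORY = """
Fixed in this release: cve-2015-0001 and CVE-2014-0001 (related: CVE-1999-0001).
CVE-2014-0001 is listed twice. Placeholders: CVE-2099-123456, CVE-2099-9999.
Malformed and ignored: CVE-2014-001, CVE-14-0001, CVE-2014-00001.
"""

if __name__ == "__main__":
    for cve in extract_cve_ids(SAMPLE_ADVISORY):
        print(cve, reference_url(cve))
```

Tools that assume a fixed four-digit sequence number truncate or mis-sort longer IDs, which is why the sort here is done on integers.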
7. First CVE
• First CVE in the world
• ip_input.c in BSD-derived TCP/IP implementations allows remote
attackers to cause a denial of service (crash or hang) via crafted
packets
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0001
• Assigning CNA
• MITRE Corporation
8. First CVE Microsoft
• First CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0007
9. Is the CVE ID range defined for an organization?
• No.
• Example:
• CVE-2014-0001 - Buffer overflow in client/mysql.cc in Oracle MySQL
• Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0001
• CVE-2015-0001 - The Windows Error Reporting (WER) component in
Microsoft Windows 8, Windows 8.1
• Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0001
10. How are CVE IDs Assigned?
• MITRE is the primary maintainer of CVE, and so the
primary assigner of CVE IDs.
• MITRE has designated a small group of third-party
organizations as CVE Numbering Authorities (CNAs).
• This means these organizations have limited authority
to assign CVE IDs without MITRE.
11. What is a CNA?
• CVE Numbering Authorities (CNAs) are organizations from
around the world that are authorized to assign CVE IDs
to vulnerabilities affecting products.
• CNA Program Worldwide
• There are 146 organizations from 25 countries
participating as CNAs as of November 20, 2020
• List of CNAs
• https://cve.mitre.org/cve/request_id.html#cna_participants
13. How can I request a CVE ID?
• To request a CVE ID when the vulnerability is NOT public:
• Contact the vendor that provides the vulnerable product, if the
vendor is a CNA (https://cve.mitre.org/cve/cna.html).
• Request a CVE directly from MITRE by submitting the
CVE form (https://cveform.mitre.org/).
• If you have trouble reaching a vendor or require other assistance
in coordinating and disclosing your vulnerability, feel free to
contact us (the CERT/CC) for assistance (cert@cert.org) or
https://www.kb.cert.org/vuls/report/
18. Delay in updating the CVE List
• After you receive the email, it takes 30 minutes for
the update to take place.
• https://twitter.com/CVEnew
• https://github.com/CVEProject/cvelist
19. Goals of CVE
• Publicly disclose vulnerabilities in software/products
• Investigate the importance of a vulnerability (score)
• Quick updates by companies (Red Hat, SUSE)
23. Openwall Project
• Openwall GNU/*/Linux (or Owl for short) is a small
security-enhanced Linux distribution for servers,
appliances, and virtual appliances.