SlideShare a Scribd company logo

How to assign a CVE to yourself?

Download as PPTX, PDF
R
Ramin Farajpour Cami

How to assign a CVE to yourself

Technology
1 of 25
Whoami? • Security Researcher • Google, Apple, Twitter, Yahoo, Ebay, BlackBery, ... • Vulnerability Researcher at RavinAcademy • Open Source Contribute • Django, Wget, OpenConnect, libssh, ... • Windows/Linux System Programmer with Clang 2 • Twitter : @MF4rr3ll • Github : @raminfp
What is a CVE? 3 • CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw that's been assigned a CVE ID number • Security advisories issued by vendors and researchers almost always mention at least one CVE ID. CVEs help IT professionals coordinate their efforts to prioritize and address these vulnerabilities to make computer systems more secure.
How does the CVE system work? 4 • CVE is overseen by the MITRE corporation with funding from the Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security. • The National Vulnerability Database (NVD) is a database of publicly-known security vulnerabilities, and the CVE IDs are used as globally-unique tracking numbers.
How are CVE IDs Used? 5 • The CVE dictionary is enumerated with a CVE ID. The ID has the format CVE-year-number. • CVE IDs are assigned to specific vulnerabilities that occur in software. • Why software? • When security researchers are discussing vulnerabilities in a particular version of a software product, it is much more clear to refer to the vulnerability by the CVE ID than by the name and version of the software.
CVE Range 6
First CVE 7 • First CVE in the world • ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0001 • Assigning CNA • MITRE Corporation
First CVE Microsoft 8 • First CVE : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0007
Is the CVE ID range defined for an organization? 9 • NO, • Exmaple: • CVE-2014-0001 - Buffer overflow in client/mysql.cc in Oracle MySQL • Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0001 • CVE-2015-0001 - The Windows Error Reporting (WER) component in Microsoft Windows 8, Windows 8.1 • Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0001
How are CVE IDs Assigned? 10 • MITRE is the primary maintainer of CVE,So primary assigner for CVE IDs. • MITRE has designated a small group of third party organizations as CVE Numbering Authorities (CNAs) • meaning these organizations have limited authority on assigning CVE IDs without MITRE
What’s is CNA? 11 • CVE Numbering Authorities (CNAs) are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products, • CNA Program Worldwide • There are 146 organizations from 25 countries participating as CNAs as of November 20, 2020 • List of CAN • https://cve.mitre.org/cve/request_id.html#cna_participants
12 Diagram
How can I request a CVE ID? 13 • To request a CVE ID if the vulnerability is NOT public? • Contact the vendor that provides the vulnerability product, if the vendor is a CNA. (https://cve.mitre.org/cve/cna.html) • Request a CVE directly from MITRE by submitting the formcve.(https://cveform.mitre.org/ ) • if you have trouble reaching a vendor or require other assistance in coordinating and disclosing your vulnerability, feel free to contact us (the CERT/CC) for assistance (cert@cert.org) Or https://www.kb.cert.org/vuls/report/
DEMO 14 Submit request CVE
How can I request a CVE ID? (acknowledged) 15
CVE Assigned (Response) 16
17 Request CVE Of RedHat Team (secalert@redhat.com)
Delay in update CVE List 18 • It takes 30 minutes for the update to take place when you receive the email. • https://twitter.com/CVEnew • https://github.com/CVEProject/cvelist
Goal CVE 19 • Public vulnerability of software/product • Investigate the importance of vulnerability (SCORE) • Quick update by corporate (RedHat, Suse)
CVE-2019-20839 20 • https://ubuntu.com/security/CVE-2019-20839 • https://security-tracker.debian.org/tracker/CVE-2019- 20839 • https://www.suse.com/security/cve/CVE-2019-20839/ • https://www.rapid7.com/db/vulnerabilities/debian-cve- 2019-20839/ • https://access.redhat.com/security/cve/cve-2019-20839
Is each report approved for CVE? 21
Is each report approved for CVE? 22
Openwall Project 23 • Openwall GNU/*/Linux (or Owl for short) is a small security-enhanced Linux distribution for servers, appliances, and virtual appliances.
Openwall Malilist 24
Question? https://twitter.com/ravinacademy https://www.linkedin.com/company/ravin-academy/about/ https://t.me/ravinacademy info@ravinacademy.com

Recommended

Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksHunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksF _
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesImperva
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersOllie Whitehouse
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware AnalysisRamin Farajpour Cami
 
Advanced red teaming all your badges are belong to us
Advanced red teaming all your badges are belong to usAdvanced red teaming all your badges are belong to us
Advanced red teaming all your badges are belong to usPriyanka Aash
 
PROGRAMMING AND CYBER SECURITY
PROGRAMMING AND CYBER SECURITYPROGRAMMING AND CYBER SECURITY
PROGRAMMING AND CYBER SECURITYSylvain Martinez
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...AlienVault
 
Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Yuval Sinay, CISSP, C|CISO
 

Recommended

Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksHunting The Shadows: In Depth Analysis of Escalated APT Attacks
Hunting The Shadows: In Depth Analysis of Escalated APT AttacksF _
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesHiding in Plain Sight: The Danger of Known Vulnerabilities
Hiding in Plain Sight: The Danger of Known VulnerabilitiesImperva
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersIntroduction to Advanced Persistent Threats (APT) for Non-Security Engineers
Introduction to Advanced Persistent Threats (APT) for Non-Security EngineersOllie Whitehouse
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware AnalysisRamin Farajpour Cami
 
Advanced red teaming all your badges are belong to us
Advanced red teaming all your badges are belong to usAdvanced red teaming all your badges are belong to us
Advanced red teaming all your badges are belong to usPriyanka Aash
 
PROGRAMMING AND CYBER SECURITY
PROGRAMMING AND CYBER SECURITYPROGRAMMING AND CYBER SECURITY
PROGRAMMING AND CYBER SECURITYSylvain Martinez
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...AlienVault
 
Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Common Techniques To Identify Advanced Persistent Threat (APT)
Common Techniques To Identify Advanced Persistent Threat (APT)Yuval Sinay, CISSP, C|CISO
 
Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsSameer Thadani
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationSatria Ady Pradana
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Dan Morrill
 
Security precognition chaos engineering in incident response
Security precognition chaos engineering in incident responseSecurity precognition chaos engineering in incident response
Security precognition chaos engineering in incident responsePriyanka Aash
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016grecsl
 
Breaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsBreaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsPriyanka Aash
 
Down The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalDown The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalSatria Ady Pradana
 
Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspective Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspectiveDr. Anish Cheriyan (PhD)
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiAllanGray11
 
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...HITCON GIRLS
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Hacking ble smartwatch
Hacking ble smartwatch Hacking ble smartwatch
Hacking ble smartwatch idsecconf
 
(SACON) Wayne Tufek - chapter five - attacks
(SACON) Wayne Tufek - chapter five - attacks(SACON) Wayne Tufek - chapter five - attacks
(SACON) Wayne Tufek - chapter five - attacksPriyanka Aash
 
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - HowardBirds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - HowardHITCON GIRLS
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testingMohit Belwal
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 
Detect & Remediate Malware & Advanced Targeted Attacks
Detect & Remediate Malware & Advanced Targeted AttacksDetect & Remediate Malware & Advanced Targeted Attacks
Detect & Remediate Malware & Advanced Targeted AttacksImperva
 
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...Luigi Delgrosso
 
Common Vulnerabilities and Exposures details
Common Vulnerabilities and Exposures detailsCommon Vulnerabilities and Exposures details
Common Vulnerabilities and Exposures detailsnizlin1
 
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal orePHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal oreAlexander Leonov
 

More Related Content

What's hot

Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsSameer Thadani
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationSatria Ady Pradana
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsSergey Soldatov
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Dan Morrill
 
Security precognition chaos engineering in incident response
Security precognition chaos engineering in incident responseSecurity precognition chaos engineering in incident response
Security precognition chaos engineering in incident responsePriyanka Aash
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016grecsl
 
Breaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsBreaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsPriyanka Aash
 
Down The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalDown The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalSatria Ady Pradana
 
Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspective Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspectiveDr. Anish Cheriyan (PhD)
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiAllanGray11
 
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...HITCON GIRLS
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
 
Hacking ble smartwatch
Hacking ble smartwatch Hacking ble smartwatch
Hacking ble smartwatch idsecconf
 
(SACON) Wayne Tufek - chapter five - attacks
(SACON) Wayne Tufek - chapter five - attacks(SACON) Wayne Tufek - chapter five - attacks
(SACON) Wayne Tufek - chapter five - attacksPriyanka Aash
 
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - HowardBirds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - HowardHITCON GIRLS
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesOWASP Delhi
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testingMohit Belwal
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?btpsec
 
Detect & Remediate Malware & Advanced Targeted Attacks
Detect & Remediate Malware & Advanced Targeted AttacksDetect & Remediate Malware & Advanced Targeted Attacks
Detect & Remediate Malware & Advanced Targeted AttacksImperva
 
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...Luigi Delgrosso
 

What's hot (20)

Persistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent ThreatsPersistence is Key: Advanced Persistent Threats
Persistence is Key: Advanced Persistent Threats
 
Python-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming OperationPython-Assisted Red-Teaming Operation
Python-Assisted Red-Teaming Operation
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)Understanding advanced persistent threats (APT)
Understanding advanced persistent threats (APT)
 
Security precognition chaos engineering in incident response
Security precognition chaos engineering in incident responseSecurity precognition chaos engineering in incident response
Security precognition chaos engineering in incident response
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
 
Breaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration testsBreaking and entering how and why dhs conducts penetration tests
Breaking and entering how and why dhs conducts penetration tests
 
Down The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security ProfessionalDown The Rabbit Hole, From Networker to Security Professional
Down The Rabbit Hole, From Networker to Security Professional
 
Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspective Ethical Hacking Conference 2015- Building Secure Products -a perspective
Ethical Hacking Conference 2015- Building Secure Products -a perspective
 
Continuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash BaraiContinuous Automated Red Teaming (CART) - Bikash Barai
Continuous Automated Red Teaming (CART) - Bikash Barai
 
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
 
Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
 
Hacking ble smartwatch
Hacking ble smartwatch Hacking ble smartwatch
Hacking ble smartwatch
 
(SACON) Wayne Tufek - chapter five - attacks
(SACON) Wayne Tufek - chapter five - attacks(SACON) Wayne Tufek - chapter five - attacks
(SACON) Wayne Tufek - chapter five - attacks
 
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - HowardBirds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resourcesGetting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testing
 
What is Penetration Testing?
What is Penetration Testing?What is Penetration Testing?
What is Penetration Testing?
 
Detect & Remediate Malware & Advanced Targeted Attacks
Detect & Remediate Malware & Advanced Targeted AttacksDetect & Remediate Malware & Advanced Targeted Attacks
Detect & Remediate Malware & Advanced Targeted Attacks
 
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
 

Similar to How to assign a CVE to yourself?

Common Vulnerabilities and Exposures details
Common Vulnerabilities and Exposures detailsCommon Vulnerabilities and Exposures details
Common Vulnerabilities and Exposures detailsnizlin1
 
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal orePHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal oreAlexander Leonov
 
AusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesAusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesDavid Jorm
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerSteve Poole
 
2.Public Vulnerability Databases
2.Public Vulnerability Databases2.Public Vulnerability Databases
2.Public Vulnerability Databasesphanleson
 
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckSoftware Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckBlack Duck by Synopsys
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsIBM Security
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsBlack Duck by Synopsys
 
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...Alexander Leonov
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliveryBlack Duck by Synopsys
 
Secure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackSecure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackTim Mackey
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012DaveEdwards12
 
Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!VAddy
 
Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!ichikaway
 
CRA - overview of vulnerability handling
CRA - overview of vulnerability handlingCRA - overview of vulnerability handling
CRA - overview of vulnerability handlingOlle E Johansson
 
Effective Prioritization Through Exploit Prediction
Effective Prioritization Through Exploit Prediction Effective Prioritization Through Exploit Prediction
Effective Prioritization Through Exploit Prediction Jonathan Cran
 

Similar to How to assign a CVE to yourself? (20)

Common Vulnerabilities and Exposures details
Common Vulnerabilities and Exposures detailsCommon Vulnerabilities and Exposures details
Common Vulnerabilities and Exposures details
 
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal orePHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
PHDays 8: Vulnerability Databases. Sifting thousands tons of verbal ore
 
Ids 004 cve
Ids 004 cveIds 004 cve
Ids 004 cve
 
BNYMellon - CVE 101.pdf
BNYMellon - CVE 101.pdfBNYMellon - CVE 101.pdf
BNYMellon - CVE 101.pdf
 
Life of a CVE
Life of a CVELife of a CVE
Life of a CVE
 
AusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesAusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternatives
 
Secure Coding and Threat Modeling
Secure Coding and Threat ModelingSecure Coding and Threat Modeling
Secure Coding and Threat Modeling
 
Java application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developerJava application security the hard way - a workshop for the serious developer
Java application security the hard way - a workshop for the serious developer
 
2.Public Vulnerability Databases
2.Public Vulnerability Databases2.Public Vulnerability Databases
2.Public Vulnerability Databases
 
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black DuckSoftware Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
Software Security Assurance for DevOps - Hewlett Packard Enterprise + Black Duck
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
Empowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOpsEmpowering Application Security Protection in the World of DevOps
Empowering Application Security Protection in the World of DevOps
 
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
PHDays 9: new methods of Vulnerability Prioritization in Vulnerability Manage...
 
Secure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous deliverySecure application deployment in the age of continuous delivery
Secure application deployment in the age of continuous delivery
 
Secure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStackSecure application deployment in Apache CloudStack
Secure application deployment in Apache CloudStack
 
Top Application Security Trends of 2012
Top Application Security Trends of 2012Top Application Security Trends of 2012
Top Application Security Trends of 2012
 
Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!Vulnerabilities are bugs, Let's Test For Them!
Vulnerabilities are bugs, Let's Test For Them!
 
Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!Vulnerabilities are bugs, Let's test for them!
Vulnerabilities are bugs, Let's test for them!
 
CRA - overview of vulnerability handling
CRA - overview of vulnerability handlingCRA - overview of vulnerability handling
CRA - overview of vulnerability handling
 
Effective Prioritization Through Exploit Prediction
Effective Prioritization Through Exploit Prediction Effective Prioritization Through Exploit Prediction
Effective Prioritization Through Exploit Prediction
 

Recently uploaded

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 

Recently uploaded (20)

WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 

How to assign a CVE to yourself?

  • 1.
  • 2. Whoami? • Security Researcher • Google, Apple, Twitter, Yahoo, Ebay, BlackBery, ... • Vulnerability Researcher at RavinAcademy • Open Source Contribute • Django, Wget, OpenConnect, libssh, ... • Windows/Linux System Programmer with Clang 2 • Twitter : @MF4rr3ll • Github : @raminfp
  • 3. What is a CVE? 3 • CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw that's been assigned a CVE ID number • Security advisories issued by vendors and researchers almost always mention at least one CVE ID. CVEs help IT professionals coordinate their efforts to prioritize and address these vulnerabilities to make computer systems more secure.
  • 4. How does the CVE system work? 4 • CVE is overseen by the MITRE corporation with funding from the Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security. • The National Vulnerability Database (NVD) is a database of publicly-known security vulnerabilities, and the CVE IDs are used as globally-unique tracking numbers.
  • 5. How are CVE IDs Used? 5 • The CVE dictionary is enumerated with a CVE ID. The ID has the format CVE-year-number. • CVE IDs are assigned to specific vulnerabilities that occur in software. • Why software? • When security researchers are discussing vulnerabilities in a particular version of a software product, it is much more clear to refer to the vulnerability by the CVE ID than by the name and version of the software.
  • 7. First CVE 7 • First CVE in the world • ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0001 • Assigning CNA • MITRE Corporation
  • 8. First CVE Microsoft 8 • First CVE : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0007
  • 9. Is the CVE ID range defined for an organization? 9 • NO, • Exmaple: • CVE-2014-0001 - Buffer overflow in client/mysql.cc in Oracle MySQL • Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0001 • CVE-2015-0001 - The Windows Error Reporting (WER) component in Microsoft Windows 8, Windows 8.1 • Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0001
  • 10. How are CVE IDs Assigned? 10 • MITRE is the primary maintainer of CVE,So primary assigner for CVE IDs. • MITRE has designated a small group of third party organizations as CVE Numbering Authorities (CNAs) • meaning these organizations have limited authority on assigning CVE IDs without MITRE
  • 11. What’s is CNA? 11 • CVE Numbering Authorities (CNAs) are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products, • CNA Program Worldwide • There are 146 organizations from 25 countries participating as CNAs as of November 20, 2020 • List of CAN • https://cve.mitre.org/cve/request_id.html#cna_participants
  • 13. How can I request a CVE ID? 13 • To request a CVE ID if the vulnerability is NOT public? • Contact the vendor that provides the vulnerability product, if the vendor is a CNA. (https://cve.mitre.org/cve/cna.html) • Request a CVE directly from MITRE by submitting the formcve.(https://cveform.mitre.org/ ) • if you have trouble reaching a vendor or require other assistance in coordinating and disclosing your vulnerability, feel free to contact us (the CERT/CC) for assistance (cert@cert.org) Or https://www.kb.cert.org/vuls/report/
  • 15. How can I request a CVE ID? (acknowledged) 15
  • 17. 17 Request CVE Of RedHat Team (secalert@redhat.com)
  • 18. Delay in update CVE List 18 • It takes 30 minutes for the update to take place when you receive the email. • https://twitter.com/CVEnew • https://github.com/CVEProject/cvelist
  • 19. Goal CVE 19 • Public vulnerability of software/product • Investigate the importance of vulnerability (SCORE) • Quick update by corporate (RedHat, Suse)
  • 20. CVE-2019-20839 20 • https://ubuntu.com/security/CVE-2019-20839 • https://security-tracker.debian.org/tracker/CVE-2019- 20839 • https://www.suse.com/security/cve/CVE-2019-20839/ • https://www.rapid7.com/db/vulnerabilities/debian-cve- 2019-20839/ • https://access.redhat.com/security/cve/cve-2019-20839
  • 21. Is each report approved for CVE? 21
  • 22. Is each report approved for CVE? 22
  • 23. Openwall Project 23 • Openwall GNU/*/Linux (or Owl for short) is a small security-enhanced Linux distribution for servers, appliances, and virtual appliances.