The History of Common Vulnerabilities and Exposures (CVE)

5 years ago Ary Widdes

During the late 1990s, security professionals were using information assurance tools in concert with vulnerability scanners to detect and remove vulnerabilities from the systems for which they were responsible.

There’s just one problem – each security vendor has its own database with little to no crossover. Each vendor’s tool generates its own alert for detected vulnerabilities, and these alerts must be manually cross-referenced between the tools to determine if they are separate issues or multiple alerts for the same issue.

This is the scenario which spawned the Common Vulnerabilities and Exposures, or CVE, List. In January 1999, David E. Mann and Steven M. Christey of The MITRE Corporation published “Towards a Common Enumeration of Vulnerabilities” at a workshop at Purdue University.

In addition to wanting to know if multiple tools had identified the same vulnerability or not, Mann and Christey had a desire to compare the breadth and depth of coverage provided by each tool. To facilitate these needs, their whitepaper proposed creating a unified vulnerability and exposure reference list that could be used across participating assessment/IDS tools: the CVE List.

Towards a Common Enumeration of Vulnerabilities

According to the whitepaper, the original plan for the CVE List was for each vulnerability to be uniquely identifiable with no need for manual cross-referencing. The CVE List was also intended to be a complete list of known vulnerabilities and to be publicly accessible without worrying about distribution restrictions.

As a vendor-independent resource, the CVE List would leave it to vendors to decide how much of an impact a vulnerability would have on their products or systems. The List itself would not provide impact scoring. In the CVE List, each vulnerability entry would be limited to its standardized ID number, a status indicator (candidate vs accepted/rejected), a brief description of the vulnerability and any reference links to related vulnerability reports and advisories.

How MITRE grew the CVE List

After the presentation of the whitepaper, the group that would become the CVE Editorial Board was created in May 1999 to pull the initial CVE List together. The very first CVE List contained 321 vulnerabilities, chosen after careful deliberation and consideration of duplicates. In September 1999, the first CVE List was made public. MITRE announced the creation of the CVE List during a press conference. It also placed a booth at SANS 1999 to help introduce the List and promote its adoption.

In the summer of 2000, MITRE put out a request for legacy vulnerability information with the intent of adding it to the CVE List. This would create a more complete list of known vulnerabilities, especially prior to the inception of the List. MITRE received more than 8,400 submissions, which they whittled down to 900 after accounting for duplicates and by setting aside any submissions with insufficient information or that needed further consideration. By September 2001, those 900 had been further reduced to 562 CVE List candidates.

Similarly, as the end of 2000 neared, almost thirty organizations and persons had agreed to participate in the CVE List. Many of these organizations would later form the earliest CVE Numbering Authorities (CNA): Internet Security Systems (ISS), BindView, Compaq, Silicon Graphics, IBM, CERT/CC (Computer Emergency Response Team Coordination Center), Microsoft, Hewlett-Packard, Cisco Systems and Red Hat Linux. Members of these organizations also helped form the CVE Editorial Board and later formed the CVE Senior Advisory Council in 2001.

Taking CVEs to the next level

At a conference in Hawaii in June 2002, Christey delivered a progress report on the CVE Initiative along with Robert A. Martin. Among other information, the report noted that by May of 2002, the CVE List had 2,032 entries, and CVE/MITRE was receiving 150 to 200 new CVE submissions each month. Adoption of the CVE List was further boosted when NIST (National Institute of Standards and Technology) released its Special Publication 800-51 in 2002, where it recommended that U.S. agencies prefer the use of tools that use CVE Identifiers. Two years later, the U.S. Defense Information Systems Agency mandated that information assurance products used in the department use CVE Identifiers, as well.

A well-known counterpart to the CVE List, the National Vulnerability Database (NVD), was formed in 2005. NVD expands on the CVE List and, like CVE, is sponsored by the Department of Homeland Security’s Cybersecurity and Infrastructure Agency, though they are separate projects. Unlike the CVE List, which intentionally excludes scores for vulnerabilities so as to remain apart from environmental factors, NVD provides vulnerability scoring, which it bases on risk and impact. When provided by vendors, NVD attaches information on fix versions, patches and updates that resolve the vulnerability. Both the CVE List and NVD add reference links to the originating vendor advisories and any other vendor advisories that apply to the specific CVE.

When the CVE Senior Advisory Council was formed in 2001, its stated goal was to ensure that the CVE program received the funding and guidance required to maximize its effectiveness and adoption, especially with regard to the US government. Membership in the Council was and is primarily restricted to the senior executives of relevant government organizations. The Council also influences decisions made within the CVE program, though most items not relating to government sponsorship are instead handled by the Editorial Board.

By contrast, the CVE Editorial Board has a much broader membership that includes information security specialists such as commercial security-tool vendors, government agencies and academic/research institutions. The Board makes content decisions regarding the CVE List, and many of its members also do outreach work towards expanding the adoption of the List.

The Evolution of Assigning CVE Numbers

In January of 2014, the Board determined that the method by which CVEs were assigned needed to change; as things stood, only up to 9,999 CVEs were allowed per year. Prior to 2014, CVE IDs were assigned using the CVE-YYYY-NNNN format (e.g., CVE-2020-0791). The January 2014 vote by the Board updated the CVE ID syntax by extending the N portion so that more than four digits could be assigned as needed: CVE-YYYY-NNNNN. Only a year later, in January 2015, CVE-2014-10001 was assigned.
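The syntax change matters to any tool that parses CVE IDs. The following added example (not part of the original article) contrasts a matcher that hard-codes four sequence digits with one that accepts four or more, then uses the correct matcher to cross-reference alerts from two tools, the problem the CVE List was created to solve. The scanner names and alert lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Pre-2014 assumption: exactly four sequence digits, no boundary check.
LEGACY_RE = re.compile(r"CVE-\d{4}-\d{4}")
# Extended syntax: four or more sequence digits, bounded on both sides.
CURRENT_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_legacy(text):
    """What a fixed-width matcher returns: longer IDs are silently truncated."""
    return LEGACY_RE.findall(text)


def extract_ids(text):
    """Return canonical upper-case CVE IDs found in free text."""
    return [f"CVE-{year}-{seq}" for year, seq in CURRENT_RE.findall(text)]


def correlate(reports):
    """Map each CVE ID to the set of tools that reported it."""
    seen = defaultdict(set)
    for tool, lines in reports.items():
        for line in lines:
            for cve in extract_ids(line):
                seen[cve].add(tool)
    return dict(seen)


# Constructed sample alerts from two hypothetical scanners. The last line
# carries a four-digit ID chosen to equal the truncated form of the
# five-digit one, so a legacy matcher would merge two different entries.
REPORTS = {
    "scanner_a": ["host1: finding 17 maps to CVE-2020-0791",
                  "host2: finding 88 maps to cve-2014-10001"],
    "scanner_b": ["10.0.0.5 vulnerable (CVE-2014-10001)",
                  "10.0.0.7 vulnerable (CVE-2014-1000)"],
}

if __name__ == "__main__":
    print("legacy:", extract_legacy("10.0.0.5 vulnerable (CVE-2014-10001)"))
    for cve, tools in sorted(correlate(REPORTS).items()):
        print(cve, sorted(tools))
```

A truncated ID is still a well-formed ID, so the legacy matcher does not fail visibly: it attributes the finding to a different CVE entry.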

The Distributed Weakness Filing (DWF) partnered with CVE in 2016 to act as a Root CVE Numbering Authority (CNA) for the open source community. At the time, the category of Root CNA didn’t officially have status. Participants were either an organization or individual researchers who reached out to MITRE directly for CVE IDs. The addition of the DWF prompted the CVE Board to expedite what they referred to as a federated CVE system where MITRE is the primary CNA that oversees Root CNAs, which in turn oversee sub-CNAs.

In addition to re-organizing CNAs into the federated system, the CVE board also updated the rules for how CNAs are allowed to assign CVE IDs. Included in the update were stronger guidelines for CVE submissions to help reduce the potential for issuing CVE IDs for duplicate or invalid issues.

By 2018, CVE celebrated the addition of their 100th CVE Numbering Authority and further refined the CNA guidelines and CVE reporting schema. The CVE Board also discussed how to handle cloud service vulnerabilities by reflecting on when a flaw or security issue “counted” for a CVE and who was responsible for issuing the ID if the service was Infrastructure vs. Platform vs. Software. As of 2020, there did not appear to be an official consensus on this matter despite CVEs being issued for cloud service vulnerabilities.

CVE – A core part of vulnerability and patch management

Last year, in 2019, CVE celebrated 20 years of vulnerability enumeration. According to the anniversary press release, CVE had more than 100 organizations participating as CNAs from 18 countries and had enumerated more than 124,000 vulnerabilities.

A lot has changed in the 21 years since the CVE List’s inception – both in terms of technology and vulnerabilities. Without the CVE List, it’s possible that security professionals would still be using multiple tools from multiple vendors just to ensure complete coverage. It’s also possible that someone else would have created a service similar to the CVE List. Either way, from idea to whitepaper to database, the CVE List has become a core part of vulnerability and patch management.

Ary Widdles

The post “The History of Common Vulnerabilities and Exposures (CVE)” appeared first on TripWire

Source:TripWire – Ary Widdes
