CVE (Common Vulnerabilities and Exposures) is a publicly available list of identifiers and short descriptions for known security flaws, maintained so that cybersecurity professionals and organizations can refer to the same vulnerability by the same name.
It was introduced in 1999 by the MITRE Corporation, a not-for-profit that operates research centers funded by the United States government. Yes, it is the same corporation behind MITRE ATT&CK, the knowledge base of adversary tactics and techniques that many teams use alongside (or in place of) the cyber kill chain.
It has become the de facto standard across the cybersecurity industry worldwide, so anyone who wants to keep their security strategy up to date or protect their systems refers to CVE.
What is CVE?
CVE is a publicly accessible catalog of publicly disclosed vulnerabilities, each with a unique identifier of the form CVE-YYYY-NNNNN.
It is not a full vulnerability database: a CVE record alone does not carry enough technical detail (exploitability, impact, fix) to act on. A record contains the CVE ID, a brief description, references to public information, the assigning party, and dates such as when the ID was reserved and when the record was published. Severity is not part of CVE itself; that comes from CVSS, covered below.
Everyone in the cybersecurity industry refers to CVE to keep their strategies up to date. The CVE Program publishes the full list on GitHub (the cvelistV5 repository) as JSON records, and the cve.org site lets you search for or download a specific CVE.
It is important to note that CVE does not contain everything. You still have to research, keep up with the news, and watch for vulnerabilities that have not (yet) been assigned an ID. That being said, CVE is an enormous, helpful catalog.
Why Do We Need CVE?
Even though CVE is not everything, can you imagine cybersecurity without CVE?
CVE makes information accessible and gives each vulnerability one common name. A cybersecurity expert can quickly start looking for a fix, or a way to defend against a threat, by checking the CVEs associated with a piece of software or a system.
In other words, it is an essential part of the cybersecurity risk assessment process, because it gives you a precise, shared reference for the issues in your software or system.
Goals of CVE
The primary goal of CVE is to share knowledge about vulnerabilities and exposures so that everyone can defend themselves better.
Specific goals include:
Letting everyone recognize and refer to a known vulnerability by one well-known name.
Grouping security flaws by the year the ID was assigned (the year in the CVE ID, which is not necessarily the year the flaw was discovered or disclosed).
Facilitating knowledge sharing so that cybersecurity is handled better.
Giving vulnerability databases and security tools a common reference point so they can be cross-linked and compared.
Of course, with a CVE, one can better defend or resolve the problems in a product or organization to protect PII, and also add insights for digital forensics when something goes wrong.
Here’s How a CVE is Created
A CVE can only be assigned (or generated) by a partner in the CVE program.
The partner is typically a CVE Numbering Authority (CNA), or an organization with another role defined by the CVE program. A CNA assigns an ID to a vulnerability provided it meets specific criteria, which we shall explore as you read.
These CVE program partners can assign CVE IDs and publish CVE records within their scope. Examples include vendors such as Microsoft and Red Hat, as well as research organizations and bug bounty programs.
Once a vulnerability is found, the reporter, organization, or vendor has to provide the required information for it to be considered for a CVE ID. The data includes:
Type of vulnerability (SQL Injection, Buffer Overflow, etc.)
If the vendor or product team has confirmed/acknowledged the vulnerability
Attack type (physical, remote, etc.)
Potential impact of the vulnerability
Details of components affected by the vulnerability
Details on the vulnerability
Credits to the one who discovered the vulnerability (individual/organization)
Public reference to the vulnerability
When reporting, all of this information must be supplied by the individual or organization reporting the flaw.
Furthermore, if you are not a CNA and want to report a vulnerability in a product whose vendor is not a CNA, you can submit it directly to the CVE Program (MITRE acts as the CNA of Last Resort) through the request form on cve.org.
Suppose the vendor is a CNA in the list of CVE Program partners. You will then have to report the vulnerability directly to them instead of to the CVE Program.
However, before all of this, you must ensure that the vulnerability meets the minimum requirements. At a bare minimum, it must not have been reported before (check the CVE list for duplicates), and, if you are reporting in an individual capacity, the product must not be covered by an existing CNA.
Furthermore, it makes a difference whether the vulnerability has a public reference on the web. A CVE ID that has been assigned but whose record is not yet published shows as "RESERVED"; it stays that way until the record, including at least one URL with public information about the flaw, is published.
What is a CVSS?
The Common Vulnerability Scoring System (CVSS) tells you the severity (the technical impact and exploitability) of the security flaw reported in a CVE. CVSS is not managed by the same organization responsible for CVEs.
It is owned and managed by another US-based non-profit, FIRST (the Forum of Incident Response and Security Teams).
CVSS has a specification that defines how the metrics are combined into a score, and it evolves to keep up with the complexity of vulnerabilities. At the time of writing, CVSS 3.1 was the specification most databases used. FIRST has since published CVSS 4.0 (November 2023), which replaces the Temporal group with a Threat group and adds a Supplemental group, but 3.1 scores remain widely used and are what NVD shows for most existing CVEs.
While a score from 0 to 10 is as simple as it sounds, it is built from three metric groups.
The base score captures how severe the vulnerability is in itself. A temporal score then adjusts it over time as the outside world interacts with the vulnerability. Finally, the environmental score is specific to the impact on a particular organization affected by the CVE.
The base metric group describes the vulnerability itself: how it is exploited and what makes it more effective. Its metrics are Attack Vector (network, adjacent, local, or physical), Attack Complexity, Privileges Required, User Interaction, Scope, and the impact on Confidentiality, Integrity, and Availability.
The temporal metric group changes with conditions and time. It considers whether exploit code is publicly available (Exploit Code Maturity), whether a fix exists (Remediation Level), and how reliable the report is (Report Confidence).
Sometimes the root cause of a vulnerability is not known or the report is unconfirmed. In such cases, Report Confidence lowers the score; if every detail of the CVE is confirmed, the score is higher.
Ultimately, the environmental metric group is specific to the affected organization. It re-weights the impact according to how important confidentiality, integrity, and availability are for the affected asset (the Confidentiality, Integrity, and Availability Requirements).
Part of this group is referred to as the "modified base metrics" because it re-evaluates the same base factors for that specific organization's deployment.
In the National Vulnerability Database (NVD), a CVE entry shows the base score, its severity rating, and the vector string that encodes the metric values.
We mostly see the base score in every database. Temporal and environmental scores may or may not be shown, since they depend on time and on the specific organization.
The base score severity ratings are:
0.0 → None
0.1-3.9 → Low
4.0-6.9 → Medium
7.0-8.9 → High
9.0-10.0 → Critical
The higher the score, the more severe the vulnerability.
So, if a CVE includes a higher base score, it should be treated as a priority to find a fix or defend against it.
How Are the Scores Calculated?
There are several aspects of a vulnerability, like whether it influences the availability and integrity of data or the privileges required to exploit it.
For the base metrics of the CVSS score, the factors are:
Attack Vector (network, adjacent, local, physical)
Attack Complexity (low, high)
Privileges Required (none, low, high)
User Interaction (none, required)
Scope (unchanged, changed)
Confidentiality, Integrity, and Availability impact (none, low, high)
The calculation relies on equations specified by FIRST, the organization responsible for CVSS.
It is not as simple as one formula; there are sub-formulas, and you must refer to the official specification document to calculate a score. The impact side starts with:
ISS = 1 – [(1 – Confidentiality) × (1 – Integrity) × (1 – Availability)]
ISS here is the Impact Sub-Score. Each impact metric in the formula takes a constant weight:
Confidentiality/Integrity/Availability → High (0.56) | Low (0.22) | None (0)
The Impact subscore is then 6.42 × ISS when Scope is unchanged (a different polynomial applies when Scope is changed), the Exploitability subscore is 8.22 × AV × AC × PR × UI using each metric's weight, and the base score is the sum of the two, capped at 10 and rounded up to one decimal place.
If this sounds complex, one can also use the NVD Calculator to generate scores of all the metric groups without worrying about how it is calculated.
Top CVE Listings
The top (or most talked-about) CVEs are not necessarily the ones with the highest CVSS score.
Every so often, a CVE affects a huge amount of software and the organizations using it, and that alone makes it something to be more aware of.
For instance, CVE-2021-41617 is a vulnerability in OpenSSH that allows privilege escalation. While it was reported in 2021, its record has been updated since.
Not to forget Apache's Log4j vulnerability (CVE-2021-44228, "Log4Shell"), which had the entire industry worried and prompted security agencies such as CISA to issue public guidance on it.
You can comb through vulnerability databases and filter for the CVEs you find concerning, but there is no official ranking of "top" CVEs.
CVE and CVSS: Collaboration for Better Cybersecurity
While the purpose of CVE and CVSS differs, both help the cybersecurity world improve defenses.
CVEs help developers and cybersecurity experts know which vulnerabilities are associated with a product or system.
On the other hand, CVSS makes that information more meaningful by telling us how severe the flaw is, and therefore what priority it should get from the organization or vendor.
When you visit the CVE website (cve.org) or the NVD, you can browse known vulnerabilities and check the latest reported ones. You get the necessary details for each vulnerability, including the CVE ID, the CVSS score and vector (per the specification version used), and the dates it was reserved and published.
VulDB is a vulnerability database that offers limited access to the latest information for free.
It offers a premium subscription to get better insights into the vulnerability. Users who need support, technical details, coverage, threat intelligence, and more can opt for the paid subscription.
On the other hand, a security advisory might list CVEs as per its CVSS to highlight the importance or reflect its priority order.
In some cases, like Microsoft, you must sign up to receive security notifications and stay current on what’s latest.
Neither CVE nor CVSS is inherently limited in scope. However, on their own they do not give you the complete picture of a vulnerability. You still have to research the reported CVE using a vulnerability database and assess the product or system to see how it can be fixed or defended.
Not to forget, CVE and CVSS are of little direct use to end-users, who are better served by the basics of cybersecurity, such as keeping software updated.
CVE vs CVSS
CVE is a list of known security flaws with some associated data, such as the date, a brief description, and the vendor related to it. CVSS is a scoring system that helps cybersecurity experts know the severity of a CVE. They are managed by different US-based non-profit organizations, but they complement each other in all kinds of use cases and help improve the state of cybersecurity.
We need a lot of information for cybersecurity strategies, and at times it can be overwhelming.
However, having CVE and CVSS as shared standards to refer to makes things more straightforward.
CVE and CVSS are essential things to consider, and they paved the way for better vulnerability databases. Furthermore, they make information on security flaws accessible and easy to understand. You need both of them to stay ahead in cybersecurity.