Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is designed to bring recent news about CVE, such as new compatible products, new website features, CVE in the news, etc. right to your email box. Common Vulnerabilities and Exposures (CVE) is the standard for cyber security vulnerability names. CVE content is approved by the CVE Editorial Board, which is comprised of leading representatives from the information security community. CVE Numbering Authorities (CNAs) are major OS vendors, security researchers, and research organizations that assign CVE Identifiers to newly discovered issues without directly involving MITRE in the details of the specific vulnerabilities, and include the CVE Identifiers in the first public disclosure of the vulnerabilities. Details on subscribing (and unsubscribing) to the email newsletter are at the end. Please feel free to pass this newsletter on to interested colleagues.
Comments: cve@mitre.org
-------------------------------------------------------
CVE-Announce e-newsletter/June 8, 2015
-------------------------------------------------------
Contents:
1. CVE-IDs Used throughout Qualys' Top 10 External and Top 10 Internal Vulnerabilities Lists
2. CVE Mentioned in Article about Approaches to Vulnerability Naming on Christian Science Monitor
3. CVE Mentioned in Article about a Vulnerability Affecting "Millions" of Routers and Internet of Things (IoT) Devices on ZDNet
4. CVE Mentioned in Article about "Logjam" Vulnerability on SecurityWeek
5. CVE-IDs Used throughout Websense's "Threat Report 2015"
6. CVE Mentioned in "How to Get the CVSS Right" Article on Dell's Tech Page One Blog
7. Also in this Issue
8. Details/Credits + Subscribing and Unsubscribing
FEATURE STORY:
CVE-IDs Used throughout Qualys' Top 10 External and Top 10 Internal Vulnerabilities Lists
CVE-IDs are used throughout Qualys, Inc.'s February 2015 Top 10 External and Top 10 Internal Vulnerabilities lists to uniquely identify the vulnerabilities they reference. The two lists are "dynamic lists of the most prevalent and critical security vulnerabilities in the real world."
According to the Qualys website: "Based on the Laws of Vulnerabilities, this information is computed anonymously from over 1 billion IP audits per year. The Top 10 External Vulnerabilities are the most prevalent and critical vulnerabilities which have been identified on Internet facing systems. The Top 10 Internal Vulnerabilities show this information for systems and networks inside the firewall."
Review Qualys' Top 10 External Vulnerabilities and Top 10 Internal Vulnerabilities lists at: https://www.qualys.com/research/top10/.
LINKS:
Top 10 lists -
https://www.qualys.com/research/top10/
CVE-IDs -
https://cve.mitre.org/cve
News page article -
https://cve.mitre.org/news/index.html#june032015_CVE_IDs_Used_throughout_Qualys_Top_10_External_and_Top_10_Internal_Vulnerabilities_Lists
---------------------------------------------------------------
CVE Mentioned in Article about Approaches to Vulnerability Naming on Christian Science Monitor
CVE is mentioned in a May 22, 2015 article entitled "What the security industry can learn from the World Health Organization" on Christian Science Monitor. The main topic of the article is how the "discovery of computer bugs can be marketing boons for cybersecurity firms. But one critic says the industry should take a page from the health profession and select names for flaws that aren't designed to stoke fear or generate buzz."
The author then discusses how some of the recently named bugs have been more about marketing and less about how serious they are, such as "VENOM" (i.e., CVE-2015-3456), which the National Vulnerability Database ranks "…between medium and high risk – a 7.5 out of 10. But this year alone, it has listed nearly 800 bugs as high risk, and there is no shortage of 10s. Many of those involve extraordinarily popular software programs such as major operating systems and Web browsers."
The article also includes a quote from Chris Eng, vice president of research at Veracode, who says: "What ends up happening is named vulnerabilities get more attention regardless of how much they deserve it. The intuition is, if it's branded, it's more dangerous."
The author continues: "Mr. Eng suggests that, in an ideal world, the industry could go back to the old days, and refer to vulnerabilities by their Common Vulnerabilities and Exposures numbers. 'They're only eight numbers,' he says. 'They aren't that hard to remember. And the first four are the year.'"
Visit CVE-2015-3456 at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3456 to learn more about "VENOM."
LINKS:
Article -
http://www.csmonitor.com/World/Passcode/2015/0522/What-the-security-industry-can-learn-from-the-World-Health-Organization
CVE-IDs -
https://cve.mitre.org/cve
CVE-ID Syntax Change -
https://cve.mitre.org/cve/identifiers/syntaxchange.html
News page Article -
https://cve.mitre.org/news/index.html#may282015_CVE_Mentioned_in_Article_about_Approaches_to_Vulnerability_Naming_on_Christian_Science_Monitor
---------------------------------------------------------------
CVE Mentioned in Article about a Vulnerability Affecting "Millions" of Routers and Internet of Things (IoT) Devices on ZDNet
CVE is mentioned in a May 20, 2015 article entitled "NetUSB flaw leaves 'millions' of routers, IoT devices vulnerable to hacking" on ZDNet. The main topic of the article is that "Potentially millions of routers and Internet-of-Things devices have been placed at risk of hijacking due to a stack buffer overflow security flaw."
CVE is mentioned when the author states: "…the vulnerability, CVE-2015-3036, allows for an unauthenticated attacker on a local network to trigger a kernel stack buffer overflow which causes denial-of-service or permits remote code execution. In addition, some router configurations may allow remote attacks."
The author also explains how millions of routers and Internet of Things (IoT) devices could be affected: "KCode-developed NetUSB, used in a plethora of popular routers available commercially, is used to provide USB over IP functionality. USB devices including printers and flash drives, plugged into a Linux-based system, can be granted network access over TCP port 20005 through the technology. Routers, access points and dedicated USB over IP boxes often use this proprietary software."
Visit CVE-2015-3036 at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3036 to learn more about the issue cited above.
LINKS:
ZDNet article -
http://www.zdnet.com/article/netusb-flaw-leaves-millions-of-routers-iot-devices-vulnerable-to-hacking/
CVE-IDs -
https://cve.mitre.org/cve
News page article -
https://cve.mitre.org/news/index.html#may282015_CVE_Mentioned_in_Article_about_a_Vulnerability_Affecting_Millions_of_Routers_and_IoT_Devices_on_ZDNet
---------------------------------------------------------------
CVE Mentioned in Article about "Logjam" Vulnerability on SecurityWeek
CVE is mentioned in a May 21, 2015 article entitled "Hundreds of Cloud Services Potentially Vulnerable to Logjam Attacks: Skyhigh" on SecurityWeek. The main topic of the article is the Logjam vulnerability, which, "similar to the FREAK bug, is caused due to the way the Diffie-Hellman (DHE) key exchange has been deployed. The flaw can be exploited by a man-in-the-middle (MitM) attacker to downgrade TLS connections to weak, export-grade crypto, and gain access to the data passing through the connection."
CVE is mentioned when the author states: "Logjam (CVE-2015-4000) affects all servers that support 512-bit export-grade cryptography and all modern web browsers, for which patches are being released. The vulnerability initially affected over 8 percent of the top 1 million HTTPS websites, and more than 3 percent of the browser trusted sites."
Visit CVE-2015-4000 at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000 to learn more about "Logjam."
LINKS:
SecurityWeek article -
http://www.securityweek.com/hundreds-cloud-services-potentially-vulnerable-logjam-attacks-skyhigh
CVE-IDs -
https://cve.mitre.org/cve
News page article -
https://cve.mitre.org/news/index.html#may282015_CVE_Mentioned_in_Article_about_Logjam_Vulnerability_on_SecurityWeek
---------------------------------------------------------------
CVE-IDs Used throughout Websense's "Threat Report 2015"
CVE-IDs are mentioned throughout Websense, Inc.'s "Threat Report 2015" to uniquely identify many of the vulnerabilities referenced in the report text.
According to Websense's "Websense 2015 Threat Report: Cybercrime Gets Easier, Attribution Gets Harder, Quality over Quantity and Old becomes the New" press release on April 8, 2015, the report "looks at how threat actors are gaining capabilities through the adoption of cutting-edge tools instead of technical expertise. Redirect chains, code recycling and a host of other techniques are allowing these actors to remain anonymous, making attribution time consuming, difficult and ultimately unreliable. Widespread use of older standards in lieu of newer and more secure options continues to leave systems vulnerable and exposed. A brittle infrastructure allows threats to expand into the network framework itself, including the code base of Bash, OpenSSL, and SSLv3."
According to the press release, "In 2014, 99.3 percent of malicious files used a Command & Control URL that has been previously used by one or more other malware samples. In addition, 98.2 percent of malware authors used C&C's found in five other types of malware."
The report also states that "Threat actors are blending old tactics, such as macros, in unwanted emails with new evasion techniques. Old threats are being "recycled" into new threats launched through email and web channels, challenging the most robust defensive postures. Email, the leading attack vector a decade ago, remains a very potent vehicle for threat delivery, despite the now dominant role of the web in cyberattacks. For example: In 2014, 81 percent of all email scanned by Websense was identified as malicious. This number is up 25 percent against the previous year. Websense also detected 28 percent of malicious email messages before an anti-virus signature became available."
The free report is available for download at http://www.websense.com/content/websense-2015-threat-report.aspx?intcmp=hp-promo-en-2015-threat-report.
LINKS:
Report -
http://www.websense.com/content/websense-2015-threat-report.aspx?intcmp=hp-promo-en-2015-threat-report
CVE-IDs -
https://cve.mitre.org/cve
News page article -
https://cve.mitre.org/news/index.html#may72015_CVE_Identifiers_Used_throughout_Websenses_Threat_Report_2015
---------------------------------------------------------------
CVE Mentioned in "How to Get the CVSS Right" Article on Dell's Tech Page One Blog
CVE and CVSS are the main topics of an April 17, 2015 article entitled "How to Get the CVSS Right" on Dell's Tech Page One Blog. The article explains how to use the "Common Vulnerability Scoring System (CVSS) … a free and open industry standard for assessing the severity of computer system security vulnerabilities. Currently in version 2, with an update in version 3 in development, CVSS attempts to establish a measure of how much concern a vulnerability warrants, compared to other vulnerabilities, so efforts can be prioritized. The scores are based on a series of measurements, called metrics. The scores range from 0 to 10. High vulnerabilities are those with a base score in the range 7.0-10.0, medium in 4.0-6.9 and 0-3.9 are low."
CVE is mentioned at the beginning of the article, when the author states: "For anyone dealing with software vulnerabilities, the CVE and CVSS are often their first stops in finding out the scope and details, and just about everything else they need to know about the specific vulnerability."
A CVSS calculator for scoring CVE-IDs is available on the U.S. National Vulnerability Database at https://nvd.nist.gov.
LINKS:
Article -
https://techpageone.dell.com/technology/how-to-get-the-cvss-right/
CVE-IDs -
https://cve.mitre.org/cve
CVSS calculator -
https://nvd.nist.gov
News page article -
https://cve.mitre.org/news/index.html#april232015_CVE_Mentioned_in_How_to_Get_the_CVSS_Right_Article_on_Dells_Tech_Page_One_Blog
---------------------------------------------------------------
ALSO IN THIS ISSUE:
* CVE Mentioned in Article about Vulnerabilities in Hospira Drug Pumps on SC Magazine
* CVE Mentioned in Article about WebKit Vulnerabilities in Safari Browser on ThreatPost
* CVE and CVSS Mentioned in SANS' "Cyber Threat Intelligence: Who's Using it and How?" Report
* "CVE-2015-1835" Cited in Numerous Security Advisories and News Media References about the Apache Cordova Android Vulnerability
* "CVE-2015-3456" Cited in Numerous Security Advisories and News Media References about the VENOM Vulnerability
* CVE Mentioned in Article about Attackers Exploiting Known but Unpatched Vulnerabilities on TechWeekEurope
* CVE Mentioned throughout Article about Verizon's "2015 Data Breach Investigations Report" on Computerworld
Read these stories and more news at https://cve.mitre.org/news.
---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing
Managing Editor: Steve Boyle, Cyber Security Technical Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org) maintains CVE and provides impartial technical guidance to the CVE Editorial Board and CVE Numbering Authorities on all matters related to ongoing development of CVE.
To unsubscribe from the CVE-Announce e-newsletter, open a new email message and copy the following text to the BODY of the message "SIGNOFF CVE-Announce-List", then send the message to: listserv@lists.mitre.org. To subscribe, send an email message to listserv@lists.mitre.org with the following text in the BODY of the message: "SUBSCRIBE CVE-Announce-List".
Copyright 2015, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. CVE is sponsored by US-CERT (www.us-cert.gov) in the office of Cybersecurity and Communications (www.dhs.gov/office-cybersecurity-and-communications) at the U.S. Department of Homeland Security (www.dhs.gov).
For more information about CVE, visit the CVE Web site at https://cve.mitre.org or send an email to cve@mitre.org.