Wednesday, August 26, 2020

CVE Announce - August 26, 2020 (opt-in newsletter from the CVE website)


CVE Announce e-newsletter — August 26, 2020

Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up to date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the de facto international standard for vulnerability identification and naming. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:

1. Electronic Arts, F-Secure, Gallagher, Replicated, Synaptics, VDOO, and Zabbix Added as CVE Numbering Authorities (CNAs)
2. CVE Blog: “Our CVE Story: Rapid7”
3. Process for Assigning CVE IDs to End-of-Life (EOL) Products
4. CVE in the News
5. Keeping Up with CVE


Electronic Arts, F-Secure, Gallagher, Replicated, Synaptics, VDOO, and Zabbix Added as CVE Numbering Authorities (CNAs)

Seven additional organizations are now CNAs:

1. Electronic Arts, Inc. for EA issues only.
2. F-Secure for all F-Secure products and security vulnerabilities discovered by F-Secure in third-party software not in another CNA’s scope.
3. Gallagher Group Ltd. for all Gallagher security products only.
4. Replicated, Inc. for Replicated products and services only.
5. Synaptics, Inc. for Synaptics issues only.
6. VDOO Connected Trust Ltd. for all VDOO products (supported products and end-of-life/end-of-service products); vulnerabilities in third-party software discovered by VDOO that are not in another CNA’s scope; and vulnerabilities in third-party software discovered by external researchers and disclosed to VDOO (including any embedded devices and their associated mobile applications) that are not in another CNA’s scope.
7. Zabbix LLC for Zabbix products and Zabbix projects listed on https://git.zabbix.com/ only.

To date, 136 organizations from 24 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Entries to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID on the CVE website.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2020/news.html#August192020_Electronic_Arts_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#August102020_F-Secure_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#August102020_VDOO_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#July272020_Gallagher_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#July202020_Replicated_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#July142020_Zabbix_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2020/news.html#July072020_Synaptics_Added_as_CVE_Numbering_Authority_CNA


CVE Blog: “Our CVE Story: Rapid7”

Guest author Tod Beardsley of Rapid7 is a CVE Board Member as the CNA Coordination Working Group Liaison, and Rapid7 is a CNA.

Back in 2016, something new and exciting was afoot in the CVE Program and at Rapid7. After a particularly troubled period for the program, the CVE Program was looking for partners in its newest mandate to federate the CVE Program and share the load across new kinds of CVE Numbering Authorities (CNAs). Over its decades-spanning history, things in Coordinated Vulnerability land were getting, well, kind of out of hand. MITRE was (and still is) the “CNA of Last Resort (CNA-LR),” and, while a number of prominent tech companies were already signed up as CNAs, those companies really only issued CVE IDs against their own products.

By the mid-2010s, it became clear that these few tech companies were the source of only a tiny minority of CVE-able software. Turns out, every company is a tech company, pumping out their own applications and software stacks, and increasingly, this CNA of last resort became the CNA of first resort. CERT/CC and other national CERTs around the world could also issue CVEs, but they were primarily focused on matters of civilian government information security.

In the meantime, Rapid7 had established itself as a leading voice for the cause of free and open source security — not just software, but the philosophy of transparency when it comes to security issues and their mitigations. Both Rapid7 and the CVE Program felt that we would do well as natural partners in the mission to enumerate all common vulnerabilities, and in December of 2016, we were named a research CNA.

Becoming a CNA was particularly exciting for me, since coordinated vulnerability disclosure is kind of My Thing. From my teen days of running an underground BBS distributing security know-how in the 1980s (okay, they were hacking docs and how-tos on building red boxes) through my work as a technical lead on the Metasploit Framework, I’ve spent the balance of my life trying to educate people about the realities of hacking and security. Now, armed with a clutch of our very own CVEs, we could start distributing CVE IDs to all and sundry researchers who were doing the right thing by publishing valuable security research and Metasploit modules. This bit of coordination can be a huge hassle for individual researchers, so serving as a CNA for public researchers takes at least that part of the pain out of the coordinated vulnerability process.

It also meant that Rapid7 really had to ramp up and formalize our own internal vulnerability reporting processes. Software developers far prefer working on feature requests rather than patching up embarrassing bugs, but, after all, Rapid7 is a security company, so we all knew we had to lead by example here.

In other words, becoming a CNA forces us to actually practice what we preach with coordinated disclosure and own up to our own (fixed) vulnerabilities as they come up, and I think we’re a much better company for it. It’s like the difference between having a gym membership and having a trainer pestering you to actually go. Being a CNA gives us that external pressure to do the right thing we wanted to do anyway, and for that, I’m super grateful to be a part of the program.

If you’re reading this, and thinking about becoming a CNA to score those sweet security gains, click here to get started; it really is pretty healthy for you, your products, and ultimately, your customers, and as an added bonus, the people involved are some of the kindest and smartest people around the coordinated disclosure scene. It's really a pleasure to work with the CVE Program on this, and I’m looking forward to many more years in this partnership.

Tod Beardsley
Director of Research
Rapid7

Comments or Questions?
If you have any questions about this article, please use the CVE Request Web Form and select “Other” from the dropdown menu to contact the CVE Program. We look forward to hearing from you!

Read on CVE website or share:
https://cve.mitre.org/blog/August182020_Our_CVE_Story_Rapid7.html


Process for Assigning CVE IDs to End-of-Life (EOL) Products

The mission of the CVE Program is to identify, define, and catalog publicly disclosed vulnerabilities, regardless of the status of the software in question. Issuing CVE IDs for software that has reached EOL supports this mission.

As part of issuing a CVE ID, many vendors perform due diligence to validate and remediate disclosed vulnerabilities for supported products. By definition, EOL products are typically no longer supported by vendors. Vendors are under no obligation to validate vulnerability reports in EOL software: doing so can be cost prohibitive because the relevant expertise may no longer be available, it may disrupt release schedules for supported products, or there may be other legitimate business justifications. However, to be consistent with the CVE Program mission, publicly disclosed vulnerabilities may warrant CVE assignment, even in cases where the product was out-of-scope for CVE assignment by the vendor CNA.

The CVE Program has established a set of “program principles” related to assigning CVE IDs to EOL products that applies to all program participants. The principles guided the development of a policy that balances the legitimate equities of CVE Numbering Authorities (CNAs) and the CVE Program.

CVE Program Principles for EOL Products

  • CVE IDs may be assigned for vulnerabilities in EOL products.
  • There are no expectations of vendors to either investigate or correct vulnerabilities reported in EOL products.
  • Vendor CNAs have the first “right-of-refusal” in issuing CVE IDs for their products but cannot stop the assignment of a CVE ID if deemed appropriate by the program.
  • If a Vendor CNA does not assign, the CNA of Last Resort (CNA-LR) will work with both parties (Vendor CNA and the Reporter) to determine whether or not to assign a CVE ID to a vulnerability in an EOL product.
  • CVE IDs assigned for EOL products are to be tagged with an Unsupported When Assigned tag. This will enable community stakeholders to rapidly identify CVE records for EOL products.


Vulnerability Reporters who wish to request a CVE ID for EOL software will be required to provide some means of depicting how the issue was discovered and proof of the vulnerability’s existence to the vendor/CNA and the CVE Program.

The CVE Program does not require vendors to validate, test, or fix vulnerabilities discovered in EOL products, and vendors are under no obligation to do so. Products entering EOL status is a reality of the software world; while vendors have different EOL policies, software products are eventually replaced by new products. However, many organizations run EOL products. Therefore, consistent with the CVE Program mission, should valid vulnerabilities be reported to the CVE Program and be publicly disclosed, the CVE Program will assign a CVE ID to serve the needs of those still running EOL products. It is important for those running EOL products to know they are vulnerable, and that no patch will be forthcoming. Issuing CVE IDs for EOL products provides the means for alerting the community to an EOL vulnerability as well as for providing information on how those running EOL software can upgrade to a supported product.

For detailed information about the CVE Program’s transparent EOL policy, visit the CVE Program’s End of Life Vulnerability Assignment Process on the CVE website.

Read on CVE website or share:
https://cve.mitre.org/blog/July312020_Process_for_Assigning_CVE_IDs_to_End_of_Life_EOL_Products.html


CVE in the News

6 Factors to Consider in Evaluating CVE Importance
https://securityboulevard.com/2020/08/6-factors-to-consider-in-evaluating-cve-importance/

New Vulnerability Could Put IoT Devices at Risk
https://securityintelligence.com/posts/new-vulnerability-could-put-iot-devices-at-risk/

Potential Apache Struts 2 RCE flaw fixed, PoCs released
https://www.helpnetsecurity.com/2020/08/17/cve-2019-0230/

Citrix Urges Patch of Critical XenMobile Server Vulnerabilities
https://healthitsecurity.com/news/citrix-urges-patch-of-critical-xenmobile-server-vulnerabilities

TeamViewer flaw could be exploited to crack users’ password
https://www.helpnetsecurity.com/2020/08/06/cve-2020-13699/


Keeping Up with CVE

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Entries
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVEProject - GitHub
CVE Documentation - GitHub
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

Common Vulnerabilities and Exposures (CVE®) is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2020, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.
