Sunday, February 14, 2021

CVE Announce - February 14, 2021 (opt-in newsletter from the CVE website)

CVE Announce e-newsletter — February 14, 2021


Welcome to the latest issue of the CVE Announce e-newsletter. This newsletter is intended to keep you up to date on recent news about CVE, such as advancements in the program, new CNAs, CVE in the news, and more. Common Vulnerabilities and Exposures (CVE®) is the de facto international standard for vulnerability identification and naming. The CVE Board provides oversight and input into CVE’s strategic direction, ensuring CVE meets the vulnerability identification needs of the global technology community. CVE Numbering Authorities (CNAs) consist of vendors, open source projects, vulnerability researchers, hosted service providers, industry and national CERTs, and bug bounty programs authorized to assign CVE Identifiers (CVE IDs) to newly discovered issues and include the CVE IDs in the first public disclosure of the vulnerabilities.

Contents:

1. Samsung Mobile, Sophos, and WPScan Added as CVE Numbering Authorities (CNAs)

2. Introducing the “We Speak CVE” Podcast!

3. Our CVE Story: Learning to Embrace Recognition and Mitigations of Vulnerabilities as a Strength

4. Ken Munro of Pen Test Partners Joins CVE Board

5. CVE Program Report for Q4 Calendar Year 2020

6. CVE in the News

7. Keeping Up with CVE



Samsung Mobile, Sophos, and WPScan Added as CVE Numbering Authorities (CNAs)

Three additional organizations are now CNAs: (1) Samsung Mobile for Samsung Mobile Galaxy products, personal computers, and related services only; (2) Sophos Limited for Sophos issues only; and (3) WPScan for WordPress core, plugins, and themes.

To date, 152 organizations from 25 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID on the CVE website.

Read on CVE website or share:
https://cve.mitre.org/news/archives/2021/news.html#January132021_Sophos_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2021/news.html#January122021_WPScan_Added_as_CVE_Numbering_Authority_CNA
https://cve.mitre.org/news/archives/2021/news.html#January112021_Samsung_Mobile_Added_as_CVE_Numbering_Authority_CNA


Introducing the “We Speak CVE” Podcast!

Our new “We Speak CVE” podcast will focus on cybersecurity, vulnerability management, and the CVE Program.

In our first-ever episode, Tod Beardsley of Rapid7, Tom Millar of Cybersecurity and Infrastructure Security Agency (CISA), Chris Levendis of the CVE Program, and Dave Waltermire of National Institute of Standards and Technology’s (NIST) U.S. National Vulnerability Database (NVD) discuss how their organizations and the community all work together to advance the CVE Program’s mission to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities.


The podcast is available for free on the CVE website as an MP3 file, on the CVE Program Channel on YouTube, and on major podcast directories (Spotify, Stitcher, etc.).

Please give the podcast a listen and let us know what you think by commenting on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu. We look forward to hearing from you!


Our CVE Story: Learning to Embrace Recognition and Mitigations of Vulnerabilities as a Strength

Guest Author Jonn Perez is a member of both the CVE Outreach and Communications and CNA Coordination Working Groups, and Trend Micro is a CNA.

As a global security company, Trend Micro is definitely not a stranger to offensive vulnerability discovery and disclosure for bugs. Finding a vulnerability, reporting, and writing about it via responsible disclosure is something that we were very familiar with. Every so often, we would even drop an occasional 0-day if a vendor were not serious about addressing a critical security issue.

However, for some reason, whenever the shoe was on the other foot—meaning researchers came to us with possible vulnerabilities in our own technology—our previous inclination was to try and bury the news and hope it wouldn’t get many eyes.

Being an organization with both offensive and defensive vulnerability responsibilities definitely presents unique challenges. One thing that accelerated our need to better organize and handle incoming vulnerabilities was the acquisition of TippingPoint in late 2015, which included the Zero Day Initiative (ZDI), the world’s largest vendor-agnostic bug bounty program. As with TippingPoint’s previous parent (HP), the acquisition of ZDI put a bullseye squarely on the back of Trend Micro, and shortly thereafter we started to see an influx of vulnerabilities reported against several of our products.

Prior to the acquisition, the number of reported vulnerabilities per year was minimal. But one thing that became a constant was that researchers were not only expecting to be formally recognized via attribution in disclosure, they were expecting a CVE ID to be issued.

Interestingly enough, when ZDI was researching and negotiating to become a CVE Numbering Authority (CNA), they asked if Trend Micro would also be interested in potentially becoming a CNA (note: ZDI and Trend Micro act as completely separate entities when it comes to CVE ID assignments and vulnerability disclosure). As you can imagine, even though it was a slam dunk for ZDI to pursue becoming a CNA, it was not as obvious a path for Trend Micro’s vulnerability response team to pursue. From a defensive perspective, there was still a strong belief by some that trying not to draw attention to vulnerabilities via the exposure of issuing more CVE IDs was the way to go. Frankly, in the beginning, I admittedly was also in this camp.

“It’s going to add too much overhead,” “we are going to get a ton of bad press,” and “we are going to experience a huge surge in case volume” were the chorus of initial pushback that was offered up. But as we begrudgingly started to investigate what the steps were to become a CNA and the benefits, a lightbulb went off:

We would be able to not only control our own destiny, but could show our customers and the security industry that we are not afraid of our faults and weaknesses and can learn and grow stronger from them.


Again, because of our experience with offensive research, we know quite well that even with the best of intentions and the best security coding practices—vulnerabilities are a reality of code development. There are always new and novel ways that researchers (and the bad guys) can analyze code and find weaknesses. By owning up to them and being able to resolve them via responsible disclosure, we can much better protect our customers and users by limiting their exposure as best as possible. Because CVE is the de facto standard (e.g., the “common language” of vulnerability disclosures)—we can ensure that we can effectively communicate to our users the need to mitigate and patch.

Once we became a CNA, it wasn’t just a matter of integrating CVEs into our regular disclosure process—that part was pretty straightforward. In the beginning, the whole process of having to do an additional CVE ID submission with a specific format in addition to our regular security bulletins seemed like it was adding extra overhead; but in retrospect, by frontloading the work—meaning ensuring that our own security bulletins used most of the required CVE ID submission information—we were able to improve the quality of our own bulletins as well as streamline the overall disclosure process. CVEs are great in that they can just as easily be used for internal cataloging as well as external disclosure.

A lot of the real value we realized in the program was in the interactions with other CNAs—many of our peers (and competitors), as well as those beyond our own industry. Joining some of the ample workgroups in the CVE Program has allowed us to share ideas and realize that some of the challenges we faced were not unique to us. The combination of the largest companies and smaller ones allows many voices to be heard—as well as the inclusion of vulnerability hunters and research organizations that give us insight into what they are looking for and their struggles with vendors such as ourselves. The CNA program is comprised of an organized group of like-minded security professionals, and it is very easy to contribute to, and gain a lot in return. The experiences not only have improved our overall vulnerability response, but we have been able to apply some of our learnings to enrich our overall proactive secure development processes to stamp out potential issues in early development stages.

As security breaches and exploits become an all-too-common headline in recent days, vulnerability discovery and disclosure are an increasingly important and very visible part of the landscape. Accepting and owning up to flaws, as well as learning from the experiences of mitigating them, allows you to become even stronger and more mature.

Being part of a community such as the CNA program tells your customers and your peers that you are serious about vulnerability management and mitigation, as it helps add extra credibility to your words and actions. Becoming a CNA enabled us to not only continue to learn and grow as an organization, but also gives us the opportunity to show leadership in the security community and industry.

Jonn Perez
Sr. Director, Vulnerability Response (PSIRT) & Global Programs
Trend Micro, Inc.
February 1, 2021

Comments or Questions?

If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu to contact the CVE Program. We look forward to hearing from you!

Read on CVE website or share on Medium:
https://cve.mitre.org/blog/February012021_Our_CVE_Story_Learning_to_Embrace_Recognition_and_Mitigations_of_Vulnerabilities_as_a_Strength.html
https://medium.com/@cve_program/our-cve-story-learning-to-embrace-recognition-and-mitigations-of-vulnerabilities-as-a-strength-4eda79e1f921


Ken Munro of Pen Test Partners Joins CVE Board

The CVE Program is pleased to welcome Ken Munro of Pen Test Partners (PTP) LLP as the newest member of the CVE Board. Ken will provide the Board with a research community perspective and help enhance collaboration between the CVE Program and that community.


About Ken

Ken is a security researcher, partner, and founder of the UK’s largest independent penetration testing firm, PTP. He is a strong advocate of responsible disclosure and manages over 200 vulnerability disclosures per year. Ken regularly blogs on security topics ranging from car hacking to IoT security and vulnerability analysis. With nearly 25 years of experience, he is a lobbyist for the regulation of IoT technology in Europe and has extensive experience working within government and industry in the United States. Ken is active within the security community, most notably in aviation, IoT, and automotive, and co-organized the Aviation and Maritime villages at DEF CON. PTP research on children’s toys and smartwatches has resulted in increased regulation worldwide, notably as the inspiration cited by US Senator Jackson (CA) for California Senate Bill 327, and in the German telecommunications regulator (BNetzA) banning the “My Friend Cayla” doll and various smart tracker watches in Germany. PTP also recently worked closely with the UK Government and law enforcement to debunk fraudulent 5G “diffuser” scams, which market ordinary USB drives as personal protection devices against “dangerous 5G” signals. As demonstrated in his TED Talk, Ken is a captivating speaker who connects with his audience and leaves them feeling included in even the most complex security discussions. He is a regular speaker at events held by industry bodies and associations, including TED, FIRST, DEF CON, and Infosecurity Europe.

About the CVE Board

The CVE Board includes members from numerous cybersecurity-related organizations including commercial security tool vendors, academia, research institutions, government departments and agencies, and other prominent security experts, as well as end-users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE Program.

Comments or Questions?

If you have any questions about this article, please comment on the CVE Blog on Medium or use the CVE Request Web Form and select “Other” from the dropdown menu. We look forward to hearing from you!

Read on CVE website or share on Medium:
https://cve.mitre.org/blog/February122021_Ken_Munro_of_Pen_Test_Partners_Joins_CVE_Board.html
https://medium.com/@cve_program/ken-munro-of-pen-test-partners-joins-cve-board-7529c8198494


CVE Program Report for Q4 Calendar Year 2020

The CVE Program’s quarterly calendar year (CY) summary of program milestones and metrics for Q4 CY 2020 is below.

Q4 CY 2020 Milestones

9 CVE Numbering Authorities (CNAs) Added
Nine new CNAs were added: Coalfire Labs (USA), Cyber Security Works (India), Joomla! Project (USA), LINE (Japan), Logitech (Switzerland), Mitsubishi Electric (Japan), NLnet Labs (Netherlands), Secomea (Denmark), and WhiteSource (USA).

CVE Program Terminology Updated
In December, the CVE Program announced that new terminology would be implemented across the CVE website and on CVE’s social media platforms. The changes, including replacing the term CVE Entry with CVE Record, replacing the term Populated with Published as a state of CVE Records, updating the definition of the term Reserved but Public (RBP), and adding a new Top-Level Root CNA role, among others, were made to optimize CVE content on the website for users and to ensure clear and concise communications with the community.

New CVE Logo Implemented
The new CVE logo, which was chosen by the community in a contest held in 2020, was posted on the main CVE website and social media channels in December.

Three “Our CVE Story” Articles Published on CVE Blog
Published on the CVE Blog in October, “Our CVE Story: CVE IDs for Simplifying Vulnerability Communications” was written by CVE Quality Working Group co-chair Chandan Nandakumaraiah of Palo Alto Networks; published in November, “Our CVE Story: The Gift of CVE” was written by CVE community member GS McNamara of Forcepoint; and published in December, “Our CVE Story: Using the CVE Program to Provide Reliable Vulnerability Information” was written by CVE Outreach and Communications Working Group member Milind Kulkarni of NVIDIA. All three organizations are CNAs. CVE Blog articles are also now co-posted on Medium.

Q4 CY 2020 Metrics

Metrics for Q4 CY 2020 published CVE Records and reserved CVE IDs are included below. Annual metrics are also included in the charts for year-to-year comparisons.

Terminology

  • Published – When a CNA populates the data associated with a CVE ID as a CVE Record, the state of the CVE Record is Published. The associated data must contain an identification number (CVE ID), a prose description, and at least one public reference.
  • Reserved – The initial state for a CVE Record; when the associated CVE ID is Reserved by a CNA.
  • Reserved but Public (RBP) – An RBP is a CVE ID in the “Reserved” state that is referenced in one or more public resources, but for which the details have not been published in a CVE Record.


Published CVE Records
As shown in the table below, CVE Program production was 4,387 CVE Records for Q4 CY 2020. There were 18,395 total CVE Records published in 2020, a 6% increase over 2019, in which 17,309 total CVE Records were published. This includes all CVE Records published by all CNAs.



Comparison of Published CVE Records by Year for All Quarters (figure 1)


Reserved CVE IDs
The CVE Program tracks reserved CVE IDs. As shown in the table below, 11,392 CVE IDs were in the “Reserved” state in Q4 CY 2020. In 2020, there were 30,680 total CVE IDs in the Reserved state, a 21% increase over 2019, in which 24,179 total CVE IDs were in the Reserved state. This includes all CVE IDs reserved by all CNAs.



Comparison of Reserved CVE IDs by Year for All Quarters - All CNAs Year-to-Date Q4 CY 2020 (figure 2)


Finally, the CVE Program also tracks RBPs. As shown in the table below, the number of RBPs decreased 65% (-954) in Q4 CY 2020 compared with the same quarter of the previous year.

Comparison of Reserved but Public (RBP) CVE IDs by Year for All Quarters - All CNAs Year-to-Date Q4 CY 2020 (figure 3)
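As an added illustration of the three record states defined under Terminology above and of the way the metrics in this section tally them, the following Python classifies a handful of constructed records and counts them; it is not CVE Program code, and the CVE ID pattern and the `external_mentions` field are assumptions made for the example.

```python
"""Classify CVE Records by the states the Q4 CY 2020 report defines."""
import re
from dataclasses import dataclass, field

# Assumed ID shape (CVE-<year>-<4 or more digits>); the report does not spell it out.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass
class CveRecord:
    cve_id: str
    description: str = ""
    # Public references carried inside the CVE Record itself.
    references: list = field(default_factory=list)
    # Constructed field for the example: public resources (advisories, posts)
    # that cite the ID while the record is still Reserved.
    external_mentions: int = 0


def record_state(rec: CveRecord) -> str:
    """Return 'Published', 'RBP' or 'Reserved' per the report's terminology."""
    if not CVE_ID_RE.match(rec.cve_id):
        raise ValueError(f"malformed CVE ID: {rec.cve_id!r}")
    # Published needs an ID, a prose description and at least one public reference.
    if rec.description.strip() and len(rec.references) >= 1:
        return "Published"
    # Still Reserved, but already cited publicly: Reserved but Public.
    if rec.external_mentions > 0:
        return "RBP"
    # Initial state: the ID has only been reserved by a CNA.
    return "Reserved"


def state_counts(records) -> dict:
    """Tally records by state, as the quarterly metrics do."""
    counts = {"Published": 0, "Reserved": 0, "RBP": 0}
    for rec in records:
        counts[record_state(rec)] += 1
    return counts


def percent_change(current: int, prior: int) -> int:
    """Whole-percent change against the prior year's total."""
    return round((current - prior) / prior * 100)


# Constructed sample (IDs are placeholders): one record per state, plus one
# that has a description but no reference and therefore stays Reserved.
SAMPLE = [
    CveRecord("CVE-2020-00001", "Overflow in example parser", ["https://example.invalid/adv"]),
    CveRecord("CVE-2020-00002"),
    CveRecord("CVE-2020-00003", external_mentions=2),
    CveRecord("CVE-2020-00004", "Description without any reference"),
]

if __name__ == "__main__":
    print(state_counts(SAMPLE))
    print(percent_change(18395, 17309), "% more records published in 2020 than in 2019")
```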


All CVE IDs Are Assigned by CNAs

All of the CVE IDs cited in the metrics above are assigned by CNAs. CNAs are software vendors, open source projects, coordination centers, bug bounty service providers, hosted services, and research groups authorized by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage. CNAs join the program from a variety of business sectors; there are minimal requirements, and there is no monetary fee or contract to sign.

Currently, 152 organizations from 25 countries are actively participating in the CVE Program as CNAs. Learn how to become a CNA.

Comments or Questions?

If you have any questions about this article, please use the CVE Request Web Form and select “Other” from the dropdown menu.

We look forward to hearing from you, but more importantly, we look forward to your participation in the CVE Program!


CVE in the News

Attackers Exploit Critical Adobe Flaw to Target Windows Users, Threatpost

Users of IoT products from three major vendors at risk of DoS attacks, data leaks, SC Magazine

Millions Of Devices Exposed To DNSpooq Vulnerabilities Allowing DNS Hijacking, Latest Hacking News

Top 10 Open Source Vulnerabilities In 2020, Security Boulevard

Apache Software Foundation Security Report: 2020, Apache Foundation


Keeping Up with CVE


Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Records
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVE Blog on Medium - Medium
We Speak CVE - Podcast
CVEProject - GitHub
CVE Documentation - GitHub
CVE Program Channel - YouTube
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).


Common Vulnerabilities and Exposures (CVE®) is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2021, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.
