Sunday, June 13, 2021

CVE Announce - June 13, 2021 (opt-in newsletter from the CVE website)

 

1. NOTICE: CVE List Content Updates Unavailable from 6:00am-11:00pm (EDT) on June 14

2. Wordfence Added as CVE Numbering Authority (CNA)

3. Our CVE Story: From Robot Security Research to Managing Robot Vulnerabilities

4. CVE Global Summit – Spring 2021

5. Keeping Up with CVE

 

 

NOTICE: CVE List Content Updates Unavailable from 6:00am-11:00pm (EDT) on June 14


The CVE Program is upgrading the infrastructure used to add CVE List content to the CVE website. As a result, from 6:00 a.m. through 11:00 p.m. (EDT) on June 14, 2021, any data that is updated daily or on a periodic basis (e.g., CVE List, @CVEnew tweets, download files) will not be updated. Normal operations are scheduled to resume on June 14, 2021 at 11:00 p.m. (EDT).

Previously published CVE List content on the CVE website will remain accessible, as will all other website content, during the upgrades. In addition, submissions via the CVE Request Web Form and GitHub (CVE Numbering Authorities (CNAs)-only) may still be made during this time but will be processed once the upgrade is completed. We apologize for any inconvenience. Please contact us with any comments or concerns.

This announcement was also posted to Twitter and LinkedIn.

Read on the CVE website or share:
NOTICE: CVE List Content Updates Unavailable from 6:00am-11:00pm (EDT) on June 14

 

Wordfence Added as CVE Numbering Authority (CNA)

 

Wordfence is now a CVE Numbering Authority (CNA) for WordPress Plugins, Themes, and Core Vulnerabilities discovered by, or reported to, the Wordfence/Defiant team. In addition, Wordfence’s Root is the MITRE Top-Level Root.

To date, 170 organizations from 28 countries participate in the CVE Program as CNAs. CNAs are organizations from around the world that are authorized to assign CVE Identifiers (CVE IDs) to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To request a CVE ID number from a CNA, visit Request a CVE ID.


Read their announcement articles on the CVE website or share:
Wordfence Added as CVE Numbering Authority (CNA)

 

Our CVE Story: From Robot Security Research to Managing Robot Vulnerabilities

 

Guest author Endika Gil-Uriarte is Chief Strategy Officer (CSO) at Alias Robotics, and Alias Robotics is a CNA.


Robots are becoming mainstream. We see robots every day in our daily lives. The systems that used to be found only in industrial environments are rapidly evolving to professional and consumer-related environments. The latest industrial robotics technologies have evolved faster than ever, and cybersecurity has not been at the core. The advent of the Internet of Things (IoT), industry 4.0, and its connectivity have changed the game forever.

Alias Robotics is a robot cybersecurity company founded in 2018. The company is composed of a team of robotics and cybersecurity experts who created RIS, the Robot Immune System. RIS is an Endpoint Protection Platform that protects robots against malware.

Alias Robotics became a CVE Numbering Authority (CNA) in February 2020. Since then, more than 30 CVE IDs have been issued and referenced, and all of them affect robots or robotic components. Most of the reported vulnerabilities were found during our internal security research. Robot security is a relatively new niche of cybersecurity; therefore, Alias Robotics collaborates with different robot cybersecurity researchers on discovering, providing triage, and certifying vulnerabilities. We also have an email address for those security researchers who wish to send us their findings. We want to encourage a robot security community that runs away from the paradigm of “security by obscurity.”

In case there is a novel robot vulnerability, we differentiate between our discoveries and those reported to us by researchers. In the first case, Alias Robotics is continuously looking for robot security vulnerabilities in client-related projects, and most of our work must remain private due to the confidentiality we owe our clients.

If our team finds a vulnerability on a non-confidential project, we immediately report it (via a secure channel) to the robot manufacturer so they can fix it. When the manufacturer responds and acknowledges it, we typically make it public after 90 days in the Robot Vulnerability Database (RVD), aiming for full transparency in the security process and also incentivizing prompt fixing of issues. Sadly, this is not always the case.

When a third-party researcher reports a vulnerability to us, we assign a CVE ID, and the issue is triaged. Once our team verifies the report and ensures its reliability and reproducibility, we publish the CVE Record for the vulnerability.

At Alias Robotics, we are now working on opening new collaborations to report more vulnerabilities and work on solving them.

Endika Gil-Uriarte
Chief Strategy Officer
Alias Robotics

Read on CVE website or share on Medium:
Our CVE Story: From Robot Security Research to Managing Robot Vulnerabilities, CVE Blog
Our CVE Story: From Robot Security Research to Managing Robot Vulnerabilities, Medium

 

CVE Global Summit – Spring 2021

 

Members of the CVE community recently gathered together virtually for the “CVE Global Summit – Spring 2021” to discuss CVE and cybersecurity, best practices, lessons learned, new opportunities, and more.

The CVE Program holds global summits twice per year, in the spring and fall. Summit participants include representatives from CVE Numbering Authorities (CNAs), CVE Board members, and CVE Working Group participants. Members of the wider cybersecurity community are welcome to participate by requesting to join one or more of these three CVE Working Groups—Automation, Outreach and Communications, and Quality—to help shape CVE work flow and other processes, as well as to attend future global summits.

A Collaborative Community Event Focused on Improving CVE


The summit is a way for the community to regularly collaborate on specific topics in a focused manner. Discussions are always informative, and many sessions result in lively and interesting discussion among community members. Sessions focused on lessons learned benefit CNAs and all community members by providing useful takeaways, while sessions focused on real-world challenges often result in creative recommendations from community members that directly impact and enhance the CVE Program.

Topics the community discussed at the “CVE Global Summit – Spring 2021” included:

Day 1

 

Day 2

  • How Red Hat operates as a CNA
  • CVE JSON Schema Version 5.0
  • NIS2 and CVE
  • Inside the Apache CNA and How We Handle Over 300 Subprojects
  • CWE, CAPEC, and ATT&CK Updates
  • Considering CVEs for Malware
  • Relationships Between CVE IDs and Vulnerability Abstraction


We thank everyone who participated in this two-day virtual event.

Interested in Joining the CVE Community?

 

You can become a member of the CVE community by joining a Working Group or by encouraging your organization to partner with the CVE Program as a CNA. CVE Working Groups that welcome members of the general public include Automation (AWG), Outreach and Communications (OCWG), and Quality (QWG).

 

To start the process, please use the CVE Request Web Form and select “Other” from the dropdown menu to express how you would like to be involved. We look forward to hearing from you!

 

Read on CVE website or share on Medium:
CVE Global Summit – Spring 2021, CVE Blog
CVE Global Summit — Spring 2021, Medium

 

 

Keeping Up with CVE


Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Records
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVE Blog on Medium - Medium
We Speak CVE - Podcast
CVEProject - GitHub
CVE Documentation - GitHub
CVE Program Channel - YouTube
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “signoff cve-announce-list” (do not include the quote marks).

 

CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2021, The MITRE Corporation. CVE is a registered trademark, and the CVE logo is a trademark, of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to
