Friday, October 29, 2021

CVE Announce - October 29, 2021 (opt-in newsletter from the CVE website)

 

 

 

 

 

 

 

 

 

  1. CVE Has a New Web Address and Website!

  2. Twenty Additional Organizations Added as CVE Numbering Authorities (CNAs)

  3. Our CVE Story: Becoming a CNA from an Industrial Vendor’s View

  4. Our CVE Story: Leading the Way for Vulnerability Disclosures in Physical Security Systems

  5. We Speak CVE Podcast – Three New Episodes!

  6. CVE in the News

  7. Keeping Up with CVE

 

 

CVE Has a New Web Address and Website!

 

Introducing the all-new CVE Program website at its new “CVE.ORG” web address: WWW.CVE.ORG. The new website includes many new features and is optimized for users.

 

This is the first step in transitioning from the old CVE.MITRE.ORG website. The phased quarterly transition process began today and will last for up to one year. During the quarterly transition, new releases of this website will occur every quarter, and the new CVE.ORG website will operate concurrently with the CVE.MITRE.ORG website. Upon completion of the phased transition, the CVE.MITRE.ORG website will be archived and retired.

 

Items moved to this new site will no longer be maintained on the old the website; for example, news, blogs, podcasts, and the list of CVE Numbering Authorities (CNAs). Examples of major items that will temporarily remain on the old CVE.MITRE.ORG site until later in the transition include the CVE List keyword search and the individual CVE List download files. CVE Records will be published on both sites during the transition.

 

Features of the new CVE website include:

 

  • A User-Focused Homepage – visit the homepage for the latest news, events, blogs, and podcasts; to learn about the program and access frequently used resources; for shortcuts to information based upon program role(s); and to start the process of becoming a CVE partner.
  • List of Partners – a new and improved way to find contact, scope, and other information about CNAs, CNA-LRs, Roots, and Top-Level Roots, this page provides direct access to all-new Partner Detail Pages that consolidates each individual partners’ pertinent CVE Program information into a single location. To access a partner’s details page, simply select the partner’s name in the table or use the provided table search feature to find the correct partner by searching for it by name, scope keyword(s), program role, or organization type.
  • Becoming a Partner – learn the benefits and minimal requirements for partnering with the CVE Program and view a walkthrough of the handful of easy steps for becoming a CNA, Root, or Top-Level Root partner.
  • CVE Record Lifecycle – see an overview of how a vulnerability is discovered, then assigned a CVE ID, and published onto the CVE List by a CNA partner.
  • Requesting CVE IDs – learn the step-by-step process for requesting CVE IDs from a CNA partner or a CNA-LR by selecting the orange “Request/Report” button in the upper right-hand corner of every page of the website, or from the “Resources” section of the main menu.
  • Requesting Updates to CVE Records – any updates to a record must be requested from the CNA partner that published the CVE Record; select the orange “Request/Report” button in the upper right-hand corner of every page of the website to learn the step-by-step instructions for determining the correct CNA and locating its contact information.
  • CVE List Search – a CVE ID lookup is conveniently located at the top of every page of the new website; a link to keyword search, which will temporarily remain on the old cve.mitre.org site until later in the transition, is also provided.
  • CVE List Downloads – while the download files will remain on the old cve.mitre.org site until later in the transition, convenient access to those files is provided from the new website.

 

Please take a look around and let us know what you think by commenting on Twitter or LinkedIn, or contact the CVE Program directly by using the CVE Request web form and selecting “Other” from the drop down.

Twenty Additional Organizations Added as CVE Numbering Authorities (CNAs)

 

Twenty additional organizations are now CNAs:

 

  1. ASUSTOR, Inc. for ASUSTOR issues only.
  2. Censys for all Censys products, and vulnerabilities discovered by Censys that are not in another CNA’s scope.
  3. Computer Emergency Response Team of the Republic of Turkey (TR-CERT) for vulnerability assignment related to its vulnerability coordination role.
  4. ForgeRock, Inc. for ForgeRock issues only.
  5. JFrog for all JFrog products (supported products and end-of-life/end-of-service products); vulnerabilities in third-party software discovered by JFrog that are not in another CNA’s scope; and vulnerabilities in third-party software discovered by external researchers and disclosed to JFrog (includes any embedded devices and their associated mobile applications) that are not in another CNA’s scope.
  6. FPT Software Co., Ltd. for all products and services developed and operated by FPT Software, as well as vulnerabilities in third-party software discovered by FPT Software.
  7. Government Technology Agency of Singapore Cyber Security Group (GovTech CSG) for vulnerabilities discovered by GovTech CSG only that are not in another CNA’s scope.
  8. Indian Computer Emergency Response Team (CERT-In) for vulnerability coordination for vulnerabilities in all products reported to CERT-In in accordance with our vulnerability coordination role as a CERT. Vulnerability assignments for vulnerabilities impacting all products designed, developed, and manufactured in India.
  9. LG Electronics for LG Electronics products only.
  10. Okta for Okta issues only.
  11. MediaTek, Inc. for MediaTek product issues only.
  12. M-Files Corporation for all M-Files products only.
  13. NetMotion Software for NetMotion issues only.
  14. Palantir Technologies for Palantir products and technologies only.
  15. Ping Identity Corporation for all Ping Identity products (supported products and end-of-life/end-of-service products), as well as vulnerabilities in third-party software discovered by Ping Identity that are not in another CNA’s scope.
  16. Snow Software for all Snow Software products.
  17. Switzerland National Cyber Security Centre (NCSC) for the Switzerland Government Common Vulnerability Program.
  18. Thales Group for Thales branded products and technologies only.
  19. Western Digital for Western Digital products including WD, SanDisk, SanDisk Professional, G-Technology, and HGST only.
  20. Yugabyte, Inc. for Yugabyte products only.


CNAs are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities.

To date, 197 organizations from 32 countries participate in the CVE Program as CNAs. View the entire list of CNA partners on the new CVE website.

Our CVE Story: Becoming a CNA from an Industrial Vendor’s View

 

Guest author Klaus Lukas is Principal ProductCERT Services at Siemens AG, and Siemens is a CVE Numbering Authority (CNA).

 

Siemens is a global vendor of industrial products, services, and solutions for a broad variety of businesses. Especially in the industrial world, cybersecurity has gained increasingly more relevance for hardware, firmware, and software over the past years. This blog article will tell our story from establishing a company-wide Product Security Incident Response Team (PSIRT) to becoming an industrial CNA.

More than a decade ago, in the earliest days of Siemens ProductCERT, reported vulnerabilities were an exceptional and exciting experience. At that time, vulnerabilities were often an issue of IT and software vendors, but rarely affected industrial vendors like Siemens. The entire Operational Technologies (OT) world was still considering industrial environments as separated infrastructures, where vulnerabilities might not be exploited due to strong firewalls around factories’ infrastructure. In addition, lifetimes of industrial devices were often 20+ years, thus some devices were used over incredible time frames - viewed from an IT perspective. This has fundamentally changed over the last years; digitalization has become not just a buzzword, but now more and more, a reality. OT is now closely connected to external services and networks, and industrial equipment has become powerful devices with major parts in software. Thus, in OT environments, it was vital to adopt widely used software paradigms like vulnerability handling or publishing advisories to make our customers aware of fixed vulnerabilities. Acting as a central PSIRT for all Siemens products, we supported all of our businesses in this changing world, which is a quite challenging task considering the broadness of the Siemens product portfolio and the impressive organizational size of our globally acting company.

 

We started with the publication of our first advisories in 2011 on our ProductCERT web page, where we already used standards like CVE and Common Vulnerability Scoring System (CVSS) to offer valuable vulnerability information to our customers. Unlike the usual way in IT, we published our advisories in PDF format, which could be printed and read by OT staff, and later we also offered other formats like HTML and CVRF. At that initial time, we received most reports via other CERTs, and we saw quite fast, that we needed to obtain our CVE numbers directly from MITRE for practical reasons. Over the years we increased steadily the number of published advisories and became more and more transparent on our fixed vulnerabilities. We became known to the researchers and got more vulnerability reports from them directly. In 2017, we partnered with the CVE Program as a CNA and we were happy that we then were able to have a much easier handling of those CVE number bands, allowing us to increase automation on the advisories as well. At the end of 2018, we introduced our advisory day, and since then all advisories (with some exceptions of a few out-of-band publications) were issued in a regular monthly cycle. This allows our customers to apply all Siemens patches in the same maintenance window as other major software vendors. Considering the variety of our businesses, this was an enormous challenge and was only possible with the great support of our product development teams.

 

With increasingly more software in our industrial devices and with a huge effort in cybersecurity activities within our development departments, the number of published vulnerabilities will raise further on our ongoing transition journey to digitalization. Openness and transparency with vulnerability disclosures increases customer trust, and thus ProductCERT supports this heavily by comprehensive automation of our vulnerability handling and advisory publishing processes as well as by working on easier integration of our advisory information into our customers’ processes like the emerging Common Security Advisory Framework (CSAF) format. In 2021, the Cybersecurity and Infrastructure Security Agency (CISA) was designated a CVE Program Top-Level Root for industrial control systems and medical device vendors, where we fit very well with our product portfolio.

 

The collaboration with the CVE Program in the past decade helped us much to establish the processes and standards on company-scale for providing professional vulnerability handling as a large-scale industrial vendor. Our advisories and contained standards like CVE, CVSS, and Common Weakness Enumeration (CWE™) are now well-known to the cybersecurity community, within Siemens, and are made available to our customers via our published advisories. Our role as an industrial CNA matches perfectly with our digitalization and automation efforts.

Share this article or comment on Medium:
CVE Blog - Our CVE Story: Becoming a CNA from an Industrial Vendor’s View
CVE on Medium - Our CVE Story: Becoming a CNA from an Industrial Vendor’s View

Our CVE Story: Leading the Way for Vulnerability Disclosures in Physical Security Systems

 

Guest author Rob Cowsley is Cyber Security Architect at Gallagher, and Gallagher is the first New Zealand organization to be authorized as a CVE Numbering Authority (CNA).

 

As a responsible global security manufacturer, Gallagher acknowledges that the solutions we produced a decade ago were at the forefront of their time, but as security technology evolves, new vulnerabilities present themselves, and it’s how we manage these vulnerabilities today that matters most.

 

Our continuous improvement mindset, along with a need to streamline and simplify security vulnerability disclosures for the benefit of our customers, inspired our journey to assign CVE IDs to vulnerabilities affecting our product.

 

Prior to becoming an authorized CVE Numbering Authority (CNA), Gallagher actively assigned CVE IDs through the MITRE CNA of Last Resort to ensure identified vulnerabilities across Gallagher’s security solutions were disclosed. Now that we have the authority to publish our own security vulnerabilities through the CVE Program as CVE Records, we can better communicate this important information to our customers. Furthermore, it allows us to raise awareness of the work we are doing to improve the security of physical systems in an industry that can sometimes be wary of publicly disclosing a vulnerability.

 

Each year Gallagher releases two software versions of our security software, Command Centre. As part of this product cycle, we ensure that customers are aware of vulnerabilities from previous versions which have been resolved in new releases. In addition to this, we promptly provide maintenance releases to our customers after every software release to ensure all customers using new software have the latest security patches.

 

Most of our vulnerabilities are found internally through rigorous maintenance and testing. This includes a round of testing conducted by a third-party contractor for every major software release, and from there, they enter a triage process. As the vulnerabilities are being worked on, we look at the potential mitigations and risk involved using CVSS 3.1 to rank the severity of the vulnerability. As a CNA, we release a Security Advisory containing details of any identified vulnerabilities to our customers and list these publicly within a dedicated Security Advisory page on our website. Furthermore, our Responsible Disclosure Policy provides a space for those who wish to report a vulnerability to Gallagher’s internal Security Advisory Committee.

 

Our strong focus on addressing cyber security threats against physical security systems sees us championing efforts towards responsible vulnerability disclosure in market and educating our Channel Partners and customers about the importance of vulnerability publishing. As part of becoming an authorized CNA, our team underwent training for the CVE Program’s CNA processes and the CVE numbering scheme by the MITRE Top-Level Root and we also conducted an education process with our Channel Partners (security integrators).

 

Not only has the CVE Program greatly supported us with streamlining our communications to customers and empowering them to be proactive with their security system, but it has also reinforced our credibility and integrity as a manufacturer by demonstrating a level of maturity and trust as a responsible cyber vendor.

Share this article or comment on Medium:
CVE Blog - Our CVE Story: Leading the Way for Vulnerability Disclosures in Physical Security Systems
CVE on Medium - Our CVE Story: Leading the Way for Vulnerability Disclosures in Physical Security Systems

We Speak CVE Podcast – Three New Episodes!

 

The “We Speak CVE” podcast focuses on cybersecurity, vulnerability management, and the CVE Program.

Listen on YouTube, Buzzsprout, and on major podcast directories such as Spotify, Stitcher, Apple Podcasts, Google Podcasts, among others.

CVE Myths versus Facts (Part 1)

Three CVE Board members provide the truth and facts about the following myths about the CVE Program:

 

Myth #1: The CVE Program is run entirely by the MITRE Corporation
Myth #2: The CVE Program is controlled by software vendors
Myth #3: The CVE Program doesn’t cover enough types of vulnerabilities
Myth #4: The CVE Program is responsible for assigning vulnerability severity scores

 

CVE Working Groups, What They Are and How They Improve CVE

Our eighth episode is all about how community members actively engage in the six CVE Working Groups (WGs) to help improve quality, automation, processes, and other aspects of the CVE Program as it continues to grow and expand.

Managing Modernization and Automation Changes in the CVE Program

Kelly Todd of the CVE Program speaks with Lisa Olson of Microsoft about managing the modernization and automation changes currently underway in the CVE Program.



CVE in the News

 

Apple fixes security feature bypass in macOS (CVE-2021-30892), Help Net Security

 

Apache Web Server Path Traversal and File Disclosure Vulnerability (CVE-2021-41773), Security Boulevard

 

Microsoft asks admins to patch PowerShell to fix WDAC bypass, Bleeping Computer

 

Bug in Popular WinRAR Software Could Let Attackers Hack Your Computer, The Hacker News

 

IBM Patches Nine Security Flaws in IBM I, IT Jungle

 

VMware security warning: Multiple vulnerabilities in vCenter Server could allow remote network access, The Daily Swig

Keeping Up with CVE

 

Follow us for the latest from CVE:

@CVEnew - Twitter feed of the latest CVE Records
@CVEannounce - Twitter feed of news and announcements about CVE
CVE-CWE-CAPEC - LinkedIn showcase page
CVE Blog - CVE main website
CVE Blog on Medium - Medium
We Speak CVE - Podcast
CVEProject - GitHub
CVE Documentation - GitHub
CVE Program Channel - YouTube
CVE Announce Newsletter - Email

If this newsletter was shared with you, subscribe by sending an email message to LMS@mitre.org with the following text in the SUBJECT of the message: “subscribe cve-announce-list” (do not include the quote marks). You may also subscribe on the CVE website at https://cve.mitre.org/news/newsletter.html. To unsubscribe, send an email message to LMS@mitre.org with the following text in the SUBJECT of the message “signoff cve-announce-list” (do not include the quote marks).

 

CVE® is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 2021, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. MITRE maintains CVE and provides impartial technical guidance to the CVE Board, CVE Working Groups, and CVE Numbering Authorities on all matters related to ongoing development of CVE.

 

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)