Common Vulnerabilities and Exposures (CVE)
r. Jyoti Lakhani

A list of publicly disclosed information security vulnerabilities and exposures.

CVE was launched in 1999 by the MITRE Corporation to identify and categorize vulnerabilities in software and firmware.

CVE provides a free dictionary that organizations can use to improve their cyber security.

MITRE is a nonprofit that operates federally funded research and development centers in the United States.
Vulnerability

A vulnerability is a weakness that can be exploited in a cyber attack to gain unauthorized access to, or perform unauthorized actions on, a computer system. Vulnerabilities can allow attackers to run code, access system memory, install different types of malware, and steal, destroy or modify sensitive data.
Exposure

An exposure is a mistake that gives an attacker access to a system or network. Exposures can lead to data breaches, data leaks and personally identifiable information (PII) being sold on the dark web. In fact, some of the biggest data breaches were caused by accidental exposure rather than sophisticated cyber attacks.
Goal of CVE

The goal of CVE is to make it easier to share information about known vulnerabilities across organizations.

CVE does this by creating a standardized identifier for a given vulnerability or exposure. CVE identifiers (CVE names) allow security professionals to look up information about a specific cyber threat across multiple information sources using the same common name.
Benefits of CVE

CVE allows organizations to set a baseline for evaluating the coverage of their security tools. CVE's common identifiers let an organization see which vulnerabilities each tool covers and how appropriate the tool is for that organization.

Security tools that scan for vulnerabilities and check for threats can use CVE information to search for known attack signatures and identify particular vulnerability exploits as part of a digital forensics process.

Look for security tools with CVE compatibility rather than proprietary vulnerability assessments; it is a simple way to reduce your organization's cyber security risk.
Who manages CVE?

MITRE maintains the CVE dictionary and CVE website, as well as the CVE Compatibility Program. The CVE Compatibility Program promotes the use of standard CVE identifiers issued by authorized CVE Numbering Authorities (CNAs).

Who sponsors CVE?

CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and US-CERT.
Can anyone use CVE?

Yes, CVE is free to use and publicly accessible. CVE is designed to allow anyone to correlate data between different vulnerabilities, security tools, repositories and services.

Anyone can search, download, copy, redistribute, reference and analyze CVE as long as they don't modify any information.
What is a CVE entry?

A CVE entry describes a known vulnerability or exposure.

Each CVE entry contains a standard identifier with a status indicator (e.g. "CVE-1999-0067", "CVE-2014-12345", "CVE-2016-7654321"), a brief description, and references to related vulnerability reports and advisories.

Each CVE ID is formatted as CVE-YYYY-NNNN. The YYYY portion is the year the CVE ID was assigned or the year the vulnerability was made public. The NNNN portion is a sequence number of at least four digits; since 2014 it can be longer, as the five- and seven-digit examples above show.

Unlike vulnerability databases, CVE entries do not include risk, impact, fix or other technical information.
Is CVE a vulnerability database?

CVE isn't a vulnerability database. CVE is designed to allow vulnerability databases and other tools to be linked together. It also facilitates comparisons between security tools and services.

Check out the US National Vulnerability Database (NVD), which uses the CVE list identifiers and adds fix information, scoring and other information.
Can hackers use CVE to attack my organization?

The short answer is yes, but many cybersecurity professionals believe the benefits of CVE outweigh the risks:

CVE is restricted to publicly known vulnerabilities and exposures.

It improves the sharing of vulnerability and exposure information within the cybersecurity community.

Organizations need to protect themselves and their networks by fixing all potential vulnerabilities and exposures, while an attacker only needs to find and exploit a single vulnerability to gain unauthorized access. This is why a list of known vulnerabilities is so valuable and such an important part of network security.

The growing agreement in the cybersecurity community to share information is reducing the attack surface available to many cyber attacks. This is reflected in the widespread acceptance that the CVE Board and CVE Numbering Authorities (CNAs) are key organizations in cybersecurity.

As a concrete example, many believe the WannaCry ransomware, which spread through the EternalBlue exploit, would have had less impact if the

What is the CVE Board?

The CVE Board is comprised of cyber security organizations including security tool vendors, academia, research institutions, government departments and agencies, security experts and end-users of vulnerability information.

The CVE Board provides critical input regarding data sources, product coverage, coverage goals, operating structure and strategic direction of the CVE program.

All CVE Board discussions can be found via its email discussion archives and meeting archives. The CVE Board Charter is also publicly accessible.
What are CNAs?

CVE Numbering Authorities (CNAs) are organizations that assign and distribute CVE IDs to researchers and vendors for inclusion in public announcements of new vulnerabilities. CNAs include software vendors, open source projects, coordination centers, bug bounty service providers and research groups.

CNAs form a federated system that identifies vulnerabilities and assigns them IDs without directly involving MITRE, which is the primary CNA.
Who are CNAs?

There are currently 104 CNAs in 18 countries, including many household names like Microsoft, Adobe, Apple, Cisco, Google, Hewlett Packard Enterprise, Huawei, IBM, Intel, Mozilla, Oracle, Red Hat, Siemens, Symantec, VMware, Atlassian, Autodesk, Cloudflare, Elastic, GitHub, Kubernetes, Netflix and Salesforce.

What is a root CNA?

MITRE serves as the primary CNA, while root CNAs cover a certain area or niche and coordinate the CNAs within that scope. In many cases the scope is a major vendor's own products, for example Apple publishing CVEs for its products; in other cases the root CNA may be focused on open source vulnerabilities.
Where is the latest version of the CVE list?

The latest version of the CVE list can always be found on cve.mitre.org. While the CVE list is free, it can be hard to know which vulnerabilities affect your organization without additional tools. This is why many organizations now use tools that monitor for changes in the CVE list that affect them.

New CVE identifiers are added daily.

Look for tools that automatically monitor you and your vendors for vulnerabilities. Managing third-party and fourth-party risk is a fundamental part of information risk management and your information security policy. Make vulnerability management part of your vendor risk management, third-party risk management framework and cyber security risk assessment processes.
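As an added example (not part of the original slides), the following Python code does two things the sections above describe: it checks that a string is a well-formed CVE ID in the CVE-YYYY-NNNN form with a sequence part of four or more digits, and it filters a feed of CVE records against an asset inventory so that only the entries affecting that inventory are reported, which is the core of the monitoring tools mentioned above. The record layout, the vendor and product names and the sample IDs are constructed for illustration; they are not the official CVE JSON format or real entries.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CVE-YYYY-NNNN: a four-digit year, then a sequence number of four or more
# digits (since 2014 the sequence part is no longer limited to four digits).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_cve_id(cve_id: str) -> Tuple[int, int]:
    """Return (year, sequence) for a well-formed CVE ID; raise ValueError otherwise."""
    match = CVE_ID_RE.match(cve_id.strip().upper())
    if match is None:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(match.group(1)), int(match.group(2))


def version_key(version: str) -> Tuple[int, ...]:
    """Map '1.10.2' to (1, 10, 2) so that 1.10 sorts after 1.9 (a string compare would not)."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class CveRecord:
    # Simplified, constructed record shape for this example (not the CVE JSON schema).
    cve_id: str
    vendor: str
    product: str
    first_affected: str       # inclusive lower bound of affected versions
    fixed_in: Optional[str]   # exclusive upper bound; None means no fix published yet
    description: str


@dataclass(frozen=True)
class Asset:
    host: str
    vendor: str
    product: str
    version: str


def affects(record: CveRecord, asset: Asset) -> bool:
    """True if the asset's product and version fall inside the record's affected range."""
    if (record.vendor, record.product) != (asset.vendor, asset.product):
        return False
    installed = version_key(asset.version)
    if installed < version_key(record.first_affected):
        return False
    return record.fixed_in is None or installed < version_key(record.fixed_in)


def matching_cves(records: List[CveRecord], assets: List[Asset]) -> List[Tuple[str, str]]:
    """Return (host, cve_id) pairs for every record that affects an asset.

    Every record ID is validated first, so a malformed entry in the feed is
    rejected instead of being silently skipped. Output is sorted by host, then
    by (year, sequence), so CVE-2014-12345 sorts after CVE-2014-9999."""
    for record in records:
        parse_cve_id(record.cve_id)
    hits = [(asset.host, record.cve_id)
            for asset in assets for record in records if affects(record, asset)]
    return sorted(hits, key=lambda hit: (hit[0], parse_cve_id(hit[1])))


# Constructed sample feed and inventory (placeholder IDs, vendor and products).
SAMPLE_RECORDS = [
    CveRecord("CVE-2014-12345", "exampleco", "webd", "1.0", "1.5",
              "constructed: remote code execution in the request parser"),
    CveRecord("CVE-2016-7654321", "exampleco", "webd", "1.5", "1.6.2",
              "constructed: authentication bypass"),
    CveRecord("CVE-2020-1234567", "exampleco", "agent", "3.0", None,
              "constructed: local privilege escalation, no fix published"),
]
SAMPLE_ASSETS = [
    Asset("web-01", "exampleco", "webd", "1.6.0"),   # inside the second record's range
    Asset("web-02", "exampleco", "webd", "1.6.2"),   # already at the fixed version
    Asset("db-01", "exampleco", "agent", "3.2"),     # affected, and no fix exists
    Asset("db-02", "exampleco", "agent", "2.9"),     # older than the first affected version
]

if __name__ == "__main__":
    for host, cve_id in matching_cves(SAMPLE_RECORDS, SAMPLE_ASSETS):
        print(f"{host}: {cve_id}")
```

Two details matter in practice: versions must be compared numerically rather than as strings (otherwise "1.10" sorts before "1.9" and a vulnerable host is missed), and a record with no fixed version must still match, since "no fix yet" is exactly the case the monitoring is for.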


How is a vulnerability or exposure added to CVE?

CVEs are added when a researcher finds a flaw or design oversight in software or firmware. The vendor does not have to agree that it is a vulnerability for it to be listed as a CVE. That said, the researcher may be required to provide evidence of how it could be used as part of an exploit.

The stronger the evidence, the more likely the entry is to be added to CVE; the CVSS score that vulnerability databases later assign reflects the demonstrated impact rather than the strength of the claim.

Potential CVEs reported by established vendors or other trusted parties will generally be added to the CVE list quickly.
Does CVE list all known vulnerabilities and exposures?

CVE does not list all known vulnerabilities and exposures. The goal of CVE is to be comprehensive, but given the scale of vulnerabilities and exposures it is likely an impossible task for one system to contain everything.

What is the Common Vulnerability Scoring System (CVSS)?

The Common Vulnerability Scoring System (CVSS) is an open standard for assigning a number to a vulnerability to express its severity. CVSS scores are used by the NVD, CERT, UpGuard and others to assess the impact of a vulnerability.

CVSS scores range from 0.0 to 10.0. The higher the number, the higher the severity.