What is Common Vulnerabilities and Exposures (CVE)?
Common Vulnerabilities and Exposures (CVE) is a public reference list of publicly disclosed cybersecurity vulnerabilities. Each entry gets a unique identifier of the form CVE-YYYY-NNNN (four or more digits after the year, for example CVE-2021-44228, the Log4Shell flaw) so that vendors, researchers, scanners, and vulnerability databases can all refer to the same flaw by the same name. The CVE List is maintained by the MITRE Corporation, a nonprofit organization that operates federally funded research and development centers. CVE is sponsored by the U.S. Department of Homeland Security (DHS), originally through its National Cyber Security Division (NCSD) and today through the Cybersecurity and Infrastructure Security Agency (CISA).
In CVE terminology, a vulnerability is a mistake in software that an attacker can use directly to gain unauthorized access to a system or network, for example to execute code, read or modify data, or escalate privileges. Depending on the flaw, this can give the attacker the same level of access as a system administrator or superuser over corporate resources.
An exposure is a software error or configuration mistake that gives an attacker indirect access: it does not compromise the system by itself, but it provides information or capabilities (a disclosed version banner, an enumerable list of accounts, an overly permissive setting) that serve as a stepping stone to a break-in. An exposure can let an attacker lurk in a network and quietly gather sensitive data, user credentials, and customer information.
What Is the Goal of CVE?
CVE’s main goal is to make it easier for organizations to improve their security defenses. It does this by providing a single, free, publicly available dictionary of known software and firmware vulnerabilities, so that one flaw has one agreed-upon name across vendor advisories, scanners, and vulnerability databases instead of a different name in each tool.
Benefits of CVE
A typical CVE use case presents organizations with many benefits, both in terms of using and selling CVE-compatible products and services.
Benefits of Using CVE-compatible Product and Services
Organizations that adopt and deploy CVE-compatible products and services get tooling that speaks a common vulnerability vocabulary, which lets security and IT operations (SecOps) teams correlate findings across tools and improve their organizations’ security posture. The key benefits include:
- The knowledge that products and services are trusted, capable of protecting the enterprise, and interoperable
- The ability to check whether compatible products have been examined for specific security issues
- Alerts from software vendors, keyed to CVE IDs, that let customers verify whether the necessary updates have been installed and the correct fixes applied
- The ability to compare the coverage of tools and services with CVE names
Benefits of Making Your Products and Services CVE-compatible
Making products and services CVE-compatible also offers multiple benefits, such as:
- Providing interoperability between products and services
- Signifying that an organization provides community standards that benefit customers
- Gaining an advantage over competitors
- Increasing return on investment (ROI) by focusing on the advanced aspects of a product
- Enabling customers to verify that correct fixes and updates have been applied
- 60,000+ CVE names and data are available to download and use for free from the CVE list
- Placing the CVE-compatible logo on websites and product packaging provides a purchase incentive for customers
How Does the CVE System Work?
The CVE List and the system around it are maintained by the MITRE Corporation. They provide a standardized method for identifying known security vulnerabilities and exposures. CVE is designed to allow security tools and services to be compared and vulnerability databases to be cross-referenced. Its standard IDs let security admins quickly find information about a specific flaw wherever it is discussed.
Importantly, a CVE record contains only the standard identifier, a status indicator (such as RESERVED, PUBLISHED, or REJECTED), a brief description, and references to advisories and reports. It does not contain detailed technical information about the flaw, its fixes, or its impact, and it does not carry a severity score. Those details and enrichments (CVSS scores, affected-platform identifiers, weakness classifications) are provided by databases that build on CVE, such as the National Vulnerability Database (NVD) and the CERT Coordination Center (CERT/CC) Vulnerability Notes Database (VND).
What Qualifies for a CVE?
CVE IDs are assigned to security flaws that meet three criteria.
Independently Fixable
The flaw must be fixable independently of any other identified bug. If two problems can only be fixed together, they are treated as a single CVE; if each can be fixed on its own, each gets its own CVE.
Acknowledged by the Affected Vendor OR Documented
Either the affected vendor acknowledges that the flaw exists and has a negative impact on security, or the reporter documents the flaw in a way that demonstrates its negative impact and shows that it violates the security policy of the affected system.
Affecting One Codebase
A flaw that affects more than one product or codebase gets a separate CVE for each affected codebase. The exception is shared code: a flaw in a shared library, protocol, or standard gets a single CVE when there is no way to use the shared code without being vulnerable. If each product has its own implementation that can be vulnerable independently, each implementation gets its own CVE.
How Is a Vulnerability or Exposure Added to CVE?
CVE identifiers are assigned by CVE Numbering Authorities (CNAs): software vendors, open source projects, research organizations, bug bounty programs, and CERTs that have been authorized to assign IDs for products within their defined scope. There are hundreds of CNAs, and MITRE also acts as the top-level root CNA and as the CNA of last resort for anything not covered by another CNA.
CVE reports come from various sources: a researcher, the vendor, or a user who discovers a flaw. Information about the flaw is sent to the appropriate CNA, which reserves a CVE ID, writes a brief description with references, and publishes the record on the CVE website. Until it is published, the ID remains in the RESERVED state, which is why an advisory can cite a CVE ID before any details appear in the list. Vendors often keep discovered flaws private until a fix has been developed and tested, to reduce the window in which attackers can exploit them.
Common Vulnerability Scoring System and Its Takeaways
Vulnerability severity can be evaluated in several ways. The most common is the Common Vulnerability Scoring System (CVSS), an open standard maintained by the Forum of Incident Response and Security Teams (FIRST). CVSS derives a base score from 0.0 to 10.0 from a vector of metrics: attack vector, attack complexity, privileges required, user interaction, scope, and the impact on confidentiality, integrity, and availability. The score is mapped to a qualitative rating (None, Low, Medium, High, Critical). CVSS scores are published by NVD and VND rather than in the CVE record itself, and some security vendors have created their own rating systems. A base score measures the intrinsic severity of the flaw, not the risk to a particular organization, which also depends on exposure, compensating controls, and whether the flaw is actually being exploited.
Here are three key takeaways when it comes to CVE:
Know Your Deployments
The existence of a CVE does not necessarily mean it applies to an organization’s deployment. Each CVE should be read and validated against the applications, configurations, modules, versions, and operating systems actually present in the organization’s environment: the affected product and version range in the record must match what is installed, and a flaw in a feature that is not enabled may not be reachable at all.
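The following added example shows the version-range check in code. It is written for this page and is not code from the original article or from Fortinet or MITRE. It assumes a record shaped like the CVE JSON 5.x format (`cveMetadata.cveId` plus `containers.cna.affected[].versions[]`, where `version` is the inclusive start of a range and `lessThan` its exclusive end); the record, the vendor and product names, the host inventory, and the placeholder ID CVE-2099-0001 are all constructed for illustration and do not describe a real vulnerability. Version comparison assumes dotted numeric versions; real records also use other `versionType` values (git commits, custom schemes) that would need their own comparator.

```python
"""Does this CVE record apply to what we actually run?

Added example for this page; not part of the original article. Parses a record shaped
like the CVE JSON 5.x format and matches its affected ranges against a local inventory.
"""
import json
import re

# CVE ID syntax: "CVE-" + four-digit year + at least four digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample record (NOT a real CVE); vendor, product and ID are placeholders.
SAMPLE_RECORD = json.dumps({
    "cveMetadata": {"cveId": "CVE-2099-0001", "state": "PUBLISHED"},
    "containers": {"cna": {
        "descriptions": [{"lang": "en",
                          "value": "Constructed example: out-of-bounds read in the "
                                   "request parser of example-server."}],
        "affected": [{
            "vendor": "example", "product": "example-server",
            "versions": [
                # Two affected branches, each fixed at a different point release.
                {"version": "2.0.0", "status": "affected", "versionType": "semver", "lessThan": "2.4.3"},
                {"version": "3.0.0", "status": "affected", "versionType": "semver", "lessThan": "3.1.1"},
                # 1.x never contained the vulnerable parser.
                {"version": "1.0.0", "status": "unaffected", "versionType": "semver", "lessThan": "2.0.0"},
            ],
        }],
    }},
})

# Constructed inventory: host -> (vendor, product, installed version).
INVENTORY = {
    "web-01": ("example", "example-server", "2.4.2"),      # inside the 2.x affected range
    "web-02": ("example", "example-server", "2.4.3"),      # first fixed 2.x release
    "web-03": ("example", "example-server", "1.9.0"),      # unaffected branch
    "app-01": ("example", "example-server", "3.0.5"),      # inside the 3.x affected range
    "db-01":  ("othervendor", "example-server", "2.4.2"),  # same product name, different codebase
}


def parse_version(v):
    """Dotted numeric version -> tuple, so that 2.10.0 > 2.9.0 compares correctly."""
    return tuple(int(x) for x in v.split("."))


def version_in_range(installed, entry):
    """True if `installed` falls within a CVE 5.x versions[] entry."""
    inst = parse_version(installed)
    lo = parse_version(entry["version"])
    if inst < lo:
        return False
    if "lessThan" in entry:
        return inst < parse_version(entry["lessThan"])
    if "lessThanOrEqual" in entry:
        return inst <= parse_version(entry["lessThanOrEqual"])
    return inst == lo  # entry names a single version, not a range


def affected_entries(record, vendor, product, installed):
    """Affected-range entries that match an installed (vendor, product, version)."""
    hits = []
    for aff in record["containers"]["cna"]["affected"]:
        if aff["vendor"].lower() != vendor.lower() or aff["product"].lower() != product.lower():
            continue
        for entry in aff.get("versions", []):
            if entry.get("status") == "affected" and version_in_range(installed, entry):
                hits.append(entry)
    return hits


def applicable(record_json, inventory):
    """Return (cve_id, {host: True/False}) for every host in the inventory."""
    record = json.loads(record_json)
    cve_id = record["cveMetadata"]["cveId"]
    if not CVE_ID_RE.match(cve_id):
        raise ValueError(f"malformed CVE ID: {cve_id}")
    return cve_id, {host: bool(affected_entries(record, *spec))
                    for host, spec in inventory.items()}


if __name__ == "__main__":
    cve_id, results = applicable(SAMPLE_RECORD, INVENTORY)
    for host, hit in results.items():
        print(f"{cve_id} {host}: {'AFFECTED' if hit else 'not affected'}")
```

Note that `db-01` is not flagged even though the product name matches: per the "one codebase" rule above, a different vendor's product with the same name is a different codebase and would have its own CVE if it shared the flaw. In practice this matching is done against CPE identifiers from NVD or an SBOM rather than free-text vendor and product strings, but the version-range logic is the same.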
Practice Vulnerability Management
Organizations need a continuous vulnerability management process: identifying, classifying, prioritizing, mitigating, and patching vulnerabilities. Tracking CVEs against the asset inventory is what turns a public list of flaws into an understanding of which risks actually apply to the organization and which ones to address first.
Be Ready To Communicate
CVEs affect an organization’s systems twice: through the vulnerability itself, and through the downtime needed to identify, fix, and remediate it. Organizations should communicate with their internal customers about planned patching and share newly applicable vulnerabilities with their risk management teams and functions.
How Fortinet Can Help
The FortiGate next-generation firewalls (NGFWs) allow organizations to discover known vulnerabilities and emerging flaws in their systems and networks. FortiGate does this by filtering network traffic to protect against internal and external threats, as well as through features like packet filtering, Internet Protocol security (IPsec), network monitoring, and Internet Protocol (IP) mapping.
Fortinet NGFWs also feature advanced network inspection capabilities, which enable organizations to identify and block threats. Further, they enable organizations to evolve their security defenses in line with the threat landscape, helping them protect their networks even as new threats appear.
Fortinet Product Security Incident Response Team (PSIRT) Monthly Advisories.