The Common Vulnerabilities and Exposures system provides a reference-method for publicly known information-security vulnerabilities and exposures.
The system is maintained by the nonprofit organization MITRE, funded by NCSD, and was officially launched in 1999. In this article, we explain what it is all about.
Before the CVE system, communication about security vulnerabilities was difficult. “The security issue in Windows” could refer to hundreds of individual bugs. Trying to narrow down the exact bug by adding the subsystem was not sufficient.
To improve communication and avoid misunderstandings a vendor-neutral and uniform system for the management of vulnerabilities was required.
In 1999, this consistent numbering system for vulnerabilities was introduced: the CVE (Common Vulnerabilities and Exposures) system, which has since become the industry standard.
Vulnerabilities and Exposures
Vulnerabilities are weaknesses in a software or system that can be used to gain unauthorized access or perform unauthorized actions on a computer system. Exposures are caused by vulnerabilities and misconfiguration and can be actively exploited in cyber attacks.
Naming Scheme
The IDs in the CVE system follow the format CVE-YYYY-NNNNN. The pattern is familiar to everyone who has dealt with vulnerabilities and describe the specific issue with a software. Software updates refer to the CVE number to explain what is addressed in the update.
The initial CVE is always followed by the year YYYY in which the number was assigned to the vulnerability.
The last part of the ID was limited to four digits when the system was introduced but the 9999 unique IDs per year were insufficient. Since 2014 there is no limit and the length is defined by the demand of the respective calendar year.
Allocation
The uniform syntax of the CVE system was the first step to find a common ground for vulnerabilities. But to prevent IDs from being created and assigned in an uncontrolled manner, only certain organizations and persons, so-called CVE Numbering Authorities (CNAs), have the authority to assign an ID to a specific vulnerability.
There are three types of CNA entities:
- The MITRE itself functions as the primary CNA
- Various vendors assign CVE numbers for their products (e.g. Microsoft, Oracle, Google, etc.)
- Third-party coordinators such as CERT may assign CVE numbers for products not covered by other CNAs
Independent researchers who discover a vulnerability and want to report it will find the relevant contact point in the CNA overview on MITRE’s website.
Once a new vulnerability is reported, the CNA will reserve an ID and enter it into the MITRE maintained CVE list. Once the vulnerability is confirmed and a detailed description is provided, the CVE is officially assigned.
Additional Information and Scoring
The National Vulnerability Database (NVD) is an independent project launched in 2005 by the National Institute of Standards and Technology (NIST) and uses MITRE’s CVE list, but adds additional information to the rather brief descriptions, such as security risks or available updates.
For the infamous Heartbleed CVE for example, the NVD description provides information on how to fix it and a list of affected software versions.
One of the most important data the NVD provides is the so-called Common Vulnerability Scoring System (CVSS). Based on the path of attack and the complexity of the exploit, a scoring level from “Low” to “Critical” is assigned to each CVE.
Recap
CVE is free to use and publicly available to anyone interested in correlating data between different vulnerability or security tools, repositories, and services. Attackers only need to find a single vulnerability to gain unauthorized access to a system. Therefore, organizations need to protect themselves by swiftly addressing known vulnerabilities and exposures.
The CVE system provides the necessary infrastructure to match any software inventory against known weaknesses and the ID serves as the consistent identification characteristic for such vulnerability.