What is a CVE? Common Vulnerabilities and Exposures Explained
Common Vulnerabilities and Exposures (CVE) was launched in 1999 by the MITRE corporation to identify and categorize vulnerabilities in software and firmware. CVE provides a free dictionary for organizations to improve their cyber security. MITRE is a nonprofit that operates federally funded research and development centers in the United States.
The Difference: Vulnerabilities vs. Exposures
A vulnerability is a weakness that can be exploited in a cyberattack to gain unauthorized access to or perform unauthorized actions on a computer system. Vulnerabilities can allow attackers to run code, access system memory, install different types of malware and steal, destroy or modify sensitive data.
An exposure is a mistake that gives an attacker access to a system or network. Exposures can lead to data breaches, data leaks, and personally identifiable information (PII) being sold on the dark web.
In fact, some of the biggest data breaches were caused by accidental exposures rather than sophisticated cyber attacks.
What is the Goal of CVE?
The goal of CVE is to make it easier to share information about known vulnerabilities so that cybersecurity strategies can be updated with the latest security flaws and security issue
CVE does this by creating a standardized identifier for a given vulnerability or exposure. CVE identifiers (also called CVE names or CVE numbers) allow security professionals to access information about specific cyber threats across multiple information sources using the same common name.
What is the Common Vulnerability Scoring System (CVSS)?
The Common Vulnerability Scoring System (CVSS) is a set of open standards for assigning a number to a vulnerability to assess its severity. CVSS scores are used by the NVD, CERT and others to assess the impact of a vulnerability.
A CVSS score ranges from 0.0 to 10.0. The higher the number, the greater the severity.
Who Manages CVE?
MITRE maintains the CVE dictionary and CVE website, as well as the CVE Compatibility Program. The CVE Compatibility Program promotes the use of standard CVE identifiers issued by authorized CVE numbering authorities (CNAs).
Who Sponsors CVE?
CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and US-CERT.
What are the Benefits of referring to CVEs?
The CVE database allows organizations to set a baseline for evaluating the coverage of their security tools. CVE’s common identifiers let an organization see what each tool covers and how appropriate each one is for its environment.
Security advisories can reference CVE vulnerability information to search for known attack signatures and remediate critical exploits as part of any digital forensics process.
Look for security tools with CVE compatibility rather than proprietary vulnerability assessments; it’s a simple way to reduce your organization’s cybersecurity risk.
Is CVE a Vulnerability Database?
CVE isn’t a vulnerability database. CVE is designed to allow vulnerability databases and other tools to be linked together. It also facilitates comparisons between security tools and services.
Check out the US National Vulnerability Database (NVD) that uses the CVE list identifiers and includes fix information, scoring and other information.
Does the CVE Database List All Known Vulnerabilities and Exposures?
CVE does not list all known vulnerabilities and exposures. The goal of CVE is to be as comprehensive as possible, but given the scale of vulnerabilities and exposures, it’s likely an impossible task for one system to contain everything.
Can Anyone Use CVE?
Yes, CVE is free to use and publicly accessible. CVE is designed to allow anyone to correlate data between different vulnerabilities, security tools, repositories and services.
Anyone can search, download, copy, redistribute, reference and analyze CVE as long as they don’t modify any information.
What is a CVE Entry?
A CVE entry describes a known vulnerability or exposure.
Each CVE entry contains a standard identifier number with a status indicator (e.g. “CVE-1999-0067”, “CVE-2014-12345”, “CVE-2016-7654321”), a brief description and references to related vulnerability reports and advisories.
Each CVE ID is formatted as CVE-YYYY-NNNN, where NNNN is a sequence number of four or more digits (as the examples above show). The YYYY portion is the year the CVE ID was assigned or the year the vulnerability was made public.
Unlike vulnerability databases, CVE entries do not include risk, impact, fix or other technical information.
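The identifier format above is simple enough to validate mechanically, which matters when CVE IDs are copied between advisories, tickets and scanner output. The following is an added example (not code from the original article or from the CVE program) that parses a single CVE ID, rejects malformed ones such as a three-digit sequence number or a pre-1999 year, and pulls every well-formed ID out of free text while normalizing case and de-duplicating. The advisory text and the helper names (`parse_cve_id`, `extract_cve_ids`, `is_valid_cve_id`) are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# CVE-YYYY-NNNN: a four-digit year and a sequence number of four or more digits.
# The article's own examples span 4, 5 and 7 digits (0067, 12345, 7654321).
CVE_ID_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# CVE was launched in 1999, so no valid identifier carries an earlier year.
FIRST_CVE_YEAR = 1999


@dataclass(frozen=True)
class CveId:
    year: int
    sequence: int

    def __str__(self) -> str:
        # Canonical form: upper-case prefix, sequence zero-padded to at least four digits.
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve_id(text: str) -> CveId:
    """Parse exactly one CVE identifier; raise ValueError on anything malformed."""
    match = CVE_ID_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"not a well-formed CVE identifier: {text!r}")
    year, sequence = int(match.group(1)), int(match.group(2))
    if year < FIRST_CVE_YEAR:
        raise ValueError(f"year {year} predates the CVE program: {text!r}")
    return CveId(year, sequence)


def is_valid_cve_id(text: str) -> bool:
    """Boolean wrapper around parse_cve_id for filtering untrusted input."""
    try:
        parse_cve_id(text)
    except ValueError:
        return False
    return True


def extract_cve_ids(text: str) -> List[str]:
    """Return every well-formed CVE ID mentioned in free text, canonicalized,
    de-duplicated and in order of first appearance."""
    found: List[str] = []
    for match in CVE_ID_RE.finditer(text):
        year, sequence = int(match.group(1)), int(match.group(2))
        if year < FIRST_CVE_YEAR:
            continue  # skip IDs that cannot exist rather than propagate them
        canonical = str(CveId(year, sequence))
        if canonical not in found:
            found.append(canonical)
    return found


# Constructed sample advisory text; the identifiers are taken from the article's
# format examples and the malformed ones are deliberate.
SAMPLE_ADVISORY = """
Fixed CVE-2014-12345 and cve-2016-7654321 in this release.
Also re-lists CVE-2014-12345 (duplicate), CVE-2014-123 (too few digits)
and CVE-1998-0001 (year predates the CVE program).
"""

if __name__ == "__main__":
    print("IDs in advisory:", extract_cve_ids(SAMPLE_ADVISORY))
    for candidate in ("CVE-1999-0067", " cve-1999-0067 ", "CVE-2014-123", "CVE-98-0001"):
        print(f"{candidate!r:20} valid={is_valid_cve_id(candidate)}")
```

Note that `extract_cve_ids` is deliberately forgiving about case and whitespace but strict about shape: a scanner export that truncates a sequence number will be dropped rather than silently mapped to a different vulnerability.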
Can Hackers Use CVE to Attack My Organization?
The short answer is yes, but many cybersecurity professionals believe the benefits of CVE outweigh the risks:
- CVE is restricted to publicly known vulnerabilities and exposures.
- It improves the shareability of vulnerabilities and exposures within the cybersecurity community.
- Organizations need to protect themselves and their networks by fixing all potential vulnerabilities and exposures while an attacker only needs to find a single vulnerability and exploit it to gain unauthorized access. This is why a list of known vulnerabilities is so valuable and an important part of network security.
- The growing agreement within the cybersecurity community to share information is narrowing the attack vectors available to many cyber attacks. This is reflected in widespread acceptance that the CVE Board and CVE Numbering Authorities (CNAs) are key organizations in cybersecurity.
As a concrete example, many believe the ransomware WannaCry, which spread through the EternalBlue vulnerability, would have had less impact if the vulnerability had been publicly shared.
What is the CVE Board?
The CVE Board comprises cybersecurity organizations including security tool vendors, academia, research institutions, government departments and agencies, security experts and end-users of vulnerability information.
The CVE Board provides critical input regarding data sources, product coverage, coverage goals, operating structure and strategic direction of the CVE program.
All CVE Board discussions can be found via their email discussion archives and meeting archives. The CVE Board Charter is also publicly accessible.
What are CNAs?
CVE Numbering Authorities (CNAs) are organizations that assign and distribute CVE IDs to researchers and vendors for inclusion in public announcements of new vulnerabilities. CNAs include software vendors, open source projects, coordination centers, bug bounty service providers and research groups.
CNAs form a federated system that identifies vulnerabilities and assigns them IDs without directly involving MITRE, which is the primary CNA.
Who are CNAs?
There are currently 104 CNAs in 18 countries including many household names like Microsoft, Adobe, Apple, Cisco, Google, Hewlett Packard Enterprise, Huawei, IBM, Intel, Mozilla, Oracle, Red Hat, Siemens, Symantec, VMware, Atlassian, Autodesk, Cloudflare, Elastic, GitHub, Kubernetes, Netflix and Salesforce. You can see the full list of CVE numbering authorities here.
What is a Root CNA?
MITRE serves as the primary CNA, while root CNAs cover a certain area or niche.
In many cases, a root CNA is a major company – like Apple – that publishes vulnerabilities in its own products. In other cases, the root CNA may be focused on open source vulnerabilities.
Where is the Latest Version of the CVE list?
The latest version of the CVE list can always be found on cve.mitre.org. While the CVE list is free, it can be hard to know which vulnerabilities affect your organization without additional tools. This is why many organizations now use tools that monitor for changes in the CVE list that affect them.
New CVE identifiers are added daily. Look for sophisticated tools that automatically monitor your organization and your vendors for vulnerabilities. Managing third-party and fourth-party risks is a fundamental part of information risk management and your information security policy. Make vulnerability management part of your vendor risk management, third-party risk management framework and cyber security risk assessment processes.
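The monitoring described in the two paragraphs above amounts to diffing successive snapshots of the CVE list and filtering the result against your own and your vendors’ products. The following is an added example (not code from the original article or from any CVE tooling) that does exactly that over two constructed snapshots: it reports identifiers that are new, identifiers whose description or references changed (for instance when a fix advisory is attached), and which of those name a product in a constructed inventory. The identifiers (CVE-2099-…), vendor names, URLs and the helper names (`new_entries`, `updated_entries`, `entries_affecting`, `daily_report`) are placeholders invented for this example; real tooling would match on structured product identifiers rather than on description text.

```python
from typing import Dict, List

# Constructed CVE-style records keyed by identifier. Each carries only what a CVE
# entry holds (a description and references), never a score or fix details.
# The CVE-2099-* identifiers and the vendors are placeholders, not real CVEs.
SNAPSHOT_YESTERDAY: Dict[str, dict] = {
    "CVE-2099-0001": {
        "description": "Buffer overflow in ExampleVendor Widget before 2.4 allows remote code execution.",
        "references": ["https://advisories.example.invalid/1"],
    },
    "CVE-2099-0002": {
        "description": "Directory traversal in OtherCo Gateway 5.x.",
        "references": ["https://advisories.example.invalid/2"],
    },
}

SNAPSHOT_TODAY: Dict[str, dict] = {
    **SNAPSHOT_YESTERDAY,
    # Existing entry updated overnight: the vendor's fix advisory was added as a reference.
    "CVE-2099-0002": {
        "description": "Directory traversal in OtherCo Gateway 5.x.",
        "references": [
            "https://advisories.example.invalid/2",
            "https://otherco.example.invalid/fix",
        ],
    },
    # Entries published since yesterday's snapshot.
    "CVE-2099-0003": {
        "description": "Improper authentication in ExampleVendor Widget 2.x.",
        "references": ["https://advisories.example.invalid/3"],
    },
    "CVE-2099-0004": {
        "description": "Denial of service in UnrelatedSoft Player.",
        "references": [],
    },
}

# Constructed inventory of products your organization and its vendors run.
INVENTORY: List[str] = ["ExampleVendor Widget", "OtherCo Gateway"]


def new_entries(old: Dict[str, dict], new: Dict[str, dict]) -> List[str]:
    """Identifiers present in the new snapshot but absent from the old one."""
    return sorted(set(new) - set(old))


def updated_entries(old: Dict[str, dict], new: Dict[str, dict]) -> List[str]:
    """Identifiers in both snapshots whose description or references changed."""
    return sorted(cid for cid in old.keys() & new.keys() if old[cid] != new[cid])


def entries_affecting(entries: Dict[str, dict], products: List[str]) -> Dict[str, List[str]]:
    """Map each inventory product to the identifiers whose description names it
    (case-insensitive substring match; a stand-in for structured product matching)."""
    hits: Dict[str, List[str]] = {}
    for product in products:
        needle = product.lower()
        matched = sorted(
            cid for cid, record in entries.items() if needle in record["description"].lower()
        )
        if matched:
            hits[product] = matched
    return hits


def daily_report(old: Dict[str, dict], new: Dict[str, dict], products: List[str]) -> Dict[str, object]:
    """What a daily monitoring job should flag: new and updated IDs, and the
    subset of those that touch the inventory."""
    added = new_entries(old, new)
    changed = updated_entries(old, new)
    relevant = {cid: new[cid] for cid in added + changed}
    return {
        "new": added,
        "updated": changed,
        "affecting_inventory": entries_affecting(relevant, products),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(daily_report(SNAPSHOT_YESTERDAY, SNAPSHOT_TODAY, INVENTORY), indent=2))
```

The updated-entry check is the part most home-grown scripts omit: a CVE that already existed yesterday can gain a reference to a vendor fix today, and that change is exactly what should trigger a patching ticket.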
How is a Vulnerability or Exposure Added to CVE?
CVEs are added when a researcher finds a flaw or design oversight in software or firmware. The vendor does not have to see it as a vulnerability for it to be listed as a CVE. That said, the researcher may be required to provide evidence of how it could be used as part of an exploit.
The stronger the claim, the more likely it will be added to CVE and the more likely it will have a high Common Vulnerability Scoring System score in vulnerability databases.
Potential CVEs reported by established vendors or other trusted parties will generally be added to the CVE list quickly.