Category: InfoSec

  • 400 CNAs, Yay?

    Introduction This week, or in the next two, we’re likely to see MITRE heralding the milestone of minting their 400th CVE Numbering Authority (CNA). These are, primarily, organizations that can assign a CVE ID without having to go to MITRE each time to obtain the ID. This is part of what MITRE calls a “federated”…

  • Almost Zero Value in “Zero Progress on Zero-Days”; a Rebuttal

    The following blog is general comments and a rebuttal of sorts to the following paper: “Zero Progress on Zero-Days: How the Last Ten Years Created the Modern Spyware Market” by Mailyn Fidler, Assistant Professor, University of New Hampshire, Franklin Pierce School of Law [Link] Unfortunately, I can’t easily cut and paste from this PDF which…

  • GVD Discussion – Round Two

    Tom Alrich published a blog titled “The Global Vulnerability Database won’t be a “database” at all” on November 10, 2023. In the blog Tom lays out some ideas for how this “database” would operate and the advantages he sees. I didn’t see this blog until early May and posted my “Thoughts on Tom Alrich’s “Global…

  • Two Definitions of Zero Day Apparently

    What is a “zero day vulnerability”? It’s a term that is frequently used in the vulnerability disclosure ecosystem. I have blogged on this topic frequently and reading some of this will give more history and context, so I won’t rehash everything. If you read one blog, make it “No One Will Burn A Zero Day…

  • Thoughts on CISA’s “Vulnrichment” Initiative

    As many in the vulnerability disclosure ecosystem are now aware, the Cybersecurity & Infrastructure Security Agency (CISA), announced a new program called “Vulnrichment” on LinkedIn yesterday. News about the program spread rapidly via news sites and private companies. In this statement and elsewhere, there are definitely some general questions to be asked out loud since…

  • Thoughts on Tom Alrich’s “Global Vulnerability Database”

    Tom Alrich published a blog last year titled “The Global Vulnerability Database won’t be a “database” at all”. It is basically his outline for how to make an international database that many can contribute to, to replace the inadequate CVE / NVD database. He said he welcomes any comments and when it comes to vulnerability…

  • MITRE Got Popped; A Bit of Irony and Perspective

    I know, “don’t kick someone when they are down”, but I have a history of working on a project that catalogs just such incidents. Yesterday, MITRE announced that they had been compromised by a nation-state actor, but didn’t provide much detail. Bleeping Computer reported that the compromise was due to zero-day vulnerabilities in an…

  • A Glimpse Into the CISA KEV

    On March 27, Elizabeth Cardona and Tod Beardsley gave a presentation at VulnCon 2024 about CISA’s KEV, or ‘Known Exploited Vulnerabilities’ list. This initiative was created as a result of BOD 22-01, which is a ‘Binding Operational Directive’ aimed at reducing the risk due to vulnerabilities that are known to be exploited in the wild,…

  • VulnCon: NVD Symposium, Answers, and More Concerns

    Yesterday, at the inaugural VulnCon, Tanya Brewer from the NVD gave a presentation that was listed on the agenda as “NVD Symposium”. At the talk, her slides began with a header “The National Vulnerability Database: Exploring Opportunities”. However, neither the symposium nor the opportunities were the primary topics that most people were interested in.…

  • The Linux CNA – Red Flags Since 2022

    [2/28/2024 Update: A bit more info added at end regarding “almost any bug might exploitable“.] MITRE announced that The Linux Kernel Organization (Kernel.org, hereafter referred to as ‘Linux’) was officially a CVE Numbering Authority (CNA) on February 13, 2024 and via the CVE web site, that their advisories would be posted here. That means they…