-
Has CWE Jumped the Shark?
The Common Weakness Enumeration (CWE) is a MITRE run, community-developed list of common software and hardware weaknesses (Wikipedia Page). The project defines a “weakness” as “a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities.” This taxonomy has several uses but they tend to…
-
Reason #283 Why InfoSec Has Failed
For those familiar with my social media, you know that I have frequently said that our industry is failing the commons. InfoSec represents a huge market, companies get paid exorbitant amounts of money, salaries can border on the ridiculous, and the concept of researchers being famous for their work is still alive. Meanwhile, vulnerabilities are…
-
Why Don’t You Fix CVE?
Historically when I pointed out problems in anything, I wasn’t the best at offering solutions. Sometimes I simply had none because the problem was complex and the solutions I came up with were problematic themselves. Other times I had ideas, but they were fairly high-level and abstract and I didn’t want to be like the…
-
CVE Farming – Problem & Solution
Blog Origins In the last year or two, I have increasingly used the term “CVE farming” in conversations and LinkedIn posts [1]. This has led a few people to ask what it meant and I gave a very cliff notes version of the answer. I started taking notes for this blog a while back expecting…
-
MITRE’s Phoning in New CNAs
On December 17, 2024, MITRE announced five new CVE Numbering Authorities (CNA) on their Twitter feed as well as their news page. However, there were actually seven added according to the CNAs page based on tracking it daily. Last year, when I asked about a discrepancy in tracking the CNAs, MITRE promptly replied to clarify.…
-
CISA Weekly Bulletins FOIA Results
Did you know that CISA publishes a weekly bulletin of “new vulnerabilities”, and has for a long time? They tend to have anywhere from 350 up to almost 1,000 vulnerabilities depending on the volume of CVEs published. The bulletins are entirely based on CVE IDs being published, not when the disclosures happened (just like CVE…
-
Don’t Be a CVE Dummy
One of the aspects of vulnerability intelligence is monitoring various public sources for new vulnerabilities, especially ones with a Common Vulnerabilities and Exposures (CVE) ID. These numbers are designed to help communicate details about a specific vulnerability. “Hey, remember that remote code execution in Fortinet in May?” Unfortunately, that isn’t very specific as there were…
-
Was It Really GPAC? (No!) Getting a CVE Removed from CISA KEV
On October 3, 2024, Aquasec published a report about newly discovered malware named “perfctl”, targeting Linux servers. In it they cite the malware taking advantage of misconfigurations, as well as attempting to “exploit the Polkit vulnerability (CVE-2021-4043) to escalate privileges.” Only problem is that CVE-2021-4043 isn’t “the Polkit vulnerability”, which in itself is problematic since…
-
Known Exploited Vulnerabilities (KEV) Thoughts – Part Two
This is part two of my thoughts on Known Exploited Vulnerabilities (KEV), and where it gets a lot more interesting! Please see the first blog before starting here. Automation / Eagerness To Add Reading vulnerability disclosures can be a grueling mission full of frustrations. Poorly written advisories, missing technical details, and errors make the life…
-
Known Exploited Vulnerabilities (KEV) Thoughts – Part One
This is the first of two blogs with my thoughts on Known Exploited Vulnerabilities (KEV) tracking and the challenges that come with tracking them. Introduction On November 03, 2021, Cybersecurity and Infrastructure Security Agency (CISA) announced a Binding Operational Directives (BOD) titled “BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities“. This BOD established…