Tag: CVE

  • Rebuttal: How to avoid headaches when publishing a CVE

    On May 12, 2022, Adeeb Shah published an article on Help Net Security titled “How to avoid headaches when publishing a CVE”. Shah is a Senior Security Consultant with SpiderLabs, part of Trustwave. Note that it also appears on Trustwave’s blog and includes a second name in the byline, Bobby Cooke. For the sake of […]

  • Rebuttal: A blended look at what makes the CVE program try to tick

    A few days ago, Tod Beardsley published an article on SC Magazine titled “An inside look at what makes the CVE Program tick“. Overall the article is well-written and offers some insights into MITRE, CVE, and their “CNA” program or CVE Numbering Authorities. Beardsley does a good job enumerating some basics about the program, the […]

  • CVE ID Created Date != Much of Anything

    Yesterday, SanSec published a blog post discussing the recent Adobe Commerce / Magento Open Source vulnerability that was discovered being exploited in the wild. In the blog, they said: Adobe has been aware of the issue since at least January 27th but decided to issue a patch on Sunday, which is highly unusual. They draw […]

  • CISA’s BOD 22-01: How to Prioritize 100 Vulnerabilities in Two Weeks

    [This was originally published on riskbasedsecurity.com, and had considerable edits/enhancements done by Curtis Kang.] CISA BOD 22-01 introduces the directive for government vendors to mitigate 292 CVE IDs, or 301 vulnerabilities, 100 of them within a short timeframe. It is well-meaning and brings potentially valuable focus, but it will put pressure on teams working with […]

  • An 83 Word Excuse Instead of a 1 Character Fix (NCSC.nl)

    The National Cyber Security Center of the Netherlands (NCSC.nl) has a curious take on sharing security information. On October 25, 2021 I contacted them to inform them of a simple typo in one of their advisories. I send mails or Tweets like this several times a week to researchers, vendors, and news outlets as CVE […]

  • Sharks Are Scary but Worry About Mosquitoes

    [This was originally published on RiskBasedSecurity.com and was included in the 2021 Mid Year Vulnerability QuickView Report.] It seems like every day that we hear about a new hack and read headlines that tell us that so-called advanced persistent threats (APT) are compromising major organizations. These APT and nation-state actors have incredible skill and seemingly […]

  • The Rundown: CVE IDs & RESERVED Status

    During the process of assigning a CVE ID, there is a time period between the assignment and the disclosure, and again between the disclosure and it becoming available on MITRE’s CVE site or NIST’s National Vulnerability Database (NVD). During this period, the ID will be shown as RESERVED. First, it is important to note that […]

  • The Rundown: CVE IDs & REJECT Status

    For analysts and practitioners that digest CVE regularly, you will likely be familiar with CVEs that are in REJECT status. If you are new to CVE or not familiar with some of the more gritty details, a CVE assignment may be rejected for various reasons. When that happens, it will receive a capitalized REJECT status: […]

  • The Rundown: CVE IDs, Meanings, & Assumptions

    For almost two decades, CVE has been considered an industry standard for vulnerability tracking. A CVE ID can be affiliated with many vulnerabilities, in a format like CVE-2014-54321. Note my choice in ID, from 2014 with a consecutive set of numbers. That is because I specifically chose a ‘sample’ CVE that was set aside as […]

  • SolarWinds: Sitting on Undisclosed Vulnerabilities

    [This was originally published on RiskBasedSecurity.com.] SolarWinds was in the news last year, as the victim of an attack that compromised its Orion Platform software by inserting a backdoor into it, allowing for remote code execution. This attack has had an incredible impact on the security industry and recently, interest in the SolarWinds breach has […]