Tag: CVE
-
CVE Farming – Problem & Solution

Blog Origins In the last year or two, I have increasingly used the term “CVE farming” in conversations and LinkedIn posts [1]. This has led a few people to ask what it meant and I gave a very CliffsNotes version of the answer. I started taking notes for this blog a while back expecting…
-
MITRE’s Phoning in New CNAs

On December 17, 2024, MITRE announced five new CVE Numbering Authorities (CNA) on their Twitter feed as well as their news page. However, there were actually seven added according to the CNAs page based on tracking it daily. Last year, when I asked about a discrepancy in tracking the CNAs, MITRE promptly replied to clarify.…
-
CISA Weekly Bulletins FOIA Results

Did you know that CISA publishes a weekly bulletin of “new vulnerabilities”, and has for a long time? They tend to have anywhere from 350 up to almost 1,000 vulnerabilities depending on the volume of CVEs published. The bulletins are entirely based on CVE IDs being published, not when the disclosures happened (just like CVE…
-
Don’t Be a CVE Dummy

One of the aspects of vulnerability intelligence is monitoring various public sources for new vulnerabilities, especially ones with a Common Vulnerabilities and Exposures (CVE) ID. These numbers are designed to help communicate details about a specific vulnerability. “Hey, remember that remote code execution in Fortinet in May?” Unfortunately, that isn’t very specific as there were…
-
Was It Really GPAC? (No!) Getting a CVE Removed from CISA KEV

On October 3, 2024, Aquasec published a report about newly discovered malware named “perfctl”, targeting Linux servers. In it they cite the malware taking advantage of misconfigurations, as well as attempting to “exploit the Polkit vulnerability (CVE-2021-4043) to escalate privileges.” The only problem is that CVE-2021-4043 isn’t “the Polkit vulnerability”, which in itself is problematic since…
-
Known Exploited Vulnerabilities (KEV) Thoughts – Part Two

This is part two of my thoughts on Known Exploited Vulnerabilities (KEV), and where it gets a lot more interesting! Please see the first blog before starting here. Automation / Eagerness To Add Reading vulnerability disclosures can be a grueling mission full of frustrations. Poorly written advisories, missing technical details, and errors make the life…
-
Known Exploited Vulnerabilities (KEV) Thoughts – Part One

This is the first of two blogs with my thoughts on Known Exploited Vulnerabilities (KEV) tracking and the challenges that come with tracking them. Introduction On November 03, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) announced a Binding Operational Directive (BOD) titled “BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities”. This BOD established…
-
400 CNAs, Yay?

Introduction This week, or in the next two, we’re likely to see MITRE heralding the milestone of minting their 400th CVE Numbering Authority (CNA). These are, primarily, organizations that can assign a CVE ID without having to go to MITRE each time to obtain the ID. This is part of what MITRE calls a “federated”…
-
Thoughts on CISA’s “Vulnrichment” Initiative

As many in the vulnerability disclosure ecosystem are now aware, the Cybersecurity & Infrastructure Security Agency (CISA) announced a new program called “Vulnrichment” on LinkedIn yesterday. News about the program spread rapidly via news sites and private companies. In this statement and elsewhere, there are definitely some general questions to be asked out loud since…
-
Thoughts on Tom Alrich’s “Global Vulnerability Database”

Tom Alrich published a blog last year titled “The Global Vulnerability Database won’t be a ‘database’ at all”. It is basically his outline for how to make an international database that many can contribute to, to replace the inadequate CVE / NVD database. He said he welcomes any comments and when it comes to vulnerability…