Tag: CVE
-
MITRE Got Popped; A Bit of Irony and Perspective
I know, “don’t kick someone when they are down“, but I have a history of working on a project that catalogs just such incidents. Yesterday, MITRE announced that they had been compromised by a nation-state actor, but didn’t provide much detail. Bleeping Computer reported that the compromise was due to a zero-day vulnerabilities in an…
-
A Glimpse Into the CISA KEV
On March 27, Elizabeth Cardona and Tod Beardsley gave a presentation at VulnCon 2024 about CISA’s KEV, or ‘Known Exploited Vulnerabilities’ list. This initiative was created as a result of BOD 22-01, which is a ‘Binding Operational Directive’ aimed at reducing the risk due to vulnerabilities that are known to be exploited in the wild,…
-
VulnCon: NVD Symposium, Answers, and More Concerns
Yesterday, at the first inaugural VulnCon, Tanya Brewer from the NVD gave a presentation that was listed on the agenda as “NVD Symposium”. At the talk, her slides began with a header “The National Vulnerability Database: Exploring Opportunities”. However, neither the symposium nor the opportunities were the primary topics that most people were interested in.…
-
The Linux CNA – Red Flags Since 2022
[2/28/2024 Update: A bit more info added at end regarding “almost any bug might exploitable“.] MITRE announced that The Linux Kernel Organization (Kernel.org, hereafter referred to as ‘Linux’) was officially a CVE Numbering Authority (CNA) on February 13, 2024 and via the CVE web site, that their advisories would be posted here. That means they…
-
2024 and Some Still Don’t Understand the CVE Ecosystem
[Update: Even before I publish this, I want to keep everything I wrote for now. But I believe this rebuttal is in response to trash written by SpiceWorks and a GPT.] The world of vulnerability disclosures is growing fast, for a variety of reasons I won’t get into. Suffice it to say my time is…
-
That Vulnerability is “Trending” … So What?
Yesterday, more than one organization reached out to my company asking why a particular vulnerability wasn’t in VulnDB yet. First, it had been less than 24 hours since publication in CVE/NVD, NVD hasn’t analyzed it as of the time of this blog, and it is in software no significant business would use. It’s part of…
-
Rebuttal? Not really… Comments on Curphey’s Latest Blog
I went into a LinkedIn post expecting to have to buy a new box of red sharpies to be honest, but I am pleasantly surprised at the conclusions regarding CVE / NVD, which I think are largely accurate. As grim a picture as is painted, they are still a bit too generous. I say that…
-
When CVE Typos Become Advisories
For those who follow me on Twitter, you may notice a considerable number of my Tweets are related to pointing out or confirming CVE IDs that are typos. Recently I ran into an interesting edge case where a typo CVE ID gained life of its own. Typically such typos gain life through aggregation blogs that…
-
Rebuttal: How to avoid headaches when publishing a CVE
On May 12, 2022, Adeeb Shah published an article on Help Net Security titled “How to avoid headaches when publishing a CVE”. Shah is a Senior Security Consultant with SpiderLabs, part of Trustwave. Note that it also appears on Trustwave’s blog and includes a second name in the byline, Bobby Cooke. For the sake of…
-
Rebuttal: A blended look at what makes the CVE program try to tick
A few days ago, Tod Beardsley published an article on SC Magazine titled “An inside look at what makes the CVE Program tick“. Overall the article is well-written and offers some insights into MITRE, CVE, and their “CNA” program or CVE Numbering Authorities. Beardsley does a good job enumerating some basics about the program, the…