Big companies can panic for the wrong CVE. However, the entire concept of CVE can sound new to small companies or solo developers. Yet, knowing what is a CVE and how to address it can give you an edge – at any level. In this post, we explain what is a CVE (Common Vulnerabilities and Exposures), why it is important, and how to deal with it.
What is a CVE?
CVE is the acronym of Common Vulnerabilities and Exposures. Here, we are talking about security issues. Thus, CVE is a document that lists such security issues.
But let’s dive deeper. What does “Common” means inside the acronym? It means that the vulnerabilities are common to multiple companies and organizations. In fact, you can think of it as vulnerabilities that everybody has.
Now that we have an idea, we can start to focus on what types of security issues we are dealing with. What is a vulnerability or exposure? And why do these CVEs are so widespread?
What is a vulnerability?
For a CVE, vulnerability is an unwanted behavior in a system. Not all unwanted behaviors count as CVE, but only the ones that allow for unintended usage. This may seem a little tricky at first, but it is a formal way to say something very trivial.
If a malicious user can leverage a feature of a software or system to make it do things that its creator didn’t think about, that’s the vulnerability. A few examples will clear any doubt for sure.
Imagine a website where you can buy things online. If the “Purchase” button is blue, but it had to be green, that’s an unwanted behaviour. Still, that’s not a vulnerability. Nobody can exploit the fact that the button is green.
However, if in the same application, I can add products to the cart, remove them during check out, pay nothing and still submit the order (and get the product), that’s a vulnerability. I made the system do something it was not designed for, ship products without payment.
Why a CVE is common?
Now that we can identify a vulnerability, we can start to ponder why CVEs are common.
CVE does not describe implementation issues, but they describe issues in systems. For example, if you configure your password on your Windows PC to be “password”, that’s your fault – not a vulnerability in Windows.
Instead, CVEs describe vulnerabilities that are embedded in a system, software, or program. They are in the code (or, rarely, in the hardware). If you have that system, you get the vulnerability as well.
Since many companies and people will have that system, many people will have that vulnerability. That’s why they are common.
Addressing a CVE
Be informed
Before anything else, you need to receive the CVE. In fact, you need to receive the document that presents the vulnerabilities. That is easy, as CVEs are public and free to access.
This allows you to get the CVE quickly, but it also allows an attacker to get it, and to potentially exploit it.
To get any CVE, you need to look MITRE website. That’s the official place when you can get them. There are many authorities that can publish CVE documents, all approved by MITRE.
The MITRE publishes those vulnerabilities inside a GitHub repository, and you can search in it. Inside that repository, you find all the CVEs grouped by year, starting from 1999. Each CVE is a JSON file so that you can automatically parse it.
Anatomy of a CVE
At first, the content of a CVE may not look so
{
"CVE_data_meta": {
"ASSIGNER": "sirt@juniper.net",
"DATE_PUBLIC": "2019-01-09T17:00:00.000Z",
"ID": "CVE-2019-0003",
"STATE": "PUBLIC",
"TITLE": "Junos OS: A flowspec BGP update with a specific term-order causes routing protocol daemon (rpd) process to crash with a core."
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Junos OS",
"version": {
"version_data": [
{
"affected": "<",
"platform": "SRX Series",
"version_name": "12.1X46",
"version_value": "12.1X46-D77"
},
{
"affected": "<",
"version_name": "12.3",
"version_value": "12.3R12-S10"
},
{
"affected": "<",
"platform": "SRX Series",
"version_name": "12.3X48",
"version_value": "12.3X48-D70"
},
{
"affected": "<",
"platform": "EX2200/VC, EX3200, EX3300/VC, EX4200, EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100",
"version_name": "14.1X53",
"version_value": "14.1X53-D47"
},
{
"affected": "<",
"version_name": "15.1",
"version_value": "15.1R3"
},
{
"affected": "<",
"version_name": "15.1F",
"version_value": "15.1F3"
},
{
"affected": "<",
"platform": "SRX Series",
"version_name": "15.1X49",
"version_value": "15.1X49-D140"
},
{
"affected": "<",
"platform": "EX2300/EX3400",
"version_name": "15.1X53",
"version_value": "15.1X53-D59"
}
]
}
}
]
},
"vendor_name": "Juniper Networks"
}
]
}
},
"configuration": [
{
"lang": "eng",
"value": "The following maximal parent* configuration is required:\n set protocols bgp group [FLOWSPEC]\nand\n set policy-options policy-statement\n set routing-options flow term-order\n\nSpecific child* relationship configuration details vary by implementation which may introduce this vulnerability.\n\n*\"parent\" and \"child\" as in a parent-child tree structure relationship within the CLI.\n"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "When a specific BGP flowspec configuration is enabled and upon receipt of a specific matching BGP packet meeting a specific term in the flowspec configuration, a reachable assertion failure occurs, causing the routing protocol daemon (rpd) process to crash with a core file being generated. Affected releases are Juniper Networks Junos OS: 12.1X46 versions prior to 12.1X46-D77 on SRX Series; 12.3 versions prior to 12.3R12-S10; 12.3X48 versions prior to 12.3X48-D70 on SRX Series; 14.1X53 versions prior to 14.1X53-D47 on EX2200/VC, EX3200, EX3300/VC, EX4200, EX4300, EX4550/VC, EX4600, EX6200, EX8200/VC (XRE), QFX3500, QFX3600, QFX5100; 15.1 versions prior to 15.1R3; 15.1F versions prior to 15.1F3; 15.1X49 versions prior to 15.1X49-D140 on SRX Series; 15.1X53 versions prior to 15.1X53-D59 on EX2300/EX3400."
}
]
},
"exploit": [
{
"lang": "eng",
"value": "Juniper SIRT is not aware of any malicious exploitation of this vulnerability."
}
],
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Incomplete assertion \nCWE-617: Reachable Assertion\nDenial of Service\n\nCAPEC:\n.262 Manipulate System Resources\n.262.607 Obstruction\n.262.607.582 Route Disabling\n.262.607.582.584 BGP Route Disabling \n"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://kb.juniper.net/JSA10902",
"refsource": "CONFIRM",
"url": "https://kb.juniper.net/JSA10902"
},
{
"name": "106544",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106544"
}
]
},
"solution": [
{
"lang": "eng",
"value": "The following software releases have been updated to resolve this specific issue: 12.1X46-D77, 12.3R12-S10, 12.3X48-D70, 14.1X53-D47, 15.1F3, 15.1R3, 15.1X49-D140, 15.1X53-D59, 16.1R1 and all subsequent releases.\n"
}
],
"source": {
"advisory": "JSA10902",
"defect": [
"1116761"
],
"discovery": "USER"
},
"work_around": [
{
"lang": "eng",
"value": "Disable BGP flowspec.\nThere are no other available workarounds for this issue."
}
]
}
After some information describing the CVE itself, you can find the details of the vulnerability. First, it tells you that it affects the vendor Juniper Networks on the product Junos OS, up to several version (you see "affected": "<" , meaning that all versions before the one mentioned are affected).
In the configuration block, it describes what is the configuration you need to have on that system for the vulnerability to exist.
It then gives a generic assessment on how complex is to exploit the attack, and what is its impact (see cvss).
Finally, it provides a solution – which in most cases is upgrading to a higher version like in this case. It also provides a workaround, like disabling the feature that generates the vulnerability. This can be viable if you are not using the feature, and may not if you need it.
Take action
Before you decide a course of action, you need to assess
The impact you see in the CVE is generic. It is merely the impact you have on the affected system. Instead, you need to look at the impact the CVE has on your company, on your implementation.
For example, imagine you own a device that is found to have a high vulnerability. The attacker can take control of the system, and it is even easy to do. The impact looks high. However, that depends on many factors. Is that system exposed to the Internet, or in a secure network? Does it host only test data or sensitive data?
You are the only one who can know what are the impacts inside your organization. Based on that, you can decide what to do with the CVE. Mainly, you have three options.
- Do not treat the CVE, and live with the vulnerability.
- Use the workaround.
- Apply the solution.
The higher the impact on your organization, the more you should orient yourself to apply the solution. To decide that, you also need to evaluate the risks of applying the solutions, as well as the efforts. For example, changing versions may need an upgrade and restart, and this may stop your business. You need to take into account everything when taking action.
In a nutshell
Let’s wrap things up a little bit. A CVE is a document that describes security issues on systems of common vendors, that many companies have. CVEs are published frequently by the MITRE, and you can find them here.
Each CVE is a JSON file, which means you can easily parse them with any programming language. In each, you see the systems affected and its affected versions. You can also find a proposed workaround and a solution, which oftentimes is the upgrade.
However, you are the only one who can decide what to do with a CVE in your organization. You need to see what is the impact on your organization, depending on how you use the impacted system. Based on that, you can plan a course of action.
Are you currently addressing CVEs in your organization? Did you ever get an attack that exploited a CVE? Let me know in the comments.
