Tracking Vulnerabilities

Vulnerability Databases

There are two main sites that provide details about vulnerabilities. These are public sites, so anyone can access them, and they are used to track vulnerabilities. They can be searched on many different types of parameters. I recommend learning to use these sites and getting comfortable with them so you can be more efficient at gaining information about a vulnerability. These sites will provide you with a CVE/CWE, a CVSS score, details about the vulnerability and possible solutions to fix it.

New CVE Numbering Authority

You should also keep track of who is a CVE Numbering Authority (CNA) as new ones can be added. For example, just this summer VULSec Labs was added as a new CNA!

https://www.cve.org/Media/News/item/news/2023/08/15/VULSec-Labs-Added-as-CNA

What is a CVE?

CVE stands for Common Vulnerabilities and Exposures. It is a standardized, publicly known naming scheme and identification method for tracking vulnerabilities and exposures. CVE IDs follow a specific format: "CVE-YYYY-NNNN," where YYYY represents the year of assignment and NNNN is a sequential number. For example, "CVE-2023-0281" would be an example CVE ID. Having this naming convention makes it easy to determine when the vulnerability was found (at least the year). It also helps you continue researching it, as you have a common identifier to use in your research.

What is a CWE?

CWE stands for Common Weakness Enumeration. This is a community-driven initiative that provides a catalog of common software weaknesses and vulnerabilities. The purpose of CWE is to provide a common naming scheme for identifying, describing and categorizing weaknesses in software that could lead to security vulnerabilities or issues. CWEs are commonly used by software developers to improve the security of their software.

What is a CVSS?

CVSS stands for Common Vulnerability Scoring System. This is used to assess and understand the severity and impact a vulnerability could have. There are several parts that go into calculating a CVSS score. This course is not going to go into those details, as we do not need to know how to calculate a CVSS score. If you want to learn how a CVSS score is calculated, though, a blog post on BeyondSecurity.com provides great details.

CVSS v3.0 scoring system.

CVSS v3.0 Ratings

CVSS Score of None (0.0) - this means that the vulnerability has little to no impact and will not pose a significant risk to the system.


CVSS Score of Low (0.1 to 3.9) - this means that the vulnerability has a relatively low impact. If this vulnerability is exploited it would have limited consequences and poses a low risk.


CVSS Score of Medium (4.0 to 6.9) - this means that the vulnerability being assessed has a moderate impact or severity. This means we should start to think about fixing this vulnerability as it is a notable risk. A CVSS Score of Medium also says that this vulnerability has the potential to be exploited and could lead to significant impacts.


CVSS Score of High (7.0 - 8.9) - this means that the vulnerability being assessed has a high impact or severity. This means we should really consider fixing this vulnerability ASAP as it is a significant risk to our network. If this vulnerability is exploited it could lead to severe impacts. Some of the fixes that should be done quickly are applying patches or applying mitigation techniques to minimize the risk associated with this vulnerability.


CVSS Score of Critical (9.0 - 10.0) - I am not sure if this one even needs an explanation. It is critical, so it will have a severe impact on the network and environment. This vulnerability requires immediate attention to try and mitigate the risk associated with it. If this vulnerability is exploited it could have a major impact on systems and data!


Keep in mind that even though we have a CVSS score that rates the impact/severity of a vulnerability, this is only one aspect that needs to be considered when determining which ones to fix. For example, if a system has a high vulnerability but is not exposed to the internet, you might not place as high a priority on fixing it as you would on a public-facing server that has a medium CVSS score. Companies have limited resources (people hours, for example) to solve all of these, so we need to keep that in mind when making suggestions on fixing vulnerabilities.
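
As an added example (not part of the original course material), the Python code below validates CVE IDs, maps CVSS v3.0 scores to the rating bands listed above, and orders findings so that exposure counts alongside the score. The ranking policy, the field names and the sample findings are assumptions made for illustration, and the CVE IDs are placeholders.

```python
import re

# CVE ID: year of assignment plus a sequence number. The sequence has at least
# four digits; IDs assigned since 2014 may carry more.
CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})")

# CVSS v3.0 rating bands from the list above, as (upper bound, rating).
BANDS = [(0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical")]

def cve_year(cve_id):
    """Return the assignment year of a well-formed CVE ID; raise ValueError otherwise."""
    m = CVE_RE.fullmatch(cve_id.strip().upper())
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(m.group(1))

def band(score):
    """Return the index into BANDS for a CVSS v3.0 base score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    score = round(score, 1)  # CVSS scores carry one decimal place
    return next(i for i, (upper, _) in enumerate(BANDS) if score <= upper)

def rating(score):
    """Return the qualitative rating (None, Low, Medium, High, Critical)."""
    return BANDS[band(score)][1]

def prioritize(findings):
    """Sort findings for remediation, most urgent first.

    Assumed policy (not from CVSS): an internet-facing asset is treated as one
    band more severe, and on a tie the exposed asset goes first.
    """
    def key(f):
        cve_year(f["cve"])  # reject malformed IDs before ranking
        exposed = bool(f["internet_facing"])
        return (-(band(f["cvss"]) + exposed), not exposed, -f["cvss"])
    return sorted(findings, key=key)

# Constructed sample findings; the CVE IDs are placeholders, not real entries.
FINDINGS = [
    {"cve": "CVE-2099-0001", "cvss": 7.5, "internet_facing": False, "host": "db-internal"},
    {"cve": "CVE-2099-0002", "cvss": 5.3, "internet_facing": True, "host": "web-public"},
    {"cve": "CVE-2099-10003", "cvss": 9.8, "internet_facing": False, "host": "build-internal"},
    {"cve": "CVE-2099-0004", "cvss": 3.1, "internet_facing": True, "host": "vpn-public"},
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f['cve']:<15} {f['cvss']:>4} {rating(f['cvss']):<8} {f['host']}")
```

With this policy the public-facing Medium finding is ranked ahead of the internal High one, while the internal Critical finding still comes first.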

searchsploit

Using Kali Linux we have the ability to use a command line tool called searchsploit. This will allow us to search Exploit DB, another great site we should familiarize ourselves with to learn about other exploits.


You can also learn more about it by reading this PDF.