In this post I want to go over some of the findings from my research into how vulnerability scoring works across the major vulnerability databases.
CVE
The Common Enumeration of Vulnerabilities (CVE) List is a database of reported vulnerabilities maintained by the Mitre Corporation. Vulnerabilities can be submitted by organizations and even by individuals. Each vulnerability is given a CVE-ID number that identifies it. This list of CVE-IDs is used by many other databases for application use and scoring.
A CVE ID is a unique, alphanumeric identifier assigned by the CVE Program. Each identifier references a specific vulnerability. CVE IDs have the following format:
CVE prefix + Year + Arbitrary Digits
There is quite a bit of information on how those IDs are assigned; please refer to the Mitre website for the details. Just note that a CWE category is not used when assigning a CVE ID to a vulnerability.
Request for CVE-ID Process:
- Discover: A person or organization discovers a new vulnerability.
- Report: Discoverer reports a vulnerability to a CVE Program participant.
- Request: CVE Program participant requests a CVE Identifier (CVE ID).
- Reserve: The ID is reserved, which is the initial state of a CVE Record. The Reserved state means that CVE stakeholder(s) are using the CVE ID for early-stage vulnerability coordination and management, but the CNA is not yet ready to publicly disclose the vulnerability.
- Submit: CVE Program participant submits the details. Details include but are not limited to affected product(s); affected or fixed product versions; vulnerability type, root cause, or impact; and at least one public reference.
- Publish: Once the minimum required data elements are included in the CVE Record, it is published to the CVE List by the responsible CNA. The CVE Record is now available for download and viewing by the public.
The CVE-ID record on the Mitre website will carry additional information, depending on what the reporter supplied, such as product status, available patches and references to the source code. The record is also available in JSON so that other databases can score it and consume it easily.
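As an added example (not code from the post or from the CVE Program), the following validates CVE IDs against the format above, extracts them from free text, and checks a record against the minimum elements listed in the Submit/Publish steps. The record layout and the sample IDs are constructed for illustration and are not the official CVE JSON schema.

```python
import re

# CVE ID format per the CVE Program: "CVE-" + four-digit year + at least four arbitrary digits.
CVE_ID_RE = re.compile(r"CVE-(\d{4})-(\d{4,})")


def parse_cve_id(cve_id: str) -> tuple[int, int]:
    """Validate a CVE ID and return (year, sequence number); raise ValueError if malformed."""
    m = CVE_ID_RE.fullmatch(cve_id.strip().upper())
    if m is None:
        raise ValueError(f"malformed CVE ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def find_cve_ids(text: str) -> list[str]:
    """Pull every distinct, well-formed CVE ID out of free text (an advisory, a scan report)."""
    return sorted({m.group(0) for m in re.finditer(r"\bCVE-\d{4}-\d{4,}\b", text.upper())})


def missing_for_publish(record: dict) -> list[str]:
    """Report which required elements a record still lacks; an empty list means it can be published.
    The keys used here (affected/versions/problem_types/references) are a constructed, simplified
    shape, not the official CVE JSON record format."""
    missing = []
    affected = record.get("affected", [])
    if not any(a.get("product") for a in affected):
        missing.append("affected product")
    if not any(a.get("versions") for a in affected):
        missing.append("affected or fixed versions")
    if not record.get("problem_types"):
        missing.append("vulnerability type, root cause or impact")
    if not any(r.startswith(("http://", "https://")) for r in record.get("references", [])):
        missing.append("at least one public reference")
    return missing


# Constructed sample records (not real CVE data): one at the Reserved stage with no details yet,
# and the same ID after the participant has submitted the minimum details.
RESERVED = {"cve_id": "CVE-2024-123456", "state": "RESERVED", "affected": [], "references": []}
SUBMITTED = {
    "cve_id": "CVE-2024-123456", "state": "RESERVED",
    "affected": [{"vendor": "example_vendor", "product": "example_app",
                  "versions": [{"version": "2.4.1", "status": "affected"},
                               {"version": "2.4.2", "status": "unaffected"}]}],
    "problem_types": ["placeholder weakness description"],
    "references": ["https://example.invalid/advisory"],
}
```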
CWE
The Common Weakness Enumeration (CWE) List is a database of common software and hardware weakness types, also maintained by the Mitre Corporation together with the CWE community. It categorizes weakness types into buckets that are independent of the programming language or hardware used. These buckets or categories are arranged in a tree-like structure, or mapping, showing where each one falls and how one weakness type is correlated with another. Weakness type records contain information such as:
- Description
- Extended Description
- Alternate terms
- Relationships with other vulnerabilities
- Background details, Application platforms
- Common Consequences
- Likelihood of Exploit
- Demonstrative Examples from code or hardware
- Observed Examples
- Potential Mitigations
- Weakness Ordinalities
- Detection Methods
- Memberships
- Vulnerability Mapping Notes
- Notes, Taxonomy Mappings
- Related Attack Patterns
- References
- Content History
The introduction of new weaknesses is handled by the CWE community. The CWE Community is an industry community endorsed by major operating system vendors, commercial information security tool vendors, academia, government agencies, and research institutions.
The CWE also publishes a variety of top hardware and software weakness lists. Factors such as analysis score, CVSS, KEV and potential mitigations are used to rank these lists.
The CWE List is used with other databases and security tools to categorize and perform analysis of the vulnerabilities found.
NVD
The National Vulnerability Database (NVD) is a database, or list, of scored CVE-IDs maintained by the US government's NIST organization. The National Institute of Standards and Technology (NIST) helps promote American innovation and industrial competitiveness by approving standards and research, so maintaining the NVD is just one of many things NIST does.
The NVD performs analysis on newly discovered CVE-IDs published to the CVE list. NVD staff aggregate and analyze the description, the references supplied and any additional data publicly available for that CVE-ID. The analysis produces an impact metric called a Common Vulnerability Scoring System (CVSS) score, a vulnerability type associated with the Common Weakness Enumeration (CWE) list, and applicability statements expressed as Common Platform Enumeration (CPE) names.
The CVSS score is an impact metric used across industries to rate the importance of a vulnerability. As of this writing, NVD is on the CVSS version 3.0 rating and is retiring version 2.0. The rating levels are listed below:
| Severity | Severity Score Range |
|---|---|
| None | 0.0 |
| Low | 0.1 - 3.9 |
| Medium | 4.0 - 6.9 |
| High | 7.0 - 8.9 |
| Critical | 9.0 - 10.0 |
To analyze the impact and create that CVSS score, NVD provides a calculator anyone can use. The calculator is also maintained by FIRST, which helps produce new versions of it.
As far as categorization of the vulnerability to the CWE, the NVD makes use of a subset of the entire CWE List, which is enumerated by the CWE-1003 (Weaknesses for Simplified Mapping of Published Vulnerabilities) view. NVD analysts will associate the most specific CWE value within the CWE-1003 view based on the publicly available information at the time of analysis.
Lastly, the Common Platform Enumeration is a dictionary of the software, packages, and systems related to the vulnerability found. It takes into account the URI form used to name them. The dictionary is an XML document used to check names against a system or against another database.
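As an added example (not code from the post or from NIST), this parses CPE 2.3 formatted-string names and checks a constructed software inventory against an applicability statement, including the optional version bounds NVD attaches to its configurations. The matching here is a simplified form of CPE name matching (`*` in the statement matches anything; other attributes must be equal), and the inventory entries and vendor/product names are constructed.

```python
import re
from typing import Optional

# Attribute names of a CPE 2.3 formatted string, after the "cpe:2.3" prefix.
FIELDS = ["part", "vendor", "product", "version", "update", "edition",
          "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe(cpe: str) -> dict:
    # Split on colons that are not escaped; CPE 2.3 writes a literal ':' as '\:'.
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(FIELDS, parts[2:]))


def version_key(v: str) -> tuple:
    # Compare dotted versions numerically where possible ("2.10" > "2.9"); other parts sort as text.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def cpe_matches(statement: str, installed: str,
                start_incl: Optional[str] = None, end_excl: Optional[str] = None) -> bool:
    """Simplified match of an applicability statement against an installed product name.
    start_incl/end_excl mirror NVD's versionStartIncluding/versionEndExcluding and assume the
    installed name carries a concrete version."""
    s, i = parse_cpe(statement), parse_cpe(installed)
    for f in FIELDS:
        if s[f] != "*" and s[f] != i[f]:
            return False
    v = version_key(i["version"])
    if start_incl is not None and v < version_key(start_incl):
        return False
    if end_excl is not None and v >= version_key(end_excl):
        return False
    return True


def affected(inventory: list[str], statements: list[tuple]) -> list[str]:
    """Inventory entries matched by any (statement, start_incl, end_excl) tuple."""
    return [c for c in inventory if any(cpe_matches(s, c, a, b) for s, a, b in statements)]


# Constructed sample inventory and applicability statement (not real NVD or CPE dictionary data).
INVENTORY = [
    "cpe:2.3:a:example_vendor:example_app:2.4.1:*:*:*:*:*:*:*",
    "cpe:2.3:a:example_vendor:example_app:2.10.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:example_vendor:example_app:3.0.0:*:*:*:*:*:*:*",
    "cpe:2.3:o:example_vendor:example_os:10:*:*:*:*:*:*:*",
]
# "example_app from 2.0 (inclusive) up to 3.0 (exclusive)"
STATEMENTS = [("cpe:2.3:a:example_vendor:example_app:*:*:*:*:*:*:*:*", "2.0", "3.0")]
```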
KEV
The Known Exploited Databases (KEV) is a database, or catalog, of CVE-IDs known to be exploited in the wild. It is maintained by the Cybersecurity & Infrastructure Security Agency (CISA). It was recently created so that federal agencies can prioritize these vulnerabilities. It shouldn't be seen as a replacement for the NVD but as an addition to it.
The catalog refers to the NVD for its CVE-ID number and reference. The KEV looks mostly at what actions organizations can take to remediate each vulnerability. It also includes a due date by which government agencies must patch or remediate the vulnerability.
AppSec Tools
Application Security Tools such as SAST, SCA and DAST often build their own databases based on CVE IDs and CWE categories and give each entry their own score. This gives these tools the opportunity to apply their own prioritization and analysis. Examples include tools like Blackduck, Snyk, Checkmarx, etc. Some of these databases are open while others are proprietary. They include additional features and tooling for the analysis done on each new CVE.
Conclusion
I hope this helps in identifying how these databases correlate and how to use them. A lot of this information can be overwhelming, so it is good to understand the overall picture.