CNAs and CVEs – Can allowing vendors to assign their own vulnerability IDs actually hinder security?

guest · Nov 3, 2020

CNAs and CVEs – Can allowing vendors to assign their own vulnerability IDs actually hinder security?
‘If the organization is a CNA, they seem to get control over what vulnerabilities do or do not get CVE numbers’
November 3, 2020
https://portswigger.net/daily-swig/...wn-vulnerability-ids-actually-hinder-security

Security researchers have highlighted the potential pitfalls of allowing software vendors to assign their own vulnerability report IDs.

The Common Vulnerabilities and Exposures (CVE) system is a widely used list of records detailing security vulnerabilities, each containing a technical description and severity score.
Mitre is tasked with assigning CVE identification numbers for specific security vulnerabilities (CVE-2017-0143, for example).
Click to expand...

However, some third-party software vendors are permitted to assign CVEs relating to vulnerabilities in their own products, without input from Mitre.

One such vendor is VMWare, which is a CNA – CVE Numbering Authority – “authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities”.
Click to expand...

‘Failing of the system’
Under Mitre’s rules, a CNA does not have to assign a CVE if a security vulnerability is not made public, meaning that these vendors can quietly patch issues – even dangerous bugs, as in the case of VMWare – without informing its users or the security community.

This practice “sounds like a failing of the CVE system”, security researcher Jonathan Leitschuh wrote on Twitter.
Click to expand...

CNA-do attitude
There are currently 142 named CNAs based around the world, and this figure will no doubt continue to grow in tandem with the security industry over the coming months and years.
As it currently stands, the CVE process leaves the door open for any CNA to decline to assign a CVE for a critical vulnerability (perhaps under fear of negative press or loss of user trust), with the vendor choosing instead to silently patch the bug.
Click to expand...

Log in or Sign up

CNAs and CVEs – Can allowing vendors to assign their own vulnerability IDs actually hinder security?

guest Guest

Log in or Sign up

CNAs and CVEs – Can allowing vendors to assign their own vulnerability IDs actually hinder security?

guest Guest

Useful Searches