Dave Hughes
Where do they come from and what are they for?
The actual project for coordinating CVEs (Common Vulnerabilities and Exposures) is overseen by the MITRE corporation, a not-for-profit organization based in the U.S. According to Security Week, in 2021, more than 28,000 vulnerabilities were uncovered, and the average time to remediate a critical issue was 60 days. As new vulnerabilities arise, the CVE Numbering Authority (CNA) assigns a reference ID to the new CVE. CNAs can be considered stakeholders that, among others, include research groups and software vendors, such as Microsoft and Oracle. These parties are authorized to assign CVE IDs (in the format CVE-YYYY-NNNNNNN) to vulnerabilities.
What is in a CVE?
CVEs originate in compromised code, within a code defect — and the industry average for code defects is 15-50 errors per 1,000 lines of delivered code. While CVEs do not contain technical disclosures or information about fixes and their potential impacts, vendors naturally have an interest in keeping vulnerabilities discreet. Not only will there be less people trying to exploit the issue, but the longer a lid remains on the mechanism of exploitation, the more time vendors arguably have to find a proper resolution for it.
Of course, there is a moral quandary with this line of thinking. Attack vectors are worth a lot of money to the wrong person — and without the all the information, a company is unable to protect against one. So while software vendors scramble toward a fix, the secrets of a vulnerability could be getting traded for money on the dark web to criminals or even nation-state governments.
Needless to say, the more people who know about a problem, the more people there are who can work on a fix or on removing attack vectors that can exploit it. But what you don’t want to have is an organization that needs to shut down weak areas by detaching them from external access, particularly for an extended period of time that impacts business operations.
How long before the fix is released?
When it comes to security vulnerabilities, time is an important factor. Indeed, a CVE ID in its YYYY format can give an indication as to just how long a vendor has left a vulnerability out in the wild before it is made public. In a recent case, security researchers discovered CVE-2022–21445, which had a CVSS score of 9.8, and reported it to Oracle in October 2021. Oracle then released a fix as part of its April 2022 Critical Patch Update, six months after the initial report.
To give some food for thought: Whatever weakness was identified six months prior to that patch’s release has existed and been available for use even longer. It is just that less people, if anyone, knew about it.
What’s more, as with any patch, the “fix” might not be a silver bullet. Another patch might ultimately be required to close the hole. Then another patch and another, as the cycle perpetuates. This happens regularly, as with the Log4j issue of November 2021, wherein multiple releases were needed to provide an effective fix.
Because such occurrences are common in the technology industry, it is imperative not to solely rely upon vendor patches, as they often arrive too late and sometimes do not even provide their intended fixes. Thus, we should always be prepared for the next “Zero Day” and be resolute in maintaining our strong defensive posture.
At Spinnaker Support, we encourage our clients to use a Defense in Depth approach to holistically protect their systems from potential threat actors. For more information on protecting your system from vulnerabilities, please visit our webpage on Security and Vulnerability Management, or reach out to a representative.