Here’s what to look for


Most people only take a cursory glance at Common Vulnerabilities and Exposures (CVE) records. You might look at the Common Vulnerability Scoring System (CVSS) score, check whether the list of affected products includes anything you run, and move on.

That is not surprising when there is more to see than ever. With more than 14,000 CVEs, and counting, published in 2021, examining every one of them is impractical, and 2021 is on track to see nearly 40% more CVEs than last year.

If you see a CVE that might apply to you, how do you know whether it does? What should you look for to decide whether it is worth your time?

Unfortunately, you can't just read the title of a CVE and know whether it's safe to ignore. A CVE record carries actionable details, including Common Platform Enumeration (CPE) data, that can help you make that call. It takes a little extra work, but the work pays off if it lets you find and fix a vulnerability before it is exploited.

Let’s take a closer look at how you can get more out of a CVE.

Where do CVEs come from
When you hear about a vulnerability, the headline rarely carries the nuances of affected software versions or other details. "Microsoft Office vulnerability" is a far more powerful heading than one noting that only older versions are affected. Those who write CVEs often know this and make little effort to be precise, because they see the notoriety that comes with "their" CVE making waves in the media.

There are no hard standards for what goes into a CVE record, only guidelines. With the growth of CVE Numbering Authorities (CNAs) such as GitHub, any user can request a CVE ID and have it processed through an automated system. There are 184 CNAs in 13 countries, with the MITRE Corporation as the primary one. Having so many different CNAs producing CVE records has made consistent standards even harder to achieve.

With more than 50 CVEs published every day, going through them all is unrealistic, and some records are useless because data points are missing or simply inaccurate. This has made the National Vulnerability Database (NVD) more of a "best effort" than the "source of truth" it is supposed to be.

For example, the description field in a CVE record is limited to 500 characters, which is not enough to fully describe what happened. Reading the original security advisory and the other references linked from the record helps you understand why a vulnerability matters, but it still doesn't tell you everything you need to know.

Read the advisory
One reason CVEs require more than a cursory look is that the vendor advisory usually contains data the CVE record lacks, most importantly whether a fix or patch is available.

VMware is one company that does a good job of posting security advisories that share remediation data.

How CPE data can help
Within a CVE record, the CPE data often plays the most telling role in explaining exactly what is at risk.

Four fields in the NVD JSON schema are invaluable when studying CVEs: versionStartIncluding, versionStartExcluding, versionEndIncluding and versionEndExcluding. They let you narrow the vulnerability down to specific version ranges and, if your Configuration Management Database (CMDB) is up to date, cross-reference the versions you actually run to see whether the CVE matters to you.

A major problem is that a CVE record is not required to include affected versions. One example: when Microsoft switched to the Chromium-based Edge, it stopped including versions in its CPE data, rendering that CPE data useless for matching. In a perfect world, the NVD would make these four optional fields mandatory so users could tell exactly what is involved. If versions are not reported correctly, you have two options: treat every CVE that could affect your product as applicable, and end up with false positives that clog your tracking database; or ignore anything that is not specific, and accept false negatives, which are worse for your security.
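The following is an added example, not code from the article or from the NVD, showing how the four version-bound fields are applied when matching a CVE record against a CMDB inventory, and how the "no version reported" case from the Edge example is surfaced instead of silently becoming a match or a miss. The field names (configurations.nodes, cpe_match, vulnerable, cpe23Uri and the four version bounds) follow the NVD JSON 1.1 feed format; the vendor and product names, the version bounds and the inventory rows are constructed for illustration and do not refer to any real CVE.

```python
"""Match CMDB inventory rows against the CPE version ranges in an NVD JSON 1.1 CVE item."""
import re
from typing import Iterator

# Constructed sample: the "configurations" object of one NVD 1.1 CVE item.
# Vendor/product names and version bounds are made up; no real CVE is described.
SAMPLE_CONFIGURATIONS = {
    "nodes": [
        {"operator": "OR", "cpe_match": [
            # Bounded range: 2.4.0 <= version < 2.4.49
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:examplevendor:webserver:*:*:*:*:*:*:*:*",
             "versionStartIncluding": "2.4.0",
             "versionEndExcluding": "2.4.49"},
            # Exact version carried in the CPE string itself
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:examplevendor:agent:1.2.3:*:*:*:*:*:*:*"},
            # Wildcard version with no bounds at all: the "unspecified" case
            {"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:examplevendor:browser:*:*:*:*:*:*:*:*"},
        ]}
    ]
}

# Constructed CMDB rows: (vendor, product, installed version).
SAMPLE_INVENTORY = [
    ("examplevendor", "webserver", "2.4.48"),
    ("examplevendor", "webserver", "2.4.49"),
    ("examplevendor", "agent", "1.2.3"),
    ("examplevendor", "agent", "1.2.4"),
    ("examplevendor", "browser", "90.0.1"),
    ("othervendor", "webserver", "2.4.48"),
]

BOUNDS = ("versionStartIncluding", "versionStartExcluding",
          "versionEndIncluding", "versionEndExcluding")


def version_key(version: str) -> tuple:
    """Turn '2.4.49' (or '2.4.49-p1') into a tuple of ints for ordering.
    Handles dotted numeric versions only; vendor-specific schemes need their own parser."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def cpe_fields(cpe23uri: str) -> dict:
    """Split a CPE 2.3 formatted string into the fields used for matching.
    Escaped colons ('\\:') inside attribute values are not handled here."""
    parts = cpe23uri.split(":")
    return {"part": parts[2], "vendor": parts[3], "product": parts[4], "version": parts[5]}


def match_status(cpe_match: dict, vendor: str, product: str, version: str) -> str:
    """Classify one cpe_match entry as affected / not_affected / unspecified."""
    fields = cpe_fields(cpe_match["cpe23Uri"])
    if (fields["vendor"], fields["product"]) != (vendor, product):
        return "not_affected"
    v = version_key(version)
    # Case 1: the CPE string names an exact version.
    if fields["version"] not in ("*", "-"):
        return "affected" if version_key(fields["version"]) == v else "not_affected"
    # Case 2: wildcard version, range carried by the four bound fields.
    present = {k: cpe_match[k] for k in BOUNDS if k in cpe_match}
    if not present:
        # Every version would "match"; flag it for a human instead of guessing.
        return "unspecified"
    if "versionStartIncluding" in present and v < version_key(present["versionStartIncluding"]):
        return "not_affected"
    if "versionStartExcluding" in present and v <= version_key(present["versionStartExcluding"]):
        return "not_affected"
    if "versionEndIncluding" in present and v > version_key(present["versionEndIncluding"]):
        return "not_affected"
    if "versionEndExcluding" in present and v >= version_key(present["versionEndExcluding"]):
        return "not_affected"
    return "affected"


def iter_cpe_matches(nodes: list) -> Iterator[dict]:
    """Walk NVD 1.1 configuration nodes, including nested children.
    AND nodes (e.g. 'running on' platforms) are flattened: each vulnerable
    cpe_match is tested on its own, which over-approximates rather than misses."""
    for node in nodes:
        for m in node.get("cpe_match", []):
            if m.get("vulnerable", False):
                yield m
        yield from iter_cpe_matches(node.get("children", []))


RANK = {"not_affected": 0, "unspecified": 1, "affected": 2}


def check_inventory(configurations: dict, inventory: list) -> dict:
    """Return {(vendor, product, version): status}, keeping the strongest status found."""
    results = {}
    for vendor, product, version in inventory:
        best = "not_affected"
        for m in iter_cpe_matches(configurations.get("nodes", [])):
            status = match_status(m, vendor, product, version)
            if RANK[status] > RANK[best]:
                best = status
        results[(vendor, product, version)] = best
    return results


if __name__ == "__main__":
    for (vendor, product, version), status in check_inventory(SAMPLE_CONFIGURATIONS, SAMPLE_INVENTORY).items():
        print(f"{vendor}:{product} {version:<8} -> {status}")
```

The three-way result is the point: "unspecified" rows are exactly the versionless records the paragraph above describes, and routing them to a review queue avoids both silently flooding the tracker and silently dropping them. The NVD 2.0 API renames the containers (cpeMatch, criteria) but keeps the same four version-bound fields, so the range logic carries over.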

Make a commitment to dig deeper
By simply going beyond the CVE record itself, you are already investigating more than most. The deeper you dig into the available data, the better you get at triaging the issues that actually affect your security. Take advantage of the information and any tools that can help you.

The NVD offers an API that can help you look up the data so many people ignore. Spending a few minutes researching which CVEs deserve the most attention is a small investment that can save far more time and money.

