CVEs and responsible disclosures are both important items and steps to securing software and making the Internet a more secure place. At Triaxiom Security, we are very fortunate to see a wide array of different technologies, software, and environments when conducting various assessments for our clients. Because of this, it’s not uncommon to discover weaknesses in commercial off-the-shelf (COTS) software and open-source software being used on our clients’ external perimeter or internal network. In addition to informing clients during the deliverable phase of the assessment, we will also begin the process of a responsible disclosure with the vendor, and subsequently submit a CVE ID request to The MITRE Corporation when fixed and recognized by the vendor.
What are CVEs and Responsible Disclosures?
What is a CVE?
First, let’s address what a CVE is and what the process of getting an ID assigned looks like. CVE stands for Common Vulnerabilities and Exposures, and is a system which provides a reference-method for publicly known security vulnerabilities and exposures. When a security vulnerability is discovered and submitted to The MITRE Corporation through a CVE ID request, it is then reviewed by a CVE Assignment Team member. In my experience, the wait time for approval of a CVE can vary greatly from a matter of several hours to several weeks. As of writing this post, I am currently in a three week pending status for one CVE submitted for a cross-site scripting (XSS) vulnerability discovered while conducting an External Penetration Test. Once assigned, the CVE ID will be posted on MITRE’s CVE website and will have a severity score assigned to it and may have additional reference links with more information and vendor patch notes.
What is a Responsible Disclosure?
A responsible disclosure is the practice of notifying a vendor of a security issue discovered in one or more products. A disclosure should be concise and specific, and be forwarded to the best point-of-contact which can be found through the vendor’s website, social media, etc. If a valid point-of-contact cannot be found through open source means, an email to the company’s support or contact email address with an inquiry of who an email should be sent to may be sufficient enough. Typically, security researchers follow an accepted time frame of 90 days from the first notice of a security vulnerability to a vendor before releasing it publicly on the Internet. This time frame is largely based off of good faith efforts from the vendor to provide a fix, and therefore the timeline may be shifted based on communication and willingness to remediate.
What is the benefit?
By responsibly disclosing vulnerabilities, vendors have the opportunity to review the findings and make the appropriate changes to their products and push out updates to their users. Additionally, by submitting a CVE and having a unique ID assigned to the vulnerability, it can be catalogued in different databases such as the U.S. National Vulnerability Database (NVD).
By submitting responsible disclosures and seeking CVEs, we aim to take an extra step in securing our clients as well as any other users of the software containing vulnerabilities we identify. Below is an example of CVEs assigned based on findings from an assessment Triaxiom conducted.
Multiple XSS vulnerabilities discovered in Dundas BI versions up to 18.104.22.1681: