Security vulnerabilities are weaknesses in an application stack that attackers exploit during a cyber attack to obtain unauthorized access. Common attack patterns involve leveraging these security risks to install malware, access/alter sensitive data and run malicious code on the target system. Similar to vulnerabilities in software, exposures are security threats that provide attackers access to internal systems and networks. Attackers rely on such exposures in software systems to orchestrate data leaks that lead to the compromise of sensitive information. This article discusses the Common Vulnerabilities and Exposures (CVE) as a community-driven vulnerability database that offers a centralized list of publicly-known vulnerabilities for sharing information between security teams.
Common Vulnerabilities and Exposures is a catalog built to standardize the identification of known cyber threats. CVE is a free reference list for security teams looking to bolster their attack surface monitoring and threat intelligence efforts. All potential threats included in the database are assigned with CVE identifiers and standardized names. CVE details also offer resourceful insights into the design of a comprehensive security policy and periodic security reports. Used as a standard format for information sharing among cross-functional teams, the list is often considered the starting point in implementing cybersecurity strategies for commercial organizations.
Common Vulnerabilities and Exposures Examples
Some of the most exploited software security vulnerabilities and exposures listed in the CVE database include:
The CVE-2014-3566 vulnerability, also known as the Padding Oracle On Deprecated Legacy Encryption (POODLE), typically affects all internet-facing systems that support SSL 3.0 and rely on CBC mode ciphers. In such vulnerable applications, a hacker can launch a man-in-the-middle attack by eavesdropping on encrypted communications. When the cryptographic algorithm is paired with a block cipher, malicious cyber actors leverage padding oracle attacks to decrypt the cipher, gaining access to sensitive information within encrypted packets such as cookies, passwords, and other authentication mechanisms. The POODLE vulnerability’s severity rating is considered low, with a CVSS score of 3.4.
Dirty CoW (Dirty copy-on-write) or CVE-2016-5195 is a vulnerability that affects all Linux kernel versions of 2.x through 4.8.2, allowing the software to write into read-only files. The vulnerability affects a race condition within the Linux kernel’s functions to implement copy-on-write memory mappings. This vulnerability allows attackers to exploit incorrect handling of the copy-on-write feature to access system memory and escalate privileges.
The Dirty CoW vulnerability is attributed to a high CVSS score (7.8) as it leads to complete information disclosure, total compromise of system integrity, and complete shutdown of the target system.
Apache Log4j is a Java-based utility to log information for application debugging. While Log4j libraries are used to write log data into a database or log file, security analysts and vulnerability researchers have discovered several vulnerabilities in Log4j components that could lead to an exploit. Some of these include:
- CVE-2022-23307: This represents a deserialization flaw in the Apache Chainsaw component of Apache Log4j 1.2.x., allowing hackers to send malicious requests with serialized data. Because of the flaw, the server deserializes the malformed request when running the Chainsaw component, subsequently facilitating arbitrary code execution. Because of the severe consequences of such attacks, the security flaw is attributed to a high CVSS score of 8.8.
- CVE-2021-44228: Popularly known as the Log4Shell vulnerability, this flaw leverages Log4j’s interaction with Java Naming and Directory Interface (JNDI) and Lightweight Directory Access Protocol (LDAP) servers. The flaw enables hackers to control log message parameters in products that enable message lookup substitution, allowing them to orchestrate remote code execution on the target LDAP servers or leak sensitive data through the JNDI API. The CVE database attributes a critical severity rating with the highest CVSS score of 10 for this exposure.
Proxylogon, primarily CVE-2021-26855, is a server-side request forgery attack on the Microsoft Exchange server that is orchestrated by bypassing authentication systems and masquerading as an administrator. The flaw is used in chain attacks that allow remote code execution on the affected exchange server, giving malicious actors unlimited access to mailboxes, stored credentials, and sensitive files.
Proxylogon is a pre-authenticated vulnerability that allows hackers to execute code remotely without logging or authenticating it to the server. As a result, the vulnerability is rated as critical with a CVSS score of 9.8.
Proxylogon attacks are also used in combination with other potential vulnerabilities of an application stack. These include:
- CVE-2021-26858: A post-authentication write flaw that enables the hacker to write a file to any path on the exchange server
- CVE-2021-26857: An insecure deserialization security flaw that lets the attacker perform remote code execution as a default SYSTEM account
- CVE-2021-27065: A file-writing vulnerability that allows the attacker to arbitrarily set names and file paths on the affected exchange server. By inserting malicious code components into the files, adversaries can perform arbitrary code execution attacks on the vulnerable server.
Common Vulnerabilities and Exposures Database – The Purpose it Solves
The CVE database is a government initiative funded by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The database of vulnerabilities lists 179,222 critical vulnerabilities that simplify the analysis of vulnerability trends, subsequently helping with proactive threat identification and mitigation.
The database offers a centralized list of publicly known information security issues along with the level of severity and impact of vulnerabilities. These details help organizations refine their threat intelligence while helping with the automation of vulnerability management, bug bounty programs, and security analysis.
Quick Note: CVE entries in the database mostly include CVE identifiers, their respective official names, and a brief description. Additional technical information, including impact details and mitigation plans, can be cross-referenced from other vulnerability databases such as the CCE Vulnerability Database and National Vulnerability Database.
Who publishes CVE details?
Details of CVE are developed and published by a CVE Numbering Authority (CNA), an organization assigned a specific scope of responsibility to identify and publish cybersecurity vulnerabilities. Some prominent CVE numbering authorities include Adobe Systems, Android, AppCheck, Cisco Foundation, and IBM Corporation.
What is the difference between CVE and CVSS?
The CVE is a community-developed database that lists known instances of flaws and exposures in software systems.
CVSS, on the other hand, provides a numerical score for each CVE entry with the degree of severity for all cybersecurity risks.