

SSV Software Systems

Klaus-Dieter Walter | Tiffany Dinges

There are weak points in every application

Virtually all IoT applications contain security vulnerabilities that attackers can exploit under certain conditions. Detailed knowledge of the respective weaknesses, combined with an understanding of how a possible cyberattack would unfold, is very helpful in fending such attacks off.


The runtime environments and software stacks used to implement communication-enabled digital products and front- and back-end platforms contain numerous security vulnerabilities that cyber attackers can exploit. Some vulnerabilities are discovered during the development and market launch phase and are rectified immediately. Others only come to light at a later stage. Many remain undetected. One hundred percent cyber-secure products and solutions that prove to be free of vulnerabilities over their entire life cycle are virtually impossible with the current state of technology.
Vulnerabilities in IT, OT/ICS and IoT hardware and software, as well as in cloud platforms, have been handled relatively openly for a number of years. Organizations and cybersecurity researchers around the world search for vulnerabilities. A finding is usually reported under the CVE program to a CVE Numbering Authority (CNA), which assesses and classifies it, assigns a unique CVE identifier and publishes it in a database that anyone can query over the Internet, as part of a coordinated (responsible) disclosure process (see table). In addition, since Stuxnet at the latest, the USA has been working intensively to make the entire CVE database and its supplements (CVSS, CWE, CPE) fully machine-readable; the National Vulnerability Database already exposes this data through application programming interfaces (APIs), so that it can be consumed by tools rather than read by hand.


What are CVEs?

Because of complex software stacks and hardware platforms, practically every application component also contains cybersecurity vulnerabilities. Known vulnerabilities are assigned a Common Vulnerabilities and Exposures (CVE) ID and published. Users can draw on this knowledge to test and improve their own application continuously.


The abbreviation CVE stands for "Common Vulnerabilities and Exposures". "Vulnerabilities" are publicly known security flaws and weaknesses in computer systems. "Exposures" are conditions, such as a configuration mistake, that are not defects in themselves but give an attacker a foothold or reveal information.
Behind the CVE idea is a comprehensive program launched in 1999 by MITRE together with US security organizations to record IT security vulnerabilities and publish them in a standard data format. It provides a common reference system for the continuous improvement of cybersecurity. Numerous international partners now take part in the CVE program within a hierarchical organizational structure. The MITRE Corporation, a not-for-profit organization that operates research centers for the US government, serves as the root organization. Vulnerabilities are recorded worldwide by so-called CNAs (CVE Numbering Authorities). A CVE partner program with a dedicated onboarding process exists for admitting new CNAs.

An example of a CVE would be the NFC-based credit card terminal of an electronic cash register system A from manufacturer B, which allows an attacker to read the customer's card data and PIN input during a payment. Once such a vulnerability has been discovered, reported and verified within the CVE organizational structure, it receives an identifier in the format "CVE-yyyy-nnnn". Here "yyyy" is the year in which the ID was assigned, which is usually the year the vulnerability was reported and need not be the year it is published (there are sometimes long gaps between discovery and CVE publication), and "nnnn" is a sequence number of at least four digits, longer when a year's numbering exceeds 9999. Because CNAs are allocated blocks of IDs in advance, the numbers are not consecutive in order of publication. A short description is written for each new vulnerability and supplemented with further information. The finished CVE record is compiled by a CNA according to the program's rules and stored, with product and vendor names, in the freely accessible CVE database. From then on the vulnerability can be referenced unambiguously via its CVE ID. The entire CVE database can be queried and searched through various websites, for example by vendor and product name (such as the combination "vendor = GNU" and "product = Glibc"). The CVE records are also published as JSON objects on GitHub for integration into tools.

CVE-based vulnerability analysis

Any developer, operator or user can identify and assess the known vulnerabilities of a specific hardware or software component online, even without deep specialist knowledge. To do so, CVE queries are first run by vendor or product name, for example via the NVD, www.cvedetails.com or the ICS Advisory Project. Assume that an overview of security vulnerabilities is needed for the control module of a networked OT application. CVEs are then searched for on the Internet by the vendor name X or the product name XYZ-100. In this fictitious example only CVE-2018-17900 (Unsecured Credentials) turns up. The entry for this CVE ID explains that the embedded web server of the XYZ-100 does not adequately protect a user's credentials, which lets a potential attacker misuse the XYZ-100, for example for remote access. The entry gives a CVSS base score of 9.8 (critical) and assigns the vulnerability to CWE-522 (Insufficiently Protected Credentials): the XYZ-100 transmits or stores authentication data in a way that is particularly susceptible to unauthorized use. With this knowledge there is now a clear need for action, for example an XYZ-100 software update or, until one is available, a virtual patch (a compensating control such as filtering access to the device's web server).
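The triage just described can be automated once the CVE record is available as JSON. The following Python script is an example added to this article; it is not code from the authors or from SSV. It parses a record in the CVE JSON 5.x layout published on GitHub, validates the ID format, extracts the CWE and the affected versions and turns the CVSS base score into the qualitative rating. The record is constructed to mirror the article's fictitious XYZ-100 case; it is not the real record for this ID, and the vendor name "X" and the version range "0 up to but excluding 2.1" are assumptions.

```python
"""Parse a CVE JSON 5.x record and derive what an analyst needs first:
the ID components, the CVSS score with its qualitative rating, the CWE
root cause and the affected products.  Example code added to this
article; the record below is constructed to mirror the article's
fictitious XYZ-100 case and is not the real record for that ID."""
import json
import re

# CVE IDs: "CVE-", a 4-digit year, then a sequence number of at least four digits
# (five or more digits are common since 2014, so never assume exactly four).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Constructed sample record in the CVE JSON 5.x layout used by the CVEProject repo.
SAMPLE_RECORD = json.loads(r"""
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.0",
  "cveMetadata": {"cveId": "CVE-2018-17900", "state": "PUBLISHED"},
  "containers": {"cna": {
    "affected": [{"vendor": "X", "product": "XYZ-100",
                  "versions": [{"version": "0", "lessThan": "2.1", "status": "affected",
                                "versionType": "custom"}]}],
    "descriptions": [{"lang": "en",
      "value": "The embedded web server of the XYZ-100 does not adequately protect user credentials, which may allow remote access."}],
    "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522",
      "description": "CWE-522 Insufficiently Protected Credentials"}]}],
    "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8,
      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]
  }}
}
""")


def parse_cve_id(cve_id):
    """Return (year, sequence) for a syntactically valid CVE ID, else raise ValueError."""
    m = CVE_ID_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def cvss_severity(score):
    """Qualitative rating for a CVSS v3.x base score (FIRST's rating scale)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def summarize(record):
    """Flatten the fields an analyst triages on into one dict."""
    cna = record["containers"]["cna"]
    year, seq = parse_cve_id(record["cveMetadata"]["cveId"])
    # A record may carry several metric sets; take the highest v3.1 base score.
    metrics = [m["cvssV3_1"] for m in cna.get("metrics", []) if "cvssV3_1" in m]
    score = max((m["baseScore"] for m in metrics), default=None)
    cwes = sorted({d["cweId"] for pt in cna.get("problemTypes", [])
                   for d in pt["descriptions"] if d.get("cweId")})
    affected = [f"{a['vendor']}:{a['product']} {v.get('version', '?')}"
                + (f" <{v['lessThan']}" if "lessThan" in v else "")
                for a in cna.get("affected", []) for v in a.get("versions", [])
                if v.get("status") == "affected"]
    return {"id": record["cveMetadata"]["cveId"], "year": year, "sequence": seq,
            "description": next(d["value"] for d in cna["descriptions"] if d["lang"] == "en"),
            "cvss": score,
            "severity": cvss_severity(score) if score is not None else "UNSCORED",
            "cwes": cwes, "affected": affected}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORD).items():
        print(f"{key:12} {value}")
```

Note that the CNA container of a real record may carry no CVSS metrics or CPE names at all; those enrichments are often added later by the NVD and are then fetched from its API rather than from the GitHub record, which is why the script reports "UNSCORED" instead of guessing.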
The entry for CVE-2018-17900 also lists CPE names, for example in the form "cpe:2.3:o:XYZ-100 ...", "cpe:2.3:o:XYZ-500 ...", "cpe:2.3:h:XYZ-ABC ..." (in a full CPE 2.3 name the fields after "cpe:2.3" are part, vendor, product, version and so on, where the part "o" denotes an operating system or firmware, "h" hardware and "a" an application). The list makes clear that several products, in certain software versions, share the same vulnerability. Technique IDs from the MITRE ATT&CK matrix can also be mapped to a CVE ID. In this case, these would be:

T1190 (Exploit Public-Facing Application): An attacker could exploit a vulnerability in the HTTP web server of a board connected to the Internet to gain access to the local network in which the board is located.
T1552 (Unsecured Credentials): Attackers could search compromised systems for credentials stored insecurely, for example in plain text files.
T1078 (Valid Accounts): The attacker can take over existing user accounts and misuse them for various purposes (with compromised authentication data, other resources within a networked application may become usable as well).

The author: Klaus-Dieter Walter is a member of the management board at SSV Software Systems.

The CVE, CVSS, CWE and CPE notation is relatively abstract overall. Mapping individual CVEs to MITRE ATT&CK techniques makes the possible effects of a given CVE ID much easier to understand.
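Matching one's own inventory against the CPE names of a CVE is the step that turns the abstract notation into a yes/no answer per device. The following Python example is added here and is not the article's or SSV's code. It parses CPE 2.3 formatted strings (cpe:2.3:part:vendor:product:version:update:edition:language:sw_edition:target_sw:target_hw:other), applies the ANY ("*") and NA ("-") attribute rules, and checks inventory entries against match criteria in the layout the NVD uses for its cpeMatch entries (a vulnerable flag, a criteria string and an optional version range). The criteria and inventory are constructed around the article's fictitious XYZ-100, XYZ-500 and XYZ-ABC products; the vendor name "x" and the version ranges are assumptions.

```python
"""Parse CPE 2.3 formatted strings and test a product's CPE against the
match criteria a vulnerability database lists for a CVE.  Example code
added to this article, not from the article's authors.  The criteria
below are constructed to mirror the article's fictitious XYZ-100 case and
follow the layout NVD uses for "cpeMatch" entries."""
import re

CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other")

# Constructed sample: what a CVE's configurations might say about the XYZ products.
SAMPLE_CRITERIA = [
    {"vulnerable": True, "criteria": "cpe:2.3:o:x:xyz-100_firmware:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "1.0", "versionEndExcluding": "2.1"},
    {"vulnerable": True, "criteria": "cpe:2.3:o:x:xyz-500_firmware:*:*:*:*:*:*:*:*",
     "versionEndExcluding": "3.0"},
    # Hardware entries give context; the firmware, not the board, is flagged vulnerable.
    {"vulnerable": False, "criteria": "cpe:2.3:h:x:xyz-abc:-:*:*:*:*:*:*:*"},
]


def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into its 11 named attributes.

    Colons inside a value are escaped as '\\:' in CPE 2.3, so we split on
    unescaped colons only; values are lower-cased because CPE matching is
    case-insensitive.  Raises ValueError on a malformed string."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return dict(zip(CPE_FIELDS, (p.lower() for p in parts[2:])))


def version_key(v):
    """Sortable key for dotted versions; numeric parts sort before text parts."""
    return tuple((0, int(p)) if p.isdigit() else (1, p)
                 for p in re.split(r"[.\-_]", v))


def attr_matches(criterion, value):
    """CPE attribute logic: '*' (ANY) matches everything, '-' (NA) only itself."""
    if criterion == "*":
        return True
    return criterion == value


def cpe_matches(criterion_cpe, target_cpe, start_incl=None, end_excl=None):
    """True if target_cpe falls within criterion_cpe plus the optional version range."""
    crit, tgt = parse_cpe(criterion_cpe), parse_cpe(target_cpe)
    if not all(attr_matches(crit[f], tgt[f]) for f in CPE_FIELDS if f != "version"):
        return False
    if crit["version"] != "*":
        return crit["version"] == tgt["version"]
    if tgt["version"] in ("*", "-") and (start_incl or end_excl):
        return False  # no concrete version to compare: do not claim a match
    if start_incl and version_key(tgt["version"]) < version_key(start_incl):
        return False
    if end_excl and version_key(tgt["version"]) >= version_key(end_excl):
        return False
    return True


def vulnerable(target_cpe, criteria):
    """Return the criteria strings that flag target_cpe as vulnerable."""
    return [c["criteria"] for c in criteria
            if c.get("vulnerable") and cpe_matches(c["criteria"], target_cpe,
                                                   c.get("versionStartIncluding"),
                                                   c.get("versionEndExcluding"))]


if __name__ == "__main__":
    # Constructed inventory of three devices as an operator might record them.
    inventory = ["cpe:2.3:o:x:xyz-100_firmware:2.0:*:*:*:*:*:*:*",
                 "cpe:2.3:o:x:xyz-100_firmware:2.1:*:*:*:*:*:*:*",
                 "cpe:2.3:h:x:xyz-abc:-:*:*:*:*:*:*:*"]
    for cpe in inventory:
        hits = vulnerable(cpe, SAMPLE_CRITERIA)
        print(cpe, "->", "VULNERABLE" if hits else "not matched")
```

The NVD also uses versionStartExcluding and versionEndIncluding bounds, which extend cpe_matches in the same way, and CPE 2.3 permits "?" and "*" wildcards inside a value; this example handles only the whole-attribute ANY and NA forms. Note also that a target whose version is unknown ("*") is deliberately reported as not matched rather than as vulnerable: an inventory without firmware versions cannot answer the question.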

Cybersecurity Glossary

Some important technical terms and special abbreviations for systematically dealing with cybersecurity vulnerabilities and helpful sources of information.

Term Description
CPE Common Platform Enumeration. Naming convention, standardized by NIST (the 2.3 naming specification is NIST IR 7695), for uniquely identifying IT systems, platforms and software packages. The NVD attaches CPE names to CVE records so that affected products can be matched automatically. All existing CPE names are collected in a CPE dictionary administered by the National Institute of Standards and Technology (NIST) in the USA.
CVE Common Vulnerabilities and Exposures. "Vulnerabilities" are publicly known security flaws and weaknesses in computer systems; "exposures" are conditions, such as configuration mistakes, that give an attacker a foothold or reveal information. Vulnerabilities are recorded worldwide by so-called CNAs (CVE Numbering Authorities) under the direction of MITRE in the USA. After verification, a reported vulnerability receives an ID of the form "CVE-yyyy-nnnn", where "yyyy" is the year the ID was assigned and "nnnn" is a sequence number of at least four digits. See https://www.cve.org/
CVSS Common Vulnerability Scoring System. Methodology for capturing the main characteristics of a vulnerability and deriving a numerical score that reflects its severity. The score, ranging from 0 to 10, maps to a qualitative rating (for CVSS v3: 0.1 to 3.9 low, 4.0 to 6.9 medium, 7.0 to 8.9 high, 9.0 to 10.0 critical) used to prioritize vulnerabilities for remediation.
CWE Common Weakness Enumeration. Systematic list of common software and hardware weakness types or categories that can have an impact on cybersecurity. CWEs describe the possible root causes of CVEs. Each CWE has an ID; the list is maintained with a community behind it, and the current CWE list plus the associated website is administered by MITRE in the USA. See https://cwe.mitre.org/
Exploit Collective term for a complete piece of software, a code fragment or a technique that enables someone to exploit a vulnerability in order to cause damage or gain access to a computer system. Exploits are developed specifically for certain CVE IDs and sometimes published.
ICS Industrial Control Systems. Industrial control and automation systems. General collective term for computer systems and integrated computer functions used in OT environments.
NVD National Vulnerability Database. Extensive vulnerability database of the National Institute of Standards and Technology (NIST) in the USA. It enriches CVE records with CVSS scores, CWE categories and CPE names and can be used automatically via Application Programming Interfaces (APIs) and the Security Content Automation Protocol (SCAP).
Stuxnet Often regarded as the starting point of professional OT cybersecurity. The term refers to sabotage malware used in cyberattacks against Iranian nuclear facilities, discovered in 2010. The incident highlighted the need to apply CVEs, CVSS, exploit knowledge and so on to OT applications as well.
Vulnerability General collective term for cybersecurity vulnerabilities or weaknesses in hardware and software components or computer systems that are used in IT and OT environments or IoT applications, for example.
