CSIRT-IE Reports on Common Vulnerabilities and Exposures (CVEs)

Objective

CSIRT-IE's primary focus, in regard to the following reports, is to identify vulnerable servers and services within the jurisdiction that may be exploited by publicly disclosed Common Vulnerabilities and Exposures (CVEs) which have a severity rating of 'critical' or 'high' as indicated by their CVSSv3 metrics. CSIRT-IE seeks to inform the responsible network operators and constituents, identified by the IP address of the affected server or service, by email, and to provide advice and recommendations on how to reduce the threat posed by the CVE to the vulnerable servers or services.

Common Vulnerabilities and Exposures (CVEs)

The mission of the CVE Program is to identify, define, and catalogue publicly disclosed Common Vulnerabilities and Exposures (CVEs).

System used for reporting Common Vulnerabilities and Exposures (CVEs)

No. | System                                      | Description
1.  | Common Vulnerabilities and Exposures (CVEs) | CVEs identify, define and catalogue publicly disclosed, known information-security vulnerabilities and exposures.

A vulnerability is a weakness which can be exploited to gain unauthorised access to a system or a network, execute code, install malware, and access internal systems to steal, destroy, or modify sensitive data.   If undetected, it could allow a threat actor to pose as a super-user or system administrator with full access privileges.

An exposure is a mistake that gives an attacker access to a system or network. An exposure can allow an attacker to access personally identifiable information (PII) and exfiltrate it. Some of the largest breaches were the result of accidental exposure rather than sophisticated cyber attacks.

The CVE Program emerged from an initiative first launched in 1999 by the independent not-for-profit MITRE Corporation, called the CVE List.

The CVE List provided a method for publicly sharing information on cybersecurity vulnerabilities and exposures, which was adopted by the cybersecurity community.

Shortly afterwards, major operating system vendors and other organisations from around the world began to include CVE identifiers (IDs) in their alerts.

CVEs are assigned a number known as a CVE identifier (ID) by the CVE Numbering Authorities (CNAs).  CNAs are software vendors, open source projects,  coordination centers,  bug bounty service providers, hosted services,  and research groups authorised by the CVE Program to assign CVE IDs to vulnerabilities and publish CVE Records within their own specific scopes of coverage.

A CVE identifier consists of a [Year] and a [Number]. The Year represents the year in which the vulnerability was reported. The Number is a sequential number assigned by the CNA.

Details of CVEs are often withheld until the corresponding vendor can issue a patch or fix, ensuring that organisations can protect themselves once the information is made public.  Sharing of information in relation to CVEs can help to mitigate the publicly disclosed vulnerabilities and exposures in a fast and efficient manner and ensure that all organisations are protected.

CVE and the CVE logo are registered trademarks of the MITRE Corporation. CVE is sponsored by the United States (U.S.) Department of Homeland Security (DHS), Cybersecurity and Infrastructure Security Agency (CISA). CISA funds the Homeland Security Systems Engineering and Development Institute (HSSEDI), a DHS Federally Funded Research and Development Center (FFRDC) operated by the MITRE Corporation, to operate the CVE Program in cooperation with industry, government, and academic stakeholders under a public/private partnership.

The Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) provides the means to capture the principal characteristics of a vulnerability and produce a numerical score to reflect its severity.

Systems used for reporting and assessing the severity of security vulnerabilities.

No. | System                                         | Description
1.  | Common Vulnerabilities and Exposures (CVE)     | The CVE system is used to identify, define and catalogue publicly disclosed, known information-security vulnerabilities and exposures.
2.  | The Common Vulnerability Scoring System (CVSS) | CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. It provides a numerical (0-10) representation of the severity of an information security vulnerability.

CVSSv3.0 Ratings

No. | Base Score Range | Severity
1.  | 0.0              | None
2.  | 0.1 - 3.9        | Low
3.  | 4.0 - 6.9        | Medium
4.  | 7.0 - 8.9        | High
5.  | 9.0 - 10.0       | Critical
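As an added illustration of the triage described under Objective (example code, not CSIRT-IE's own tooling), the following Python maps a CVSSv3 base score to the rating bands in the table above, checks CVE ID syntax, and keeps only High or Critical findings grouped by affected IP address. The report rows are constructed sample data and the CVE IDs in them are placeholders.

```python
import re

# Severity bands from the CVSSv3.0 ratings table above, least to most severe.
RATING_ORDER = ["None", "Low", "Medium", "High", "Critical"]
# CVE ID syntax: "CVE-", a four-digit year, "-", then at least four digits.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def cvss_rating(score):
    """Map a CVSSv3 base score (0.0 to 10.0) to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def triage(rows, minimum="High"):
    """Group findings rated at or above `minimum` by IP address, so one
    notification per affected address can be prepared. Rows with a malformed
    CVE ID are returned separately rather than silently dropped."""
    threshold = RATING_ORDER.index(minimum)
    notify, rejected = {}, []
    for row in rows:
        if not CVE_ID_RE.match(row["cve"]):
            rejected.append(row)
            continue
        rating = cvss_rating(row["cvss"])
        if RATING_ORDER.index(rating) < threshold:
            continue
        notify.setdefault(row["ip"], []).append((row["cve"], row["cvss"], rating))
    for findings in notify.values():  # most severe finding first
        findings.sort(key=lambda f: -f[1])
    return notify, rejected


# Constructed sample rows (not real report data; the CVE IDs are placeholders).
SAMPLE_ROWS = [
    {"ip": "192.0.2.10", "cve": "CVE-2099-00001", "cvss": 9.8},
    {"ip": "192.0.2.10", "cve": "CVE-2099-00002", "cvss": 7.5},
    {"ip": "192.0.2.23", "cve": "CVE-2099-00003", "cvss": 7.0},
    {"ip": "192.0.2.23", "cve": "CVE-2099-00004", "cvss": 6.9},
    {"ip": "192.0.2.45", "cve": "CVE-2099-00005", "cvss": 3.9},
    {"ip": "192.0.2.45", "cve": "cve-2099-5", "cvss": 10.0},
]
```

Calling `triage(SAMPLE_ROWS)` returns the two addresses that have a High or Critical finding, and lists the malformed ID separately so it can be corrected rather than lost.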

Source of Information

The Shadowserver Foundation is a non-governmental organisation and one of the world's leading resources for internet security reporting and malicious activity investigation. The Shadowserver Foundation works with national governments, network providers, enterprises, financial and academic institutions, law enforcement agencies, and others, to reveal security vulnerabilities, expose malicious activity and help remediate victims. The Shadowserver Foundation performs a scan of the entire IPv4 internet every day for Internet-accessible servers and services and reports the security vulnerabilities found. In 2022, the Shadowserver Foundation began systematically rolling out IPv6 scanning of services. Information on the Shadowserver Foundation Reports and the data contained therein can be found at: Shadowserver Foundation Reports

The Shadowserver Foundation Event Severity Levels

On the 12th Oct 2023, the Shadowserver Foundation introduced a new system of categorising events in their reports, called Event Severity Levels, making it possible for recipients of their reports to filter events based upon the severity of the actual event reported. The Shadowserver Foundation has also begun applying a default severity level to their reports.

Event Severity Levels
No. Level Description
1. Critical. Highly critical vulnerabilities that are being actively exploited, where failure to remediate poses a very high likelihood of compromise.   For example, a pre-authorisation Remote Code Execution (RCE) or modification or leakage of sensitive data.
2. High. End-of-life systems; systems that require authentication but are meant to be internal (SMB, RDP); some data can be leaked. Sinkhole events end up in this category.
3. Medium. Risk that does not pose an immediate threat to the system but can over time escalate to a higher severity. For example: risk of participating in DDoS; unencrypted services requiring login; vulnerabilities requiring visibility into network traffic (Man-in-the-Middle (MITM) attack without being able to manipulate the traffic) to exploit; or cases where an attacker will need to know internal systems/infrastructure in order to exploit it.
4. Low. Deviation from best practice - little to no practical way to exploit, but the setup is not ideal. Vulnerabilities requiring MITM (including manipulating the traffic) to exploit.
5. Info. Informational only. Typically no concerns. However, this category includes the Device Identification report, which may include information on device types that should not be accessible on the public Internet, in which case the individual events in the report may be assigned higher severity levels. Review in accordance with the organisation's security policy.

Secure Information Sharing Sensor Delivery Event Network

The Secure Information Sharing Sensor Delivery Event Network seeks to improve the cyber security posture of EU organisations and citizens through the development of increased situational awareness and the effective sharing of actionable information.

Additional Information

CVE Beta website