‘If the organization is a CNA, they seem to get control over what vulnerabilities do or do not get CVE numbers’
ANALYSIS
Security researchers have highlighted the potential pitfalls of allowing software vendors to assign their own vulnerability report IDs.
The Common Vulnerabilities and Exposures (CVE) system is a widely used list of records detailing security vulnerabilities.
The vulnerability identification project is managed by Mitre Corporation, a US non-profit that manages federally funded research and development centers.
Mitre is tasked with assigning CVE identification numbers for specific security vulnerabilities (CVE-2017-0143, for example).
However, some third-party software vendors are permitted to assign CVEs relating to vulnerabilities in their own products, without input from Mitre.
One such vendor is VMware, which is a CNA – CVE Numbering Authority – “authorized to assign CVE IDs to vulnerabilities affecting products within their distinct, agreed-upon scope, for inclusion in first-time public announcements of new vulnerabilities”.
Last month, researchers from PT Swarm claimed they found an unauthenticated file read vulnerability in VMware’s vCenter product, which they said was silently patched without an assigned CVE.
A tweet gained traction online, with other security researchers confirming that certain versions of vCenter were still vulnerable to exploitation.
In an email, VMware told The Daily Swig that a CVE was not issued in this instance because the vulnerability was found and fixed internally.
A spokesperson said: “The vulnerability referred to in the tweet was found internally in 2017 as part of VMware’s Security Development Lifecycle, and subsequently fixed.
“Given that this was an internally-discovered vulnerability, a CVE was not issued. This vulnerability is not present in any current VMware vCenter builds.”
‘Failing of the system’
Under Mitre’s rules, a CNA does not have to assign a CVE if a security vulnerability is not made public, meaning that these vendors can quietly patch issues – even dangerous bugs, as in the case of VMware – without informing their users or the security community.
This practice “sounds like a failing of the CVE system”, security researcher Jonathan Leitschuh wrote on Twitter.
“Sounds really irresponsible for a CNA to fail to issue a CVE for a vulnerability this serious,” he added.
“Because VMware is a CNA, I believe you can’t get a CVE issued by any other CNAs according to the CVE rules. Sounds like a failing of the CVE system.”
Leitschuh told The Daily Swig that this is not the first time he has encountered this issue.
He said: “I don’t have the full context on the situation, but here’s what I’ve been told as a security researcher that regularly discloses vulnerabilities to organizations.
“If the organization is a CNA, they seem to basically get control over what vulnerabilities do/do not get CVE numbers.
“I’ve had heated discussions with the Apache Software Foundation’s security team about CVE issuance for vulnerabilities I’ve found. They opted not to assign CVE numbers to certain vulnerabilities which I disagreed with.
“But since the Apache foundation is a CNA, I can’t go over their heads to a different CNA to get a CVE number issued.”
Kurt Seifried, a blockchain expert at the Cloud Security Alliance and CVE board member, told The Daily Swig that since CVE is voluntary, CNAs cannot be forced to publicly disclose bugs.
Seifried said there are certain arguments CNAs can use to avoid disclosure; one is to claim that, because a product receives forced automatic updates, there is no need for a CVE.
He did note that the parent CNA – which is usually Mitre – can be appealed to. “It’s rare but it happens,” he said.
While having a ‘universal’ system such as CVE in place is an essential step in securing software for users and enterprises worldwide, allowing certain software vendors to assign their own vulnerability IDs does not appear to be a fully watertight solution.
There are currently 142 named CNAs based around the world, and this figure will no doubt continue to grow in tandem with the security industry over the coming months and years.
As it currently stands, the CVE process leaves the door open for any CNA to decline to assign a CVE for a critical vulnerability (perhaps under fear of negative press or loss of user trust), with the vendor choosing instead to silently patch the bug.
In the absence of any details about the flaw, a sysadmin may then neglect to apply the necessary patches in favor of mitigating other, publicly documented CVEs. This would leave their organization exposed to attack – something that defeats the entire purpose of the system.
Mitre told The Daily Swig in an email that while it does encourage CNAs to assign CVE IDs, it does not require it and vendors cannot be punished for failing to do so.
“The CNA rules do not require a CNA to assign a CVE ID for vulnerabilities that they do not intend to make public. The CVE program does encourage CNAs to assign CVE IDs and make vulnerabilities public in a responsible manner,” a spokesperson said.
“CNAs do not face penalties in cases where they choose not to assign a CVE ID. CVE is a voluntary program, making the imposition of penalties highly problematic.”