Author Topic: CVE (Common Vulnerability and Exposures) list and explanation  (Read 16308 times)


Pez

Have you wondered what these CVE and CCE numbers relate to in the security reports?
Here is the answer and explanation!

"Common Vulnerabilities and Exposures (CVE)"
"Common Configuration Enumeration (CCE)"




CVE (Common Vulnerability and Exposures) list and explanation

Link to CVE (Common Vulnerability and Exposures) website
Link to CCE (Common Configuration Enumeration) website


About CVE

Introduction
 
Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities, while its Common Configuration Enumeration (CCE™) provides identifiers for security configuration issues and exposures.
 
CVE’s common identifiers make it easier to share data across separate network security databases and tools, and provide a baseline for evaluating the coverage of an organization’s security tools. If a report from one of your security tools incorporates CVE Identifiers, you may then quickly and accurately access fix information in one or more separate CVE-compatible databases to remediate the problem.
 
CVE is:
• One name for one vulnerability or exposure
• One standardized description for each vulnerability or exposure
• A dictionary rather than a database
• How disparate databases and tools can "speak" the same language
• The way to interoperability and better security coverage
• A basis for evaluation among tools and databases
• Free for public download and use
• Industry-endorsed via the CVE Editorial Board and CVE-Compatible Products

Why CVE
CVE was launched in 1999 when most information security tools used their own databases with their own names for security vulnerabilities. At that time there was no significant variation among products and no easy way to determine when the different databases were referring to the same problem. The consequences were potential gaps in security coverage and no effective interoperability among the disparate databases and tools. In addition, each tool vendor used different metrics to state the number of vulnerabilities or exposures they detected, which meant there was no standardized basis for evaluation among the tools.
 
CVE’s common, standardized identifiers provided the solution to these problems.
 
CVE is now the industry standard for vulnerability and exposure names. CVE Identifiers provide reference points for data exchange so that information security products and services can speak with each other. CVE Identifiers also provide a baseline for evaluating the coverage of tools and services so that users can determine which tools are most effective and appropriate for their organization’s needs. In short, products and services compatible with CVE provide better coverage, easier interoperability, and enhanced security.



How CVE Works
The process of creating a CVE Identifier begins with the discovery of a potential security vulnerability.

The information is then assigned a CVE Identifier by a CVE Numbering Authority (CNA) and posted on the CVE List on the CVE Web site by the CVE Editor. As part of its management of CVE, The MITRE Corporation functions as Editor and Primary CNA.
 
The CVE Editorial Board oversees this process.


Each CVE Identifier includes:

• CVE Identifier number (e.g., "CVE-1999-0067").
• Brief description of the security vulnerability or exposure.
• Any pertinent references (e.g., vulnerability reports and advisories or OVAL-ID).


Read more about CVE here


Terminology

Below are the CVE Initiative’s definitions of the terms "Vulnerability" and "Exposure":
 
Vulnerability
 
An information security "vulnerability" is a mistake in software that can be directly used by a hacker to gain access to a system or network.
 
CVE considers a mistake a vulnerability if it allows an attacker to use it to violate a reasonable security policy for that system (this excludes entirely "open" security policies in which all users are trusted, or where there is no consideration of risk to the system).
 
For CVE, a vulnerability is a state in a computing system (or set of systems) that either:
• allows an attacker to execute commands as another user
• allows an attacker to access data that is contrary to the specified access restrictions for that data
• allows an attacker to pose as another entity
• allows an attacker to conduct a denial of service
 

Examples of vulnerabilities include:
• phf (remote command execution as user "nobody")
• rpc.ttdbserverd (remote command execution as root)
• world-writeable password file (modification of system-critical data)
• default password (remote command execution or other access)
• denial of service problems that allow an attacker to cause a Blue Screen of Death
• smurf (denial of service by flooding a network)
 
Review vulnerabilities on the Common Vulnerabilities and Exposures (CVE) List.

 
Exposure
 
An information security "exposure" is a system configuration issue or a mistake in software that allows access to information or capabilities that can be used by a hacker as a stepping-stone into a system or network.
 
CVE considers a configuration issue or a mistake an exposure if it does not directly allow compromise but could be an important component of a successful attack, and is a violation of a reasonable security policy.
 
An "exposure" describes a state in a computing system (or set of systems) that is not a vulnerability, but either:
• allows an attacker to conduct information gathering activities
• allows an attacker to hide activities
• includes a capability that behaves as expected, but can be easily compromised
• is a primary point of entry that an attacker may attempt to use to gain access to the system or data
• is considered a problem according to some reasonable security policy
 

Examples of exposures include:
• running services such as finger (useful for information gathering, though it works as advertised)
• inappropriate settings for Windows NT auditing policies (where "inappropriate" is enterprise-specific)
• running services that are common attack points (e.g., HTTP, FTP, or SMTP)
• use of applications or services that can be successfully attacked by brute force methods (e.g., use of trivially broken encryption, or a small key space)
 
Review exposures on the Common Configuration Enumeration (CCE) List.


About CCE

Introduction
 
The CCE List provides unique identifiers to security-related system configuration issues in order to improve workflow by facilitating fast and accurate correlation of configuration data across multiple information sources and tools.

For example, CCE Identifiers are included for the settings in Microsoft Corporation’s Windows Server 2008 Security Guide and 2007 Microsoft Office Security Guide; are the main identifiers used for the settings in the U.S. Federal Desktop Core Configuration (FDCC) data file downloads; and provide a mapping between the elements in configuration best-practice documents including the Center for Internet Security’s (CIS) CIS Benchmark Documents, National Institute of Standards and Technology’s (NIST) NIST Security Configuration Guides, National Security Agency’s (NSA) NSA Security Configuration Guides, and Defense Information Systems Agency’s (DISA) DISA Security Technical Implementation Guides (STIGS).

In addition, CCE is also one of six existing open standards used by NIST in its Security Content Automation Protocol (SCAP) program, which combines "a suite of tools to help automate vulnerability management and evaluate compliance with federal information technology security requirements." Numerous products have been validated by NIST as conforming to the CCE component of SCAP.

Why CCE

When dealing with information from multiple sources, use of consistent identifiers can improve data correlation; enable interoperability; foster automation; and ease the gathering of metrics for use in situation awareness, IT security audits, and regulatory compliance. For example, Common Vulnerabilities and Exposures (CVE®) provides this capability for information security vulnerabilities.

Similar to the CVE effort, CCE assigns a unique, common identifier to a particular security-related configuration issue. CCE identifiers are associated with configuration statements and configuration controls that express the way humans name and discuss their intentions when configuring computer systems (see CCE Editorial Policies for detailed content decisions). In this way, the use of CCE-IDs as tags provides a bridge between natural language, prose-based configuration guidance documents and machine-readable or executable capabilities such as configuration audit tools.

Each entry on the CCE List contains the following five attributes:
• CCE Identifier Number – "CCE-2715-1"
• Description – a humanly understandable description of the configuration issue
• Conceptual Parameters – parameters that would need to be specified in order to implement a CCE on a system
• Associated Technical Mechanisms – for any given configuration issue there may be one or more ways to implement the desired result
• References – pointers to the specific sections of the documents or tools in which the configuration issue is described in detail
 
Currently, CCE is focused solely on software-based configurations. Recommendations for hardware and/or physical configurations are not supported. Refer to the CCE List for more information.
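As an added illustration (not part of the original post or of MITRE's material), the Python below shows the CVE Identifier format described above being used as the join key across two constructed tool reports, and checks the trailing digit of a CCE Identifier; the tool names and CVE-2099-* values are placeholders, and the Luhn check-digit rule for CCE IDs is an assumption the page does not state, though its example CCE-2715-1 is consistent with it.

```python
import re
from collections import defaultdict

# CVE-YYYY-NNNN with four or more sequence digits (the four-digit limit was
# lifted in 2014); the page's own example CVE-1999-0067 fits either way.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
CCE_RE = re.compile(r"CCE-(\d+)-(\d)", re.IGNORECASE)


def extract_cves(text):
    """Return the normalised CVE Identifiers mentioned in a report."""
    return {f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)}


def correlate(reports):
    """Map each CVE Identifier to the tools that reported it.

    reports: {tool_name: report_text}. One name for one vulnerability makes
    the CVE ID the join key across otherwise unrelated tools and databases.
    """
    seen = defaultdict(set)
    for tool, text in reports.items():
        for cve in extract_cves(text):
            seen[cve].add(tool)
    return dict(seen)


def cce_check_digit_ok(cce_id):
    """Check a CCE ID's trailing digit with the Luhn (mod 10) rule.

    Assumption: CCE IDs end in a Luhn check digit. The page does not say
    so, but its example CCE-2715-1 is consistent with the rule.
    """
    m = CCE_RE.fullmatch(cce_id)
    if not m:
        return False
    total = int(m.group(2))
    for i, ch in enumerate(reversed(m.group(1))):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # double every 2nd digit
        total += d - 9 if d > 9 else d
    return total % 10 == 0


# Constructed sample reports from two hypothetical tools; CVE-2099-* are
# placeholder IDs, CVE-1999-0067 is the page's own example.
SAMPLE_REPORTS = {
    "scanner-a": "web01: phf CGI present, see cve-1999-0067; also CVE-2099-0002",
    "scanner-b": "web01 vulnerable: CVE-1999-0067 (phf). Low: CVE-2099-0001",
}
```

Running `correlate(SAMPLE_REPORTS)` shows the two reports agreeing on CVE-1999-0067 regardless of how each tool spelled or described it.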
 
Read more about CCE here
There are two easy ways to configure a system!
Everything open and everything closed.
Everything else is more or less complex.

Start Turfing ! http://scforum.info/index.php/topic,8405.msg21475.html#msg21475

Samker's Computer Forum - SCforum.info


Pez

Re: CVE (Common Vulnerability and Exposures) list and explanation
« Reply #1 on: 18. April 2012., 09:54:03 »
Perhaps this topic would be something to nail to the top for easy access and use? ;)

Samker

Re: CVE (Common Vulnerability and Exposures) list and explanation
« Reply #2 on: 18. April 2012., 21:24:24 »
Perhaps this topic would be something to nail to the top for easy access and use? ;)

"Sticked" in to "Latest Security News & Alerts" area.  ;)


Annarose

Re: CVE (Common Vulnerability and Exposures) list and explanation
« Reply #3 on: 22. June 2022., 11:10:59 »
Thank you for sharing a very meaningful article, I think it will be very helpful for me and everyone. Play  mahjong online free

anna

Re: CVE (Common Vulnerability and Exposures) list and explanation
« Reply #4 on: 10. August 2022., 05:56:46 »
rocket bot royale Thank you for producing such a fascinating essay on this subject. This has sparked a lot of thought in me, and I'm looking forward to reading more.
