Recently a news came up, that a bug hunter named Bhavuk Jain, has found a bug inside the “sign in with apple” auth request made by different third party application. This bug allowed the user’s full apple account takeover. The apple is the one of the most secured multi-national brand, and has always focused on the security of it’s users. When bhavuk found this bug and reported it to the apple, he was rewarded with a bounty of $100,000, after the bug was fixed and CVE was allocated to it.
So today’s article is gonna be about what actually are CVEs…
What is CVE & CVE identifiers?
CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this “common enumeration.”
CVE Identifiers are unique, common identifiers for publicly known information security vulnerabilities. Each CVE Identifier includes all of the following:
- CVE identifier number.
- Indication of “entry” or “candidate” status.
- Brief description of the security vulnerability or exposure.
- Any pertinent references (i.e., vulnerability reports and advisories or OVAL-ID).
- CVE Identifiers are used by information security product/service vendors and researchers as a standard method for identifying vulnerabilities and for cross-linking with other repositories that also use CVE Identifiers.
How is CVE is allocated to the vulnerability?
Now you see the process begins with the discovery of a potential security vulnerability or exposure. The information is then assigned a CVE ID by a CVE Numbering Authority (CNA), the CNA writes the Description and adds any References, and then the completed CVE Entry is posted on the CVE website by the CVE Team.
With my experience, I have noticed CVE approach is to create separate CVE Entries for independently fixable vulnerabilities, except when they are the result of a library, protocol, or standard, but some evil minds may think of it as a database to get records of previous vulnerabilities. CVE List Rules are the guidelines the CVE Program uses to ensure that CVE Entries are created in a consistent fashion, independent of which CNA is doing the creation, include the following: CVE Counting Rules, CVE Information Format, and Process to Correct Counting Issues.
Why CVEs are important?
The CVE’s main purpose is to standardize the way each known vulnerability or exposure is identified. Standard IDs allow security administrators to access technical information about a specific threat across multiple CVE-compatible information sources.
So think for a moment that we don’t have CVEs, then how are we gonna manage the vulnerability inside the systems, and more importantly how are we gonna link it to the history of patches and changes made to the service/software/site/system. Well, clearly we need CVEs as much as we want nobody to hack our systems or digital banking accounts.