KEMBAR78
How to assign a CVE to yourself? | PPTX
RC
Uploaded byRamin Farajpour Cami
PPTX, PDF191 views

How to assign a CVE to yourself?

This document discusses Common Vulnerabilities and Exposures (CVE), which is a list of publicly disclosed computer security flaws identified by CVE IDs. It describes how CVE IDs are assigned by MITRE and partner organizations to vulnerabilities to help coordinate security efforts. The document also provides information on how individuals can request CVE IDs and outlines the goal of the CVE system to help address vulnerabilities in software and products.

Download to read offline
Whoami? • Security Researcher • Google, Apple, Twitter, Yahoo, Ebay, BlackBery, ... • Vulnerability Researcher at RavinAcademy • Open Source Contribute • Django, Wget, OpenConnect, libssh, ... • Windows/Linux System Programmer with Clang 2 • Twitter : @MF4rr3ll • Github : @raminfp
What is a CVE? 3 • CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw that's been assigned a CVE ID number • Security advisories issued by vendors and researchers almost always mention at least one CVE ID. CVEs help IT professionals coordinate their efforts to prioritize and address these vulnerabilities to make computer systems more secure.
How does the CVE system work? 4 • CVE is overseen by the MITRE corporation with funding from the Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security. • The National Vulnerability Database (NVD) is a database of publicly-known security vulnerabilities, and the CVE IDs are used as globally-unique tracking numbers.
How are CVE IDs Used? 5 • The CVE dictionary is enumerated with a CVE ID. The ID has the format CVE-year-number. • CVE IDs are assigned to specific vulnerabilities that occur in software. • Why software? • When security researchers are discussing vulnerabilities in a particular version of a software product, it is much more clear to refer to the vulnerability by the CVE ID than by the name and version of the software.
CVE Range 6
First CVE 7 • First CVE in the world • ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0001 • Assigning CNA • MITRE Corporation
First CVE Microsoft 8 • First CVE : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0007
Is the CVE ID range defined for an organization? 9 • NO, • Exmaple: • CVE-2014-0001 - Buffer overflow in client/mysql.cc in Oracle MySQL • Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0001 • CVE-2015-0001 - The Windows Error Reporting (WER) component in Microsoft Windows 8, Windows 8.1 • Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0001
How are CVE IDs Assigned? 10 • MITRE is the primary maintainer of CVE,So primary assigner for CVE IDs. • MITRE has designated a small group of third party organizations as CVE Numbering Authorities (CNAs) • meaning these organizations have limited authority on assigning CVE IDs without MITRE
What’s is CNA? 11 • CVE Numbering Authorities (CNAs) are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products, • CNA Program Worldwide • There are 146 organizations from 25 countries participating as CNAs as of November 20, 2020 • List of CAN • https://cve.mitre.org/cve/request_id.html#cna_participants
12 Diagram
How can I request a CVE ID? 13 • To request a CVE ID if the vulnerability is NOT public? • Contact the vendor that provides the vulnerability product, if the vendor is a CNA. (https://cve.mitre.org/cve/cna.html) • Request a CVE directly from MITRE by submitting the formcve.(https://cveform.mitre.org/ ) • if you have trouble reaching a vendor or require other assistance in coordinating and disclosing your vulnerability, feel free to contact us (the CERT/CC) for assistance (cert@cert.org) Or https://www.kb.cert.org/vuls/report/
DEMO 14 Submit request CVE
How can I request a CVE ID? (acknowledged) 15
CVE Assigned (Response) 16
17 Request CVE Of RedHat Team (secalert@redhat.com)
Delay in update CVE List 18 • It takes 30 minutes for the update to take place when you receive the email. • https://twitter.com/CVEnew • https://github.com/CVEProject/cvelist
Goal CVE 19 • Public vulnerability of software/product • Investigate the importance of vulnerability (SCORE) • Quick update by corporate (RedHat, Suse)
CVE-2019-20839 20 • https://ubuntu.com/security/CVE-2019-20839 • https://security-tracker.debian.org/tracker/CVE-2019- 20839 • https://www.suse.com/security/cve/CVE-2019-20839/ • https://www.rapid7.com/db/vulnerabilities/debian-cve- 2019-20839/ • https://access.redhat.com/security/cve/cve-2019-20839
Is each report approved for CVE? 21
Is each report approved for CVE? 22
Openwall Project 23 • Openwall GNU/*/Linux (or Owl for short) is a small security-enhanced Linux distribution for servers, appliances, and virtual appliances.
Openwall Malilist 24
Question? https://twitter.com/ravinacademy https://www.linkedin.com/company/ravin-academy/about/ https://t.me/ravinacademy info@ravinacademy.com

More Related Content

PPTX
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
byF _
 
PDF
Hiding in Plain Sight: The Danger of Known Vulnerabilities
byImperva
 
PPTX
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
byOllie Whitehouse
 
PPTX
Malware Analysis
byRamin Farajpour Cami
 
PDF
Advanced red teaming all your badges are belong to us
byPriyanka Aash
 
PDF
PROGRAMMING AND CYBER SECURITY
bySylvain Martinez
 
PPTX
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
byAlienVault
 
PPTX
Common Techniques To Identify Advanced Persistent Threat (APT)
byYuval Sinay, CISSP, C|CISO
 
Hunting The Shadows: In Depth Analysis of Escalated APT Attacks
byF _
 
Hiding in Plain Sight: The Danger of Known Vulnerabilities
byImperva
 
Introduction to Advanced Persistent Threats (APT) for Non-Security Engineers
byOllie Whitehouse
 
Malware Analysis
byRamin Farajpour Cami
 
Advanced red teaming all your badges are belong to us
byPriyanka Aash
 
PROGRAMMING AND CYBER SECURITY
bySylvain Martinez
 
How to Normalize Threat Intelligence Data from Multiple Sources - Tech Talk T...
byAlienVault
 
Common Techniques To Identify Advanced Persistent Threat (APT)
byYuval Sinay, CISSP, C|CISO
 

What's hot

PPTX
Persistence is Key: Advanced Persistent Threats
bySameer Thadani
 
PPTX
Python-Assisted Red-Teaming Operation
bySatria Ady Pradana
 
PDF
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
PPTX
Understanding advanced persistent threats (APT)
byDan Morrill
 
PDF
Security precognition chaos engineering in incident response
byPriyanka Aash
 
PPTX
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
bygrecsl
 
PDF
Breaking and entering how and why dhs conducts penetration tests
byPriyanka Aash
 
PPTX
Down The Rabbit Hole, From Networker to Security Professional
bySatria Ady Pradana
 
PPTX
Ethical Hacking Conference 2015- Building Secure Products -a perspective
byDr. Anish Cheriyan (PhD)
 
PPTX
Continuous Automated Red Teaming (CART) - Bikash Barai
byAllanGray11
 
PDF
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
byHITCON GIRLS
 
PDF
Overview of the Cyber Kill Chain [TM]
byDavid Sweigert
 
PDF
Hacking ble smartwatch
byidsecconf
 
PDF
(SACON) Wayne Tufek - chapter five - attacks
byPriyanka Aash
 
PDF
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
byHITCON GIRLS
 
PDF
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
byOWASP Delhi
 
PPT
Networking and penetration testing
byMohit Belwal
 
PPTX
What is Penetration Testing?
bybtpsec
 
PDF
Detect & Remediate Malware & Advanced Targeted Attacks
byImperva
 
PPTX
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
byLuigi Delgrosso
 
Persistence is Key: Advanced Persistent Threats
bySameer Thadani
 
Python-Assisted Red-Teaming Operation
bySatria Ady Pradana
 
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
Understanding advanced persistent threats (APT)
byDan Morrill
 
Security precognition chaos engineering in incident response
byPriyanka Aash
 
Deploying a Shadow Threat Intel Capability at CaralinaCon on March 6, 2016
bygrecsl
 
Breaking and entering how and why dhs conducts penetration tests
byPriyanka Aash
 
Down The Rabbit Hole, From Networker to Security Professional
bySatria Ady Pradana
 
Ethical Hacking Conference 2015- Building Secure Products -a perspective
byDr. Anish Cheriyan (PhD)
 
Continuous Automated Red Teaming (CART) - Bikash Barai
byAllanGray11
 
Birds of a Feather 2017: 邀請分享 Place of Attribution in Threat Intelligence - F...
byHITCON GIRLS
 
Overview of the Cyber Kill Chain [TM]
byDavid Sweigert
 
Hacking ble smartwatch
byidsecconf
 
(SACON) Wayne Tufek - chapter five - attacks
byPriyanka Aash
 
Birds of a Feather 2017: 邀請分享 Glance into the Enterprise InfoSec Field - Howard
byHITCON GIRLS
 
Getting Started With Hacking Android & iOS Apps? Tools, Techniques and resources
byOWASP Delhi
 
Networking and penetration testing
byMohit Belwal
 
What is Penetration Testing?
bybtpsec
 
Detect & Remediate Malware & Advanced Targeted Attacks
byImperva
 
IBM ridefinisce la strategia e l'approccio verso gli Avanced Persistent Threa...
byLuigi Delgrosso
 

Similar to How to assign a CVE to yourself?

PPT
Common Vulnerabilities and Exposures details
bynizlin1
 
PPSX
Ids 004 cve
byjyoti_lakhani
 
PDF
Life of a CVE
byYadnyawalkya Tale
 
PPTX
AusCERT 2016: CVE and alternatives
byDavid Jorm
 
PDF
Cve trends 20170531
byKazuki Omo
 
PPT
pptAJECGYW9qopptAJECGYW9qopptAJECGYW9qopptAJECGYW9qo.ppt
byabhimannyubanerjee
 
PPT
2.Public Vulnerability Databases
byphanleson
 
PPTX
CVE_vs_CWE_Lecture_Presentation 1234.pptx
bybilalaptech14
 
PDF
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
byCODE BLUE
 
PDF
Secure Coding and Threat Modeling
byMiriam Celi, CISSP, GISP, MSCS, MBA
 
PPTX
Classification of vulnerabilities
byMayur Mehta
 
PDF
Vulnerability Assessment Report
byHarshit Singh Bhatia
 
PDF
Security trend analysis with CVE topic models
byThomas Zimmermann
 
PDF
Vulnerability 101, presented by Adli Wahid at AFSIG 2024.
byAPNIC
 
PDF
Lab 1 4-5
byRatzman III
 
PDF
Security Vulnerabilities in Modern Operating Systems
byCisco Canada
 
PDF
Open Source Security – A vendor's perspective
byMatthew Wilkes
 
PPT
The Top 10/20 Internet Security Vulnerabilities – A Primer
byamiable_indian
 
PDF
01-Induction cybersecurity and ethical hacking.pdf
bysyedmaliedu
 
PDF
LinuxCon NA 2015:Are today's FOSS Security Practices Robust Enough in the Clo...
byThe Linux Foundation
 
Common Vulnerabilities and Exposures details
bynizlin1
 
Ids 004 cve
byjyoti_lakhani
 
Life of a CVE
byYadnyawalkya Tale
 
AusCERT 2016: CVE and alternatives
byDavid Jorm
 
Cve trends 20170531
byKazuki Omo
 
pptAJECGYW9qopptAJECGYW9qopptAJECGYW9qopptAJECGYW9qo.ppt
byabhimannyubanerjee
 
2.Public Vulnerability Databases
byphanleson
 
CVE_vs_CWE_Lecture_Presentation 1234.pptx
bybilalaptech14
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
byCODE BLUE
 
Secure Coding and Threat Modeling
byMiriam Celi, CISSP, GISP, MSCS, MBA
 
Classification of vulnerabilities
byMayur Mehta
 
Vulnerability Assessment Report
byHarshit Singh Bhatia
 
Security trend analysis with CVE topic models
byThomas Zimmermann
 
Vulnerability 101, presented by Adli Wahid at AFSIG 2024.
byAPNIC
 
Lab 1 4-5
byRatzman III
 
Security Vulnerabilities in Modern Operating Systems
byCisco Canada
 
Open Source Security – A vendor's perspective
byMatthew Wilkes
 
The Top 10/20 Internet Security Vulnerabilities – A Primer
byamiable_indian
 
01-Induction cybersecurity and ethical hacking.pdf
bysyedmaliedu
 
LinuxCon NA 2015:Are today's FOSS Security Practices Robust Enough in the Clo...
byThe Linux Foundation
 

More from Ramin Farajpour Cami

PDF
Combining AI with Red Teaming and Bug Bounty
byRamin Farajpour Cami
 
PPTX
Bug bounty
byRamin Farajpour Cami
 
PDF
Linux kernel booting
byRamin Farajpour Cami
 
PPTX
Make own you kernel os
byRamin Farajpour Cami
 
PPTX
Linux kernel system call
byRamin Farajpour Cami
 
PPTX
Linux kernel development
byRamin Farajpour Cami
 
Combining AI with Red Teaming and Bug Bounty
byRamin Farajpour Cami
 
Bug bounty
byRamin Farajpour Cami
 
Linux kernel booting
byRamin Farajpour Cami
 
Make own you kernel os
byRamin Farajpour Cami
 
Linux kernel system call
byRamin Farajpour Cami
 
Linux kernel development
byRamin Farajpour Cami
 

Recently uploaded

PPTX
Top Trends in Kubernetes Security: TalosCon 2025
byCheryl Hung
 
PDF
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
PDF
Data Structure - 12 Graph
byAndiNurkholis1
 
PPTX
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
 
PDF
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
PDF
The Journey Is The Reward - Apple Maps Travel Companion
byJohn Andrews
 
PPTX
"The Art of Web Scraping: Tree Algorithms and JS Magic", Dmytro Tarasenko
byFwdays
 
PDF
Unlocking Full-Stack Observability for AIOps: A Precisely Ironstream for Big ...
byPrecisely
 
PDF
UiPath DevConnect 2025: Introduction to Agentic Automation
byDianaGray10
 
PDF
What is Google Cloud Platform (GCP)? A 5-Minute Guide for Beginners (2025)
byTeleglobal International
 
PDF
Planetek Italia Corporate Profile brochure
byPlanetek Italia Srl
 
PPTX
Agentic AI Solutions and Services | Aeologic
byankitaeologic
 
PDF
KV Caching Strategies for Latency-Critical LLM Applications by John Thomson
byScyllaDB
 
PDF
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
PDF
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
PDF
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
PDF
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
PDF
From Bots to Brains: Getting Started with Agentic Automation in UiPath
byUiPathCommunity
 
PDF
NSSHOEU-J 4x35mm² Cable Specification.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
PDF
Getting the Best of TrueDEM – October News & Updates
bypanagenda
 
Top Trends in Kubernetes Security: TalosCon 2025
byCheryl Hung
 
How to Measure Microsoft 365 Copilot Success and Manage AI Risk: Advanced Str...
byNikki Chapple
 
Data Structure - 12 Graph
byAndiNurkholis1
 
"Daily workflows with Cursor IDE", Maksym Anisimov
byFwdays
 
Session 2 - Agentic Orchestration with UiPath Maestro
byDianaGray10
 
The Journey Is The Reward - Apple Maps Travel Companion
byJohn Andrews
 
"The Art of Web Scraping: Tree Algorithms and JS Magic", Dmytro Tarasenko
byFwdays
 
Unlocking Full-Stack Observability for AIOps: A Precisely Ironstream for Big ...
byPrecisely
 
UiPath DevConnect 2025: Introduction to Agentic Automation
byDianaGray10
 
What is Google Cloud Platform (GCP)? A 5-Minute Guide for Beginners (2025)
byTeleglobal International
 
Planetek Italia Corporate Profile brochure
byPlanetek Italia Srl
 
Agentic AI Solutions and Services | Aeologic
byankitaeologic
 
KV Caching Strategies for Latency-Critical LLM Applications by John Thomson
byScyllaDB
 
A 4-Terminal Approach to Validating Charge Conservation in MOSFET Compact Models
byEalwan Lee
 
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
Application Monitoring and Observability: Elastic Stack Solution for Producti...
byPattabhi Amperayani
 
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
From Bots to Brains: Getting Started with Agentic Automation in UiPath
byUiPathCommunity
 
NSSHOEU-J 4x35mm² Cable Specification.pdf
byAnhui Feichun Special Cable Co., Ltd.
 
Getting the Best of TrueDEM – October News & Updates
bypanagenda
 

How to assign a CVE to yourself?

  • 2.
    Whoami? • Security Researcher •Google, Apple, Twitter, Yahoo, Ebay, BlackBery, ... • Vulnerability Researcher at RavinAcademy • Open Source Contribute • Django, Wget, OpenConnect, libssh, ... • Windows/Linux System Programmer with Clang 2 • Twitter : @MF4rr3ll • Github : @raminfp
  • 3.
    What is aCVE? 3 • CVE, short for Common Vulnerabilities and Exposures, is a list of publicly disclosed computer security flaws. When someone refers to a CVE, they mean a security flaw that's been assigned a CVE ID number • Security advisories issued by vendors and researchers almost always mention at least one CVE ID. CVEs help IT professionals coordinate their efforts to prioritize and address these vulnerabilities to make computer systems more secure.
  • 4.
    How does theCVE system work? 4 • CVE is overseen by the MITRE corporation with funding from the Cybersecurity and Infrastructure Security Agency, part of the U.S. Department of Homeland Security. • The National Vulnerability Database (NVD) is a database of publicly-known security vulnerabilities, and the CVE IDs are used as globally-unique tracking numbers.
  • 5.
    How are CVEIDs Used? 5 • The CVE dictionary is enumerated with a CVE ID. The ID has the format CVE-year-number. • CVE IDs are assigned to specific vulnerabilities that occur in software. • Why software? • When security researchers are discussing vulnerabilities in a particular version of a software product, it is much more clear to refer to the vulnerability by the CVE ID than by the name and version of the software.
  • 6.
  • 7.
    First CVE 7 • FirstCVE in the world • ip_input.c in BSD-derived TCP/IP implementations allows remote attackers to cause a denial of service (crash or hang) via crafted packets • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0001 • Assigning CNA • MITRE Corporation
  • 8.
    First CVE Microsoft 8 •First CVE : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0007
  • 9.
    Is the CVEID range defined for an organization? 9 • NO, • Exmaple: • CVE-2014-0001 - Buffer overflow in client/mysql.cc in Oracle MySQL • Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0001 • CVE-2015-0001 - The Windows Error Reporting (WER) component in Microsoft Windows 8, Windows 8.1 • Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0001
  • 10.
    How are CVEIDs Assigned? 10 • MITRE is the primary maintainer of CVE,So primary assigner for CVE IDs. • MITRE has designated a small group of third party organizations as CVE Numbering Authorities (CNAs) • meaning these organizations have limited authority on assigning CVE IDs without MITRE
  • 11.
    What’s is CNA? 11 •CVE Numbering Authorities (CNAs) are organizations from around the world that are authorized to assign CVE IDs to vulnerabilities affecting products, • CNA Program Worldwide • There are 146 organizations from 25 countries participating as CNAs as of November 20, 2020 • List of CAN • https://cve.mitre.org/cve/request_id.html#cna_participants
  • 12.
  • 13.
    How can Irequest a CVE ID? 13 • To request a CVE ID if the vulnerability is NOT public? • Contact the vendor that provides the vulnerability product, if the vendor is a CNA. (https://cve.mitre.org/cve/cna.html) • Request a CVE directly from MITRE by submitting the formcve.(https://cveform.mitre.org/ ) • if you have trouble reaching a vendor or require other assistance in coordinating and disclosing your vulnerability, feel free to contact us (the CERT/CC) for assistance (cert@cert.org) Or https://www.kb.cert.org/vuls/report/
  • 14.
  • 15.
    How can Irequest a CVE ID? (acknowledged) 15
  • 16.
  • 17.
    17 Request CVE OfRedHat Team (secalert@redhat.com)
  • 18.
    Delay in updateCVE List 18 • It takes 30 minutes for the update to take place when you receive the email. • https://twitter.com/CVEnew • https://github.com/CVEProject/cvelist
  • 19.
    Goal CVE 19 • Publicvulnerability of software/product • Investigate the importance of vulnerability (SCORE) • Quick update by corporate (RedHat, Suse)
  • 20.
    CVE-2019-20839 20 • https://ubuntu.com/security/CVE-2019-20839 • https://security-tracker.debian.org/tracker/CVE-2019- 20839 •https://www.suse.com/security/cve/CVE-2019-20839/ • https://www.rapid7.com/db/vulnerabilities/debian-cve- 2019-20839/ • https://access.redhat.com/security/cve/cve-2019-20839
  • 21.
    Is each reportapproved for CVE? 21
  • 22.
    Is each reportapproved for CVE? 22
  • 23.
    Openwall Project 23 • OpenwallGNU/*/Linux (or Owl for short) is a small security-enhanced Linux distribution for servers, appliances, and virtual appliances.
  • 24.
  • 25.