CVE and CVSS are two of the most commonly misunderstood terms in patching. In this article, we explore the differences between them and show how they affect your patching strategy. Although many IT managers are familiar with the terms CVE and CVSS, some IT professionals still don't understand the difference between them. CVE and CVSS are closely tied to software vulnerabilities, patching and operating systems.
CVE stands for Common Vulnerabilities and Exposures. It is a unique identifier used by vendors such as Adobe, Microsoft and others to catalog individual security vulnerabilities for which patches are provided as a resolution. By analogy, every page of a book has a distinct number, which lets you find the information on a given page quickly.
Generally, all CVE numbers appear in the form CVE-nnnn-nnnn (the year the identifier was assigned, followed by a sequence number), which leaves room for millions of vulnerabilities. Since CVE numbering is not owned by any single software vendor, customers can be assured of impartial coverage: it is an independent and unbiased database in which all vendors publish their vulnerabilities.
It also means that vendors must publish transparent content to this database, which gives some assurance of data accuracy. Every company that wants to publish its own vulnerability announcements must first become a CNA (CVE Numbering Authority) before its participation is considered dependable.
Vendors include the necessary and relevant information in each CVE record. For instance:
The CVSS (Common Vulnerability Scoring System) is an independently assigned score, based on several factors, that indicates how important a vulnerability is. To put CVSS scores in context, we will look at how Microsoft rates its own vulnerabilities.
Microsoft Rating System:
Note: Microsoft's approach self-certifies vulnerabilities in its own products.
Generating a CVSS score is complex; it takes the following key questions into consideration:
Each of the above factors (and others) is arranged into subscores that are combined. The resulting CVSS score is expressed out of 10. Industry professionals consider this a good way to decide how quickly you must act if any of these vulnerabilities exist in your environment.
CVSS score to severity rating:
None: 0.0
Low: 0.1-3.9
Medium: 4.0-6.9
High: 7.0-8.9
Critical: 9.0-10.0
If a vulnerability is detected and left unpatched, there is a high risk that attackers will exploit it. Attacks against known vulnerabilities spike within hours and days after patches are released, so it is important to know how severe the vulnerability is.
Treat vendor vulnerability scores with caution and look for independently assessed ratings such as the Common Vulnerability Scoring System (CVSS). Every month, NIST/US-CERT uses CVSS to rate most patch updates on the day they are released, which gives a good indication of the risk level a particular vulnerability poses to your business.
Downtime for businesses can be costly. One common approach to patching is to reserve a dedicated downtime window each month to update systems. If a patch causes compatibility problems, systems need to be rolled back, which prolongs the downtime and can affect the business.
CVE is a term that classifies vulnerabilities. The glossary evaluates vulnerabilities and uses CVSS to analyze the threat level of each one; CVSS is most often used to rank the severity of vulnerabilities.
The CVE glossary is a project devoted to tracking and cataloging vulnerabilities in consumer hardware and software. It is maintained by the MITRE Corporation with funding from the United States Department of Homeland Security. Vulnerability information is collected and exchanged using SCAP (Security Content Automation Protocol), and each vulnerability is assigned a unique identifier.
Once evaluated and identified, vulnerabilities are listed in the publicly available MITRE glossary. After listing, vulnerabilities are analyzed by the National Institute of Standards and Technology (NIST), and all analysis information for each vulnerability is published in NIST's National Vulnerability Database (NVD).
The CVE glossary was created as a common model of communication and a source of dialogue for the tech and security industries. CVE identifiers provide standardized vulnerability information and unify communication among security experts.
CVSS is the overall score assigned to a vulnerability, while CVE is a list of all publicly disclosed vulnerabilities that includes the CVE ID, dates, comments and a description. The CVSS score is not reported in the CVE listing; you must use the NVD to find assigned CVSS scores.
The CVE list feeds into the NVD, so the two are kept synchronized. The NVD offers enhanced information beyond what is in the CVE list, including severity scores and patch availability. The NVD also provides easy-to-use tools for searching on a wide range of variables. NVD and CVE are both sponsored by the United States Government and are available for free.