Headline
Security Update Guide Supports CVEs Assigned by Industry Partners
Hi Folks, This month we are introducing a new data element for each CVE in the Security Update Guide, called Assigning CNA. First let me back up a bit and give some information about the CVE program. The purpose of a CVE is to uniquely identify a cybersecurity vulnerability. The CVE program was started back in 1999 and is funded by the US federal government, currently out of the Cybersecurity and Infrastructure Security Agency (CISA).
Hi Folks,
This month we are introducing a new data element for each CVE in the Security Update Guide, called Assigning CNA.
First let me back up a bit and give some information about the CVE program. The purpose of a CVE is to uniquely identify a cybersecurity vulnerability. The CVE program was started back in 1999 and is funded by the US federal government, currently out of the Cybersecurity and Infrastructure Security Agency (CISA). The MITRE Corporation is paid by CISA to administer the program. There is a board which consists of numerous cybersecurity-related organizations, including commercial security tool vendors, academia, research institutions, government departments and agencies, and other security experts, as well as end users of vulnerability information. Through open and collaborative discussions, the Board provides critical input regarding the data sources, product coverage, coverage goals, operating structure, and strategic direction of the CVE Program. Also, companies and agencies that designate vulnerabilities with CVEs can become a CVE Numbering Authority (CNA) which means that they are authorized to assign CVE IDs to vulnerabilities which are in their scope. Currently there are 151 CNAs from 25 different countries. You can read all of this information and more here: CVE - Home (mitre.org).
Microsoft has been an active participant in the CVE program since its inception, and became a CNA at the earliest opportunity. The first Microsoft CVE was CVE-1999-0007. Over the life of the program, we’ve issued over 7000 CVEs. More than half of those CVEs have been issued since the Security Update Guide was launched in 2016. This growth has fueled the requirements for the Guide and the API to allow our customers to digest the CVE information in a much more structured way.
Fast forward two decades and my, how the world has changed. The use of Open Source Software (OSS) has become ubiquitous. The days of closed, single source proprietary products are really behind us now. This can make the job of ensuring that vulnerabilities are patched in a complex enterprise environment quite challenging. It is with this thought in mind that we are introducing this new Assigning CNA field. We will use this field if a vulnerability has been identified and addressed in an Open Source Library that is bundled in a Microsoft product.
We have an example of such a third-party CVE in this month’s set of CVEs. CVE-2020-26870 documents a vulnerability in Cure53 DOMPurify which is open source software used by Visual Studio. The Assigning CNA for this was MITRE Corporation. After publishing a third-party CVE such as this one we will add a link to our documentation in the References section of that CVEin the official CVE List.
See previous blog about using the Security Update Guide here
In the Security Update Guide, you can see this Assigning CNA field on the CVE detail page as well as select it for viewing on the Vulnerabilities tab.
See more information about the Vulnerabilities Tab here
We will assign CVSS scores to these CVEs. An interesting thing to note about documenting a CVSS score for an OSS vulnerability: one implementation using an OSS library with a vulnerability may manifest a different score than others. For this reason, the score documented by NIST for a vulnerability like this may differ from a score that we will assign as the code is used by Visual Studio. If there is interest, we could expand on this in a future blog.
We will use this new Assigning CNA feature to identify other types of CVEs in a more transparent way as well. Many of you might be familiar with the advisory ADV200002 which we use to document vulnerabilities that Chrome has identified and removed in the open source Chromium software. With this new capability we will add those CVEs to the Security Update Guide directly and the Assigning CNA for them will be Chrome.
For those of you using the API, the Assigning CNA information is also included in the API. The Assigning CNA information is in the Notes section as Type 8.
CVRF Mindmap 1.1 Snippet
We hope that the addition of the Assigning CNA feature will help you in your risk analysis and vulnerability management.
Lisa Olson, Senior Security Program Manager, Microsoft Security Response Center
Related news
No exception handling vulnerability which revealed sensitive or excessive information to users.
Wyse Management Suite 3.8 and below contain an improper access control vulnerability. A authenticated malicious admin user can edit general client policy for which the user is not authorized.
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Library). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically i...