Assigning a CVE ID to Zero-Day Vulnerability

Whenever finding a new vulnerability in a software product, it's advisable that a researcher first notifies the company responsible for the product and gives them time to fix the identified vulnerabilities. I've found multiple vulnerabilities in Pfsense firewall and reported them to the Pfsense security team. They were very pleased and helpful regarding the newly found vulnerabilities and they fixed them in less than a week. I have to say that I was positively surprised about vulnerabilities being fixed so quickly, because it's often the case that a few months pass before anybody even takes a look at the security report.

Requesting a Vulnerability

After the company responsible fixes the found vulnerabilities, a researcher can request a CVE ID for the newly found vulnerabilities, if the party responsible didn't already do that. The very first thing a researcher has to do is to visit cve.mitre.org to read the descriptive process of requesting a CVE ID for newly found vulnerability.

On the same page, we can also observe the information about a PGP key, which can be used to encrypt or sign the email message.

cve1

In order to search for that key, we have to go to http://http-keys.gnupg.net/ and input 0xAF9AF9AC into the input box, which will present us with the result as shown below.

cve2

Next, we can import the key into our keystore by running the “gpg –search-keys” command, which will give us an option of importing the key if found.

# gpg --search-keys 0xAF9AF9AC
gpg: searching for "0xAF9AF9AC" from hkp server keys.gnupg.net
(1) MITRE CVE Numbering Authority <cve-assign@mitre.org>
2048 bit RSA key AF9AF9AC, created: 2013-08-19
Keys 1-1 of 1 for "0xAF9AF9AC". Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key AF9AF9AC from hkp server keys.gnupg.net
gpg: key AF9AF9AC: public key "MITRE CVE Numbering Authority
<cve-assign@mitre.org>" imported
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 6 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 6u
gpg: next trustdb check due at 2033-10-29
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

To verify whether the key has been successfully imported, we can use the “gpg –list-keys” command as shown below. We can see that the key was updated in September 2013, which is consistent with the informative message from the web page.

# gpg --list-keys
/home/user/.gnupg/pubring.gpg
--------------------------------
pub 2048R/AF9AF9AC 2013-08-19 [expires: 2015-08-19]
uid MITRE CVE Numbering Authority <cve-assign@mitre.org>
sub 2048R/C3DE9A01 2013-08-19 [expires: 2015-08-19]

After the key has been imported, we can send an encrypted/signed email to the Mitre corporation notifying them about the found vulnerabilities. Typically a set of distinct findings (different security vulnerabilities) can be combined into a smaller set of CVE Ids. The two main factors that would require separate CVE Ids are the following:

1. Different Vulnerability Types: when different vulnerabilities are found, a separate CVE ID is assigned to each of them.

2. Different Affected Versions: when two similar vulnerabilities that would normally be grouped in a single CVE ID are found in different product versions, they are each given their own CVE ID.

Whenever reporting a vulnerability it's advised that you provide a vulnerability description somewhere on the internet. In some cases, the company responsible for the product will do that for you, like the Pfsense security team did for me here. After the Mitre corporation studies the vulnerabilities, they will respond with appropriate CVE IDs assigned to each of the vulnerabilities – most probably, some vulnerabilities will be grouped together into a single CVE ID.

Conclusion

After finding a security vulnerability in arbitrary product, it's responsible to disclose the vulnerability to the company responsible for that product. After the vulnerability gets fixed and a patch released, a security researcher can disclose the vulnerability details and requests the CVE IDs, which uniquely identify the vulnerabilities.

When looking for security vulnerabilities in Pfsense firewall, I've found a few vulnerabilities for which I received 10 CVE ID. I hope when finding new vulnerabilities in software products, you'll do the responsible thing and report the vulnerability to the responsible party to give them time to fix the vulnerability prior to releasing it on the internet.

Comments