- CVE and CVSS Briefing
CVE and CVSS Briefing
Common Vulnerabilities and Exposures
Common Vulnerabilities and Exposures, commonly known as CVEs, are recorded information and security issues that aim to create an easily accessible list of security threats for professionals. It's sponsored by the United States Department of Homeland Security, with the intent of beign readily available for security administrators who need information about specific security threats.
Assembling all of this information into one, trustworthy, organized place does a tremendous service to security experts, making the task of solving most security issues much less burdensome. CVE defines a vulnerability as "a mistake in software code that provides an attack with direct access to a system or network." Vulnerabilities create the possibility for an attacker to illegitimately gain access to a given system. Successful implementation of these vulnerabilities could result in damaged equipment, unwanted access privileges, or tampered data. The potential implications of this, depending on the targeted system, include damaged customer trust, financial loss, even loss of life.
Common Vulnerability Scoring System
The Common Vulnerability Scoring System is commonly known as CVSS. It's a free service that evaluates the severity of a given vulnerability, by assigning different categorical severity scores to vulnerabilities. The Base, Temporal and Environmental score categories range in ranking from 0 to 10. The combination of these scores create the CVSS score. Base Score considers factors like user interaction and attack complexity. Temporal score considers remediation level and exploitability. Environment score considers exploit availability and environment controls. When calculating these scores, the base score affects the temporal score, and both influence the calculation of the environmental score.
An example of the usefulness of CVEs and CVSSs when evaluating the security of a program are Symantec and Norton Antivirus. Their software is installed on high-level business and governmental machines, meaning updates must be approved and processed before being pushed to these devices. The ramifications of this implies that the described vulnerable software is still in widespread use on machines today.
Symantec Antivirus in 2016 alone had the following vulnerabilities:
- CVE-2016-2207 (CVSS v3 Base Score: 8.4) - Symantec Antivirus multiple remote memory corruption unpacking RAR
- CVE-2016-2208 (CVSS v3 Base Score: 9.1) - Symantec antivirus products use common unpackers to extract malware binaries when scanning a system. A heap overflow vulnerability in the ASPack unpacker could allow an unauthenticated remote attacker to gain root privileges on Linux or OSX platforms. The vulnerability can be triggered remotely using a malicious file (via email or link) with no user interaction.
- CVE-2016-2209 (CVSS v3 Base Score: 7.3) - Symantec: PowerPoint misaligned stream-cache remote stack buffer overflow
- CVE-2016-2210 (CVSS v3 Base Score: 7.3) - Symantec: Remote Stack Buffer Overflow in dec2lha library
- CVE-2016-2211 (CVSS v3 Base Score: 7.8) - Symantec: Antivirus remote memory corruption unpacking MSPACK Archives
- CVE-2016-3644 (CVSS v3 Base Score: 8.4) - Symantec: Heap overflow modifying MIME messages
- CVE-2016-3545 (CVSS v3 Base Score: 5.3) - Symantec: Integer Overflow in TNEF decoder
- CVE-2016-3646 (CVSS v4 Base Score: 8.4) - Symantec: missing bounds checks in dec2zip ALPkOldFormatDecompressor::UnShrink
In summary, these are very powerful tools, both for attackers and defenders. Anyone with knowledge of a systems's running software can take full advantage of CVE's repository of knowledge to target and carry out desired attacks or mitigations depending on the severity of the CVSS score.
- Acunetix. “Better Scan Results with CVSS, CVE and CWE.” Acunetix, 27 May 2014,
- Amdekar, Aniket. “Introduction to Common Vulnerability Scoring System.” Symantec, 24 May 2012,
- Cisco. “Common Vulnerability Scoring System Q & A.” Cisco, 6 Feb. 2017,
- “Common Vulnerabilities and Exposures.” CVE - About CVE, 14 Sept. 2017,
- “Common Vulnerability Scoring System (CVSS).” IBM Knowledge Center, IBM,
- “Current CVSS Score Distribution For All Vulnerabilities.” CVE Security Vulnerability Database.
Security Vulnerabilities, Exploits, References and More,
- CVE Details. “Current CVSS Score Distribution For All Vulnerabilities.” Number Of Security
Vulnerabilities By CVSS Scores,
- “CVS : Security Vulnerabilities.” CVS : Security Vulnerabilities,
- Czagan, Dawid. “Common Vulnerability Scoring System.” InfoSec Resources, 12 July 2013,
- Dominguez, Jordan. “Malware Analysis: Moving Beyond the CVSS Score.” Nopsec, 17 May 2016,
- Kidron, Marina. “CVSS V3: What's in a Name?” Skybox Security Blog, Skybox Security, 6 Aug. 2015,
- Leonhard, Woody. “More June Security Patch Bugs: You Can Patch an IE Flaw, CVE-2017-8529, or
Print inside IFrames-but Not Both.” Computerworld, Computerworld, 19 July 2017,
- Osborne, Charlie. “CVSS Scores Are Not Enough for Modern Cybersecurity Defense.” ZDNet, ZDNet, 7
- Red Hat. “Severity Ratings.” Red Hat Customer Portal, Red Hat,
- Rosand, Eric, and Andrew Glazzard. “Is It All Over for CVE?” Lawfare, 11 June 2017,
- Rouse, Margaret. “What Is Common Vulnerabilities and Exposures (CVE)? - Definition from
WhatIs.com.” Tech Target, Apr. 2015,
- Roytman, Michael. “What You Miss When You Rely on CVSS Scores.” Kenna Blog, Kenna Security, 26
- Scarfone, Karen. “Frequently Asked Questions.” FIRST - Forum of Incident Response and Security
- Department of Homeland Security. “Symantec and Norton Security Porducts Contain Criticacl
Vulnerabilities” US-CERT United States Computer Emergency Readiness Team,
- Toomey, Patrick. “CVSS – Vulnerability Scoring Gone Wrong.” Neohapsis Labs, 25 Apr. 2012,
- Zorz, Zeljka. “Infosec Pros Point at Problem with CVE System, Offer Alternative.” Help Net Security, 11 Mar. 2016,