2024-11-11 –, WestIn - Partenkirchen
In the Information Security world, where many researchers crave to enhance their resume, the aid represented by the concepts of CVE and CVSS is paradoxally and slowly disrupting the vulnerability categorization and management process. Subject to disputed claims by the vendors and inflated severity ratings, the CVE assignment process has become a battleground for recognition, resulting in bogus submissions and unrealistic scores. That's why, for this paper, we have ironically coined the term "Mystical Vulnerabilities": security flaws that are not supposed to be so, but they get filed anyway, exploiting the lack of targeted inspection by MITRE or the NVD. This flawed system compels organizations to allocate resources based on CVE scores, and almost highlight the need for a "scoring system for the scoring system". A shift towards a more filter-oriented culture and more transparent CVE assignment practices is imperative to navigate the complexities of the arising cyber threats. This paper proposes mitigations to this problem, from a cultural change, to additional scoring systems out there for complementing and filtering CVEs, finishing with interesting clean sources and databases.
In the dynamic and ever-changing realm of Cyber Security, where both innocuous bugs and serious hidden threats keep spreading exponentially, vulnerability categorization is not a straightforward task at all. This paper will uncover the subset of vulnerabilities represented by the CVEs that defy conventional classification, and will shed light on the root causes for their generation, presenting some concrete examples, and proposing a series of aids that would avoid the security workforce and enthusiasts to fall into the trap, and would contribute to a stronger filter-oriented mindset. This paper coins the term “mystical” vulnerabilities/CVEs in order to better emphasize, on an ironic streak, the paradox represented by these occurrences that seemed outliers, but in reality they are way more than we can count, as we'll see in the next section.
To be more precise, we define as “mystical” two types of CVEs:
1) Vulnerabilities that carry disputed claims by their vendors, against the security researchers who filed them. They result in debates due to conflicting interpretations, highlighting the complexity of categorizing vulnerabilities, or even the researcher’s desire for notoriety;
2) Vulnerabilities that turn out to be rare, because of unconventional methods of exploitation, or their unpredictable impact.
At the heart of the discourse surrounding these "mystical" vulnerabilities lies the contentious process of CVE assignment. This process, intended to provide a standardized means of identifying and tracking vulnerabilities, ended up trapped in a labyrinth of conflicting interests and divergent interpretations. The CVE assignment process is fraught with challenges, coming from the lack of technical verification by the most notorious databases, like MITRE or the NVD, leading to the susceptibility of exploitation and manipulation by security researchers. To put it ironically, many Bug Bounties are becoming Beg Bounties [1], [2] seeking for recognition at all costs. Our exploration of these vulnerabilities will address the dynamics behind both definitions we gave above: one concerning the human side of the story (researchers aiming for fame, vendors struggling to dispute and protect their reputation), and the other one concerning the perplexities of the scoring system, and the need for a more nuanced approach in vulnerability assessment. As we navigate the easiness of CVEs filing, versus the complexity of proper vulnerability categorization, it becomes evident that a fundamental reevaluation of vulnerability management practices is imperative. We must transcend the limitations of current frameworks and embrace a granular approach that incorporates more solutions as filters to avoid entering the noise.
[1] https://www.troyhunt.com/beg-bounties/
[2] https://news.sophos.com/en-us/2021/02/08/have-a-domain-name-beg-bounty-hunters-may-be-on-their-way/?ref=troyhunt.com
Vulnerability, CVE, CVSS, NVD, MITRE, EPSS
Massimo is a passionate Cyber Security Analyst, currently working in the Deutsche Börse Group (Eurex Clearing) as an Associate Information Security Specialist. Previously collaborating with Kemetmueller Information Security on vulnerabilities research, their trends, and how to efficiently face the storm. In addition, he was formerly employed at the European Central Bank as an IT Security Trainee, where he took care of Vulnerability Management as well.
His approach in such a dynamic realm is complemented by a keen interest in Security Governance, IT Risk Management, and IT Compliance (especially with DORA and ISO 27001) in order to try to see the problems from a broader perspective.
His paper "Regulatory Compliance Verification: A Privacy Preserving Approach" was presented last year at the CSNet 2023 (IEEE ComSoc) conference in Montreal.
Two master's degrees in Cyber Security (ouch!) with minor in Digital Innovation & Entrepreneurship, and a lot of thirst for knowledge, desire to share, and make together the Internet a safer place!