CVE In 5 mins – Hands on Guide

By January 9, 2020 CVE

Hello Guys, this blog post is to share my experience about my recent talk on “CVE in 5mins” at Null Bhopal. In this talk, I have tried to break the myth associated with CVE. I used to wonder how to get a CVE? There is always a “WoW” factory associated with it. In this blog, I am going to explain how easy it is to get CVE and get it registered under your name. This blog is based on my personal experience. One day while surfing Twitter, I saw a post on someone posting about a CVE they received. I started looking for a product where I could try hunting such that I could get a CVE for me. On twitter I saw someone posting about Dolibarr CRM. I gave a shot to this and started testing with a simple XSS payload. To my luck I was able to find 4 XSS’s within an hour and thus registered 4 CVE under my name.  At the end of this blog, I did write some of my personal tricks which could be very useful for obtaining a CVE Number.

Let’s start by understanding the difference between CVE and CWE.

MITRE is a government-funded organization that puts out standards to be used by the information security community. Two of the most popular of these are CWE and CVE, and they’re often confused by security practitioners. Here’s a simple distinction:

CWE stands for Common Weakness Enumeration, and has to do with the vulnerability—not the instance within a product or system.
CVE stands for Common Vulnerabilities and Exposures, and has to do with the specific instance within a product or system—not the underlying flaw.

Let’s quickly understand CVE is NOT:

A Vulnerability Mitigation
– CVE Id’s uniquely define vulnerabilities, so that mitigations can be efficiently applied.
A Vulnerability Database
– CVE allows Vulnerability Databases to be linked together under commonly used Id’s
A source for Vulnerability Risk, Impact, Fix, or Technical information
– Each CVE contains a Unique Id, Description, and References
A tool for Publicly disclosing Vulnerabilities
– CVE uses publicly disclosed Vulnerability Information as its source of Information

CVE is formatted as:

CVE-YYYY-NNNN
YYYY = Year the Vulnerability was made public
NNNN = Arbitrary Digits (can be 4,5,6 digits)

How to get a CVE?

Now let’s dive into the fun part and understand how to get a CVE registered under your Name. So, go through the steps closely to understand the working of it.

CVE Recipe:

• Find the Product:

The first and most important step is to find the right product. Ease of getting a CVE will totally depend on the type of product you choose and the type of knowledge you own in the InfoSec domain. These are some methods which I follow personally.

• NVD CVE listing page: https://nvd.nist.gov/vuln/full-listing
• Twitter account to look at http://twitter.com/threatmeter . The account uses a bot to dynamically update the latest CVE on the public database. While browsing through the tweets look out for the issue or the product which interests you the most. While reading the tweets from this account I stumbled upon a tweet which was an issue based on a CRM based Web Application. Hence, I chose this as my target.

• Check CVE Listing (Optional):

It is always good to look if the product has an existing CVE page or not. It’s a great sign to know if the security team backing that product really do care for security. Having a CVE page makes the process easy and faster.

• Find a Bug:

Go ahead and invest some time to find a bug. Depending on the product it can be as easy as solving BWAPP or DVWA.

• Report to Vendor:

Before you report please check if a CVE Id already exists for that bug or not. Once it’s confirmed that you got a new bug, start looking for their security email or any other kind of online form they could have for reporting a security issue. If the above options fail, it’s better to send the report on their Support Email and wait for a few days. If you don’t get a revert from the team, you create an issue on their GitHub page.
For to create an Issue on GitHub, head to their public repository and click the issues tab. On opening that, click on the New Issue button to file an issue. Add header as [bug] or [security] along with the title which would make the company easy to fix things on a priority basis.

Reporting Template

Description: XXX
Environment:
• Version:
• OS:
• Web server:
• PHP:
• Database:
• URL(s):
Payload: XXX
Steps to Reproduce: XXX

• Apply for CVE:

Once the vendor confirms the vulnerability you can go ahead and apply for CVE ID. Once you apply MITRE will send you a mail in a few days with reserved CVE ID. With this ID, you have to make a public disclosure of the bug (either your blog or even a GitHub repository or anywhere which can be publicly referenced by everyone). Once this is up the CVE ID will be published publicly.

• Create a public report:

Now if you have created an issue on GitHub. You can directly give that link to MITRE. If not create a public report without including Step to reproduce or any details so that attacker can easily reproduce that vulnerability. You can get a reference from https://verneet.com/publications/

Reporting Template

Description: XXX
CVE ID: XXX
Date of Disclosure: XXX
Vendor, Product –  XXX
Affected Product: XXX
Severity Rating: XXX
POC: XXX
Credit: XXX

• Send publication to MITRE:

Now simply send the public report to MITRE.

• Relax and enjoy your CVE

In few days that pending CVE number will get allocated to you and displayed publicly.

Tips:

There are some easy products you can try. They also have a very responsive security team:
• Dolibarr
• EspoCRM
• Vtiger CRM

Resource:

Null Talk PPT: https://null.co.in/event_sessions/2887-cve-in-5-mins
Learn more on CVE: https://cve.mitre.org/CVEIDsAndHowToGetThem.pdf

 

Thank you for reading my blog. If you have any queries please do comment below. Special thanks to Gaurav Narwani for helping out. He writes some awesome content go ahead and check @ https://gauravnarwani.com

//err0rr

Leave a Reply