How to register and publish a Common Vulnerabilities and Exposures (CVE)
Hello Hackers, I’m MrEmpy, I’m 17 years old. Welcome to my article teaching how I created a CVE.
What is a CVE?
Common Vulnerabilities and Exposures or popularly known as CVE, is a database that has several records of failures found in company products. These vulnerabilities found are assigned an ID number, for example:
CVE-YYYY-NNNN
After the word “CVE”, we have the year that the CVE was published, then the identification number that can be composed of a box of 4 to 5 numbers. With this ID we can find the description of a vulnerability that occurs in a product.
Reporting the vulnerability to the enterprise:
When I found a vulnerability in one of a company’s products, I looked for a support or security email address to report the finding. Upon finding it I went into my email box and started describing the vulnerability found.
The FLEX 1085 Web hardware is vulnerable to an HTML injection attack that allows the injection of arbitrary HTML code.
This was the description given by me about the failure, it was very simple because it was my first time reporting a security issue.
The main points of my report were summary, steps to reproduce, impact, mitigation and additional information. In the first topic I described the vulnerability, as shown in the example above. In the second topic I brought the proof of concept (PoC) demonstrating how to exploit the flaw, I created a detailed walkthrough. Third topic I described what security impact this vulnerability had on your customers. Fourth thread I commented on how the problem could be resolved, I always add this thread to help developers fix the vulnerability, the more information you are on the product, the better your comment will be. Fifth topic I add some information about used firmware version and model.
After reporting the security issue, I waited a few days for a response to my email, 30 days passed after the report and no news, another 30 days passed and no response. I follow a policy of disclosing a vulnerability after 90 days if I don’t get a response, if I get a response, I would ask the company if I could fully disclose the vulnerability or just file a CVE on the case, as I haven’t had answer after 4 months I decided to publish it.
Note: if the company had a Responsible Disclosure Program (RDP) or Vulnerability Disclosure Policy (VDP), it is mandatory to follow their policy, never do anything outside the given policy.
Disclosure:
First platform where I disclosed the vulnerability was in the Exploit Database. I wrote an email to submit@offsec.com with a template similar to the other exploits released. I sent the email on Sunday, November 21, 2022, on November 23, I received an email saying that the fault had been disclosed.
When I looked for it I saw that they had already been published. After that I looked up how to apply for a CVE, I found articles commenting on how to apply, but the first time I tried to report on cveform.mitre.org I was unsuccessful.
Applying for a CVE:
In March 2022 I found a site called VulDB, where it stored a list of security flaws, I created an account on the site and started browsing through it until I found a vulnerability submission part.
“VulDB is an authorized CNA (CVE Numbering Authorities) which is allowed to assign and disclose CVEs to all new vulnerabilities.”
This sentence caught my attention, I was still lost on the subject of requesting a CVE. As mentioned above, CVE Numbering Authorities, or CNA, is an organization that is allowed to assign CVE to vulnerabilities found. After that I started to prepare my report about the security breach and send it to them on March 5, 2022.
Check this box if you want them to add a CVE about their find.
After the vulnerability report for VulnDB, on March 13, 2022 the submission was accepted and was already public. There was not much detail in the description due to lack of information given to the organization to assemble the description.
On March 23, 2022 I received an email about the CVE requests, they asked me to confirm the CVE request. The other day after my confirmation, I received the CVE ID in another email sent by them.
On March 29th my CVE was registered in Mitre.
It was a pleasure to have achieved this goal. Hope you get your CVE too.