
The LockDown Blog


~ Angela Payton, Securista


Lesson for Today: CVEs

March 06, 2024 · 2 min read

What are CVEs?

CVE stands for Common Vulnerabilities and Exposures.

NVD stands for National Vulnerability Database.

Currently, there are over 200,000 CVE records available in the NVD.

CVEs are given a rating using the Common Vulnerability Scoring System (CVSS). The base score is composed of six metrics, which together yield a severity score from 0 to 10. These metrics are:

  • Access vector – How the vulnerability can be exploited (e.g., locally or remotely). Remote exploitation scores higher.

  • Attack complexity – How difficult the vulnerability is to exploit. The more difficult, the lower the score.

  • Authentication – How many times an attacker must authenticate to exploit the vulnerability. The more authentication required, the lower the score.

  • Confidentiality – How much sensitive data an attacker can access after exploiting the vulnerability. The more data accessible, the higher the score.

  • Integrity – How much data, and how many files, can be modified as a result of exploiting the vulnerability. The more that can be modified, the higher the score.

  • Availability – How much damage exploiting the vulnerability does to the target system (e.g., reduced performance or functionality). The more damage, the higher the score.

For the most dangerous CVEs, the metric that matters most is often not the CVSS score but how commonly the CVE has been exploited, or whether it has been seen “in the wild”, meaning the exploit was used before patches could be applied. Remember, most zero-day CVEs are caught before they're ever deployed to the public.

Because vulnerabilities have been exploited in the wild, the Cybersecurity and Infrastructure Security Agency (CISA) now maintains a Known Exploited Vulnerabilities (KEV) catalog. The KEV catalog currently contains over 800 entries.

Why are they important?

CVEs are not malicious code created by bad actors.

CVEs are vulnerabilities within legitimate code used in computing software of any kind. Often, CVEs occur in source code or in the fundamental building blocks that other code is built on.

The two most recent CVEs that ranked high on the NVD scale were CVE-2023-4863 and CVE-2023-44487.

CVE-2023-4863: Heap buffer overflow in libwebp in Google Chrome prior to 116.0.5845.187 and libwebp 1.3.2 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

and

CVE-2023-44487: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly.

While patching has been ongoing, it could take years for all the patching work to be completed.


Ange "Gos" Payton

The Securista - Online Cybersecurity DefendHer for the Kickass Woman Entrepreneur
