
CNAs Intelligence

On June 2, 2021, Fluid Attacks was admitted as a CNA by Mitre.
A CVE Numbering Authority (CNA) is responsible for
assigning CVE IDs to vulnerabilities found in software.
Mitre leaves it to each CNA to determine whether
a given issue qualifies as a vulnerability. That means
that, as a CNA, we have the discretion to flag an issue as
a vulnerability based on whether it violates the
security policy of the application, whether it has a negative
impact on the product, and the product owner's own
analysis of the issue.

The other variable is the word "software". Mitre limits
the scope of CVE assignment to software that is
licensable and publicly available, whether paid or
free. Each CNA also has a defined scope. Some CNAs assign CVE
IDs only to their own products (Microsoft, Apple and Adobe,
for example).
Our scope is any software that is not already under the scope
of another CNA, which means that we cannot assign CVE IDs
to Microsoft products, for example; even so, the
universe of software that remains is huge.

Having the ability to assign CVE IDs, our Research Team
has created a Disclosure Policy
that we follow when contacting a vendor privately once we have
identified a possible vulnerability in their software.
In an ideal world, the vendor acknowledges the
vulnerabilities, creates fixes and keeps us informed during a
defined period of time, after which we publish the
vulnerability on our Advisories
page. Our disclosure process is detailed in the policy
at https://fluidattacks.com/advisories/policy/

To date, we have assigned 76 CVE IDs, but we wanted
to check our performance against similar CNAs. Let's
first look at how the information was gathered.

Gathering the data

As mentioned before, every CNA has a defined scope,
but there is additional metadata associated with each CNA,
as in this entry for Claroty:

(Figure: Claroty's CNA entry)

Mitre provides several ways to interact with its
data. Red Hat created a command-line
tool, cvelib (the cve command),
which can be used to check basic information about your CNA,
reserve CVE IDs and list the IDs published and reserved,
among other tasks.

aroldan ~  $ cve org
Fluid Attacks — Fluid Attacks
├─ Roles: CNA
├─ Created: Wed Jun  2 19:49:20 2021
└─ Modified:    Fri May  5 03:13:21 2023
aroldan ~  $ cve list | grep PUBLISHED | wc -l
      76
aroldan ~  $ cve list | head -2
CVE ID           STATE       OWNING CNA      RESERVED BY                                RESERVED ON
CVE-2022-0698    PUBLISHED   Fluid Attacks   [email protected] (Fluid Attacks)   Mon Feb 21 02:32:28 2022
aroldan ~  $ cve show CVE-2022-0698
CVE-2022-0698
├─ State:   PUBLISHED
├─ Owning CNA:  Fluid Attacks
├─ Reserved by: [email protected] (Fluid Attacks)
└─ Reserved on: Mon Feb 21 02:32:28 2022

But it only shows the CNA you authenticate as: the tool
identifies you through the organization short name, user name
and API key you configure (in cvelib, the CVE_ORG, CVE_USER and
CVE_API_KEY environment variables), so it cannot be used to
enumerate other CNAs.

Other information can be seen on the List of Partners
page on cve.org:

(Figure: List of Partners)

As can be seen, the organization type of Fluid Attacks is
Researcher.
To compare our performance with other Researcher CNAs, we
must first find the other CNAs that have the same type.
A CNA can have multiple types, as Airbus does:

(Figure: Airbus)

Airbus, for example, is both a Vendor and a Researcher,
and its scope includes Airbus products as well as
third-party software.

However, we only want to look at CNAs whose sole type is
Researcher, just like us.

The List of Partners page has a filter field, but it is not
very advanced. With some simple tools, however, we can see that
the List of Partners page is actually a client-side
application bundled into a single JS file:

(Figure: GetJS)

That JS file has little code of its own, but it embeds a
JSON document with all the CNA information:

(Figure: ParseJS1)

With some simple filters, the JSON can be extracted
from the JS. Note that the bundle name carries a build hash
(app.3611fa3b.js), so the URL changes whenever cve.org
redeploys its front end, and the grep and sed patterns depend
on the minifier's variable names (g, r.Z.use), which can change too:

aroldan ~  $ curl -s https://www.cve.org/js/app.3611fa3b.js  | grep -Eo 'g=JSON.parse\(.*\);r.Z.use' | sed -e "s/g=JSON\.parse('//g; s/');r.Z.use//g; s/<a href=\\\'//g; s/\\\' target=\\\'_blank\\\'>//g; s/\\\'//g" | json_pp
[
   {
      "CNA" : {
         "TLR" : {
            "organizationName" : "MITRE Corporation",
            "shortName" : "mitre"
         },
         "isRoot" : false,
         "roles" : [
            {
               "helpText" : "",
               "role" : "CNA"
            }
         ],
         "root" : {
            "organizationName" : "n/a",
            "shortName" : "n/a"
         },
         "type" : [
            "Vendor"
         ]
      },
      "cnaID" : "CNA-2009-0001",
      "contact" : [
         {
            "contact" : [
               {
                  "label" : "Adobe security contact page",
                  "url" : "https://helpx.adobe.com/security/alertus.html"
               }
            ],
...

With the extracted JSON, queries can be made directly.
First, let's count the CNAs:

aroldan ~  $ curl -s https://www.cve.org/js/app.3611fa3b.js  | grep -Eo 'g=JSON.parse\(.*\);r.Z.use' | sed -e "s/g=JSON\.parse('//g; s/');r.Z.use//g; s/<a href=\\\'//g; s/\\\' target=\\\'_blank\\\'>//g; s/\\\'//g" | json_pp | jq -c '.[]' | wc -l
     288
aroldan ~  $

Nice: at the time of writing, there are 288 active CNAs.

Since we can now filter on any field, let's check the
Fluid Attacks CNA metadata:

aroldan ~  $ curl -s https://www.cve.org/js/app.3611fa3b.js  | grep -Eo 'g=JSON.parse\(.*\);r.Z.use' | sed -e "s/g=JSON\.parse('//g; s/');r.Z.use//g; s/<a href=\\\'//g; s/\\\' target=\\\'_blank\\\'>//g; s/\\\'//g" | json_pp | jq '.[] | select (.organizationName == "Fluid Attacks")'
{
  "CNA": {
    "TLR": {
      "organizationName": "MITRE Corporation",
      "shortName": "mitre"
    },
    "isRoot": false,
    "roles": [
      {
        "helpText": "",
        "role": "CNA"
      }
    ],
    "root": {
      "organizationName": "n/a",
      "shortName": "n/a"
    },
    "type": [
      "Researcher"
    ]
  },
  "cnaID": "CNA-2021-0020",
  "contact": [
    {
      "contact": [],
      "email": [
        {
          "emailAddr": "[email protected]",
          "label": "Email"
        }
      ],
      "form": []
    }
  ],
  "country": "Colombia",
  "disclosurePolicy": [
    {
      "label": "Policy",
      "language": "",
      "url": "https://fluidattacks.com/advisories/policy/"
    }
  ],
  "organizationName": "Fluid Attacks",
  "resources": [],
  "scope": "Vulnerabilities in third-party software discovered by Fluid Attacks that are not in another CNA’s scope",
  "securityAdvisories": {
    "advisories": [
      {
        "label": "Advisories",
        "url": "https://fluidattacks.com/advisories/"
      }
    ],
    "alerts": []
  },
  "shortName": "Fluid Attacks"
}

Cool. Now we can find all the CNAs whose only type is
Researcher (the jq comparison against ["Researcher"] is an exact
match, so Vendor-and-Researcher CNAs such as Airbus drop out):

aroldan ~  $ curl -s https://www.cve.org/js/app.3611fa3b.js  | grep -Eo 'g=JSON.parse\(.*\);r.Z.use' | sed -e "s/g=JSON\.parse('//g; s/');r.Z.use//g; s/<a href=\\\'//g; s/\\\' target=\\\'_blank\\\'>//g; s/\\\'//g" | json_pp | jq -c '.[] | select ( .CNA.type == ["Researcher"])' | wc -l
      16
aroldan ~  $

Surprisingly, of the 288 current CNAs, only 16 in the
whole world are Researcher-only.
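The same extraction and the three queries above (count, lookup by name, Researcher-only filter), as an added Python example rather than the post's curl/grep/sed/jq pipeline. This is not code from the original post or from cve.org. It assumes the bundle embeds the list as JSON.parse('...') with JS-escaped quotes and <a> tags inside string values, as the post shows, and decodes that JS string literal properly instead of stripping quotes with sed. SAMPLE_BUNDLE is a constructed stand-in for app.<hash>.js so the script runs offline; its entries are made up except for the Fluid Attacks name and CNA ID, which match the post.

```python
"""Pull the CNA list out of the cve.org front-end bundle and query it.

Added example (not from the original post or from cve.org). The real
bundle is fetched with curl in the post; SAMPLE_BUNDLE is a constructed
fragment of the same shape so this runs offline.
"""
import json
import re

# Constructed bundle fragment, NOT the real file. Raw string, so the
# backslash-quote sequences are exactly what a minified bundle contains.
# Adobe, Airbus and Example Labs entries are invented; only the
# Fluid Attacks name and CNA ID are taken from the post.
SAMPLE_BUNDLE = r"""var i=0;g=JSON.parse('[{"CNA":{"type":["Vendor"]},"cnaID":"CNA-2009-0001","organizationName":"Adobe","country":"USA","scope":"Adobe products"},{"CNA":{"type":["Vendor","Researcher"]},"cnaID":"CNA-2019-0003","organizationName":"Airbus","country":"France","scope":"Airbus products and third-party software, see <a href=\'https://example.invalid/psirt\' target=\'_blank\'>policy</a>"},{"CNA":{"type":["Researcher"]},"cnaID":"CNA-2021-0020","organizationName":"Fluid Attacks","country":"Colombia","scope":"Third-party software not in another CNA\'s scope"},{"CNA":{"type":["Researcher"]},"cnaID":"CNA-2023-0007","organizationName":"Example Labs","country":"USA","scope":"Third-party software"}]');r.Z.use(e)"""

JSON_PARSE = re.compile(r"JSON\.parse\('")


def _decode_js_single_quoted(src: str, start: int) -> str:
    """Decode the body of a JS single-quoted string literal that begins at
    src[start] (the character after the opening quote) and return the
    decoded text up to the first unescaped quote.

    Two-stage decoding matters: the payload is JSON *inside* a JS string,
    so \\' becomes ' (fine inside a JSON string) and \\\\" becomes \\",
    which json.loads then handles. Escapes a minifier does not emit for
    this payload are kept verbatim."""
    simple = {"n": "\n", "t": "\t", "r": "\r"}
    out = []
    i = start
    while i < len(src):
        ch = src[i]
        if ch == "'":
            return "".join(out)
        if ch == "\\":
            if i + 1 >= len(src):
                break
            nxt = src[i + 1]
            out.append(simple.get(nxt, nxt))  # \' -> ', \\ -> \, \n -> newline
            i += 2
            continue
        out.append(ch)
        i += 1
    raise ValueError("unterminated JS string literal")


def extract_cna_list(bundle: str) -> list:
    """Find the JSON.parse('...') call in the bundle and return the CNA list."""
    m = JSON_PARSE.search(bundle)
    if m is None:
        raise ValueError("no JSON.parse('...') literal found in the bundle")
    return json.loads(_decode_js_single_quoted(bundle, m.end()))


def find_by_name(cnas: list, name: str):
    """The entry whose organizationName matches, or None."""
    return next((c for c in cnas if c.get("organizationName") == name), None)


def researcher_only(cnas: list) -> list:
    """Entries whose type list is exactly ["Researcher"], the same exact
    match as the post's jq filter: Vendor+Researcher CNAs drop out."""
    return [c for c in cnas if c["CNA"]["type"] == ["Researcher"]]


def cna_year(cna: dict) -> int:
    """Year embedded in the CNA ID, e.g. CNA-2021-0020 -> 2021 (the post's
    assumption that this is the year the organization became a CNA)."""
    return int(cna["cnaID"].split("-")[1])


if __name__ == "__main__":
    cnas = extract_cna_list(SAMPLE_BUNDLE)
    print(f"{len(cnas)} CNAs, {len(researcher_only(cnas))} Researcher-only")
    for c in researcher_only(cnas):
        print(f'{c["organizationName"]:20} {c["country"]:10} since {cna_year(c)}')
```

To run it against the live site, feed the body of curl -s https://www.cve.org/js/app.3611fa3b.js (or whatever hash the bundle carries at the time) into extract_cna_list; the decoder does not depend on the sed substitutions, so embedded links in scope text survive intact instead of being stripped.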

The Research CNAs

We now have the CNAs that share our type.
At Fluid Attacks, we have a dedicated team performing
research, with a clear prioritization model and a well-oiled
methodology for finding vulnerabilities in software that
fits our scope.

Measuring the performance of a Research CNA is hard,
because it depends on each CNA's internal process for
assigning CVE IDs.

The only publicly available figures with which to compare these
CNAs are the total number of CVE IDs assigned
and the number of CVE IDs assigned per year.

One field that is only visible in the JSON
is the CNA ID.

aroldan ~  $ curl -s https://www.cve.org/js/app.3611fa3b.js  | grep -Eo 'g=JSON.parse\(.*\);r.Z.use' | sed -e "s/g=JSON\.parse('//g; s/');r.Z.use//g; s/<a href=\\\'//g; s/\\\' target=\\\'_blank\\\'>//g; s/\\\'//g" | json_pp | jq '.[] | select ( .CNA.type == ["Researcher"] and .organizationName == "Fluid Attacks") | .cnaID'
"CNA-2021-0020"

Judging by the value, it is safe to assume that the
CNA ID contains the year in which the organization
was accepted by Mitre as a CNA. This is an assumption: it
matches for Fluid Attacks (created June 2, 2021 according to
the cve org output above), but nothing in the JSON documents
the ID format.

With that, this is the data gathered for the Researcher-class
CNAs. CVEs/Year divides the total by the number of calendar
years from the CNA ID year through 2023 inclusive (so a CNA
created in 2023 is counted over a single year), and tied
values share a rank. Cells that were missing from the source
table are left blank:

| CNA | Country | # CVEs | CNA ID Year | CVEs/Year | Ranking (Total) | Ranking (CVEs/Year) |
|---|---|---|---|---|---|---|
| Cyber Security Works Pvt. Ltd | India | 55 | 2020 | 13.75 | 5 | 7 |
| Fluid Attacks | Colombia | 76 | 2021 | 25.33 | 3 | 4 |
| Larry Cashdollar | USA | 9 | 2016 | 1.13 | 10 | 11 |
| Talos | USA | 55 | 2016 | 6.88 | 5 | 8 |
| Government Technology Agency of Singapore Cyber Security Group (GovTech CSG) | Singapore | 18 | 2021 | 6.00 | 9 | 9 |
| AppCheck Ltd | UK | 6 | 2021 | 2.00 | 11 | 10 |
| VulDB | Switzerland | 480 | 2001 | 20.87 | 1 | 5 |
| Dutch Institute for Vulnerability Disclosure (DIVD) | Netherlands | | 2022 | 0.00 | 13 | |
| Automotive Security Research Group (ASRG) | USA | 1 | 2022 | 0.50 | 12 | 12 |
| ZUSO Advanced Research Team (ZUSO ART) | Taiwan | 36 | 2022 | 18.00 | 8 | 6 |
| The Missing Link Australia (TML) | Australia | 51 | 2022 | 25.50 | 7 | 3 |
| NetRise | USA | 0 | 2022 | 0.00 | 13 | 13 |
| Austin Hackers Anonymous | USA | 0 | 2023 | 0.00 | 13 | |
| STAR Labs SG Pte. Ltd | Singapore | 100 | 2023 | 100.00 | 2 | 1 |
| Securifera, Inc | USA | 61 | 2023 | 61.00 | 4 | 2 |
| Halborn | USA | 0 | 2023 | 0.00 | 13 | 13 |
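The per-year figure and both rankings in the table, recomputed from the totals and CNA ID years, as an added Python example that is not part of the original post. It serves the "CVE IDs per year" measure described above and the table itself. The rows are the post's own figures (DIVD is omitted because the table gives no count for it); the reference year 2023 and the inclusive year count are assumptions chosen because they reproduce the table's CVEs/Year column, and ranking is competition ranking (ties share a rank and the next rank is skipped), which is how the table ranks the two CNAs with 55 CVEs.

```python
"""Recompute CVEs/Year and both rankings for the Researcher-only CNAs.

Added example, not code from the original post. Totals and years are the
post's table; REFERENCE_YEAR and the inclusive-year formula are
assumptions that reproduce the table's CVEs/Year column.
"""
from dataclasses import dataclass

REFERENCE_YEAR = 2023  # assumption: the year the post was written


@dataclass
class Cna:
    name: str
    country: str
    cves: int   # total CVE IDs published, per the post's table
    year: int   # year in the CNA ID, taken as the year it became a CNA

    @property
    def years_active(self) -> int:
        # Inclusive count: a CNA created in 2023 is measured over one year.
        return REFERENCE_YEAR - self.year + 1

    @property
    def cves_per_year(self) -> float:
        return self.cves / self.years_active


# Figures from the post's table. DIVD is left out: the table has no count for it.
RESEARCHER_CNAS = [
    Cna("Cyber Security Works Pvt. Ltd", "India", 55, 2020),
    Cna("Fluid Attacks", "Colombia", 76, 2021),
    Cna("Larry Cashdollar", "USA", 9, 2016),
    Cna("Talos", "USA", 55, 2016),
    Cna("GovTech CSG", "Singapore", 18, 2021),
    Cna("AppCheck Ltd", "UK", 6, 2021),
    Cna("VulDB", "Switzerland", 480, 2001),
    Cna("ASRG", "USA", 1, 2022),
    Cna("ZUSO ART", "Taiwan", 36, 2022),
    Cna("The Missing Link Australia (TML)", "Australia", 51, 2022),
    Cna("NetRise", "USA", 0, 2022),
    Cna("Austin Hackers Anonymous", "USA", 0, 2023),
    Cna("STAR Labs SG Pte. Ltd", "Singapore", 100, 2023),
    Cna("Securifera, Inc", "USA", 61, 2023),
    Cna("Halborn", "USA", 0, 2023),
]


def competition_rank(cnas, key):
    """Map name -> rank, descending by key. Equal values share a rank and
    the following rank is skipped (1, 2, 2, 4), so the two 55-CVE CNAs
    are both 5th and the next one is 7th, as in the table."""
    ordered = sorted(cnas, key=key, reverse=True)
    ranks = {}
    prev_value, prev_rank = None, 0
    for position, cna in enumerate(ordered, start=1):
        value = key(cna)
        if value != prev_value:
            prev_value, prev_rank = value, position
        ranks[cna.name] = prev_rank
    return ranks


def rank_table(cnas=RESEARCHER_CNAS):
    """name -> (total, CVEs/Year rounded to 2 places, rank by total, rank per year)."""
    by_total = competition_rank(cnas, lambda c: c.cves)
    by_rate = competition_rank(cnas, lambda c: c.cves_per_year)
    return {
        c.name: (c.cves, round(c.cves_per_year, 2), by_total[c.name], by_rate[c.name])
        for c in cnas
    }


if __name__ == "__main__":
    for name, (total, rate, r_total, r_rate) in sorted(
        rank_table().items(), key=lambda kv: kv[1][2]
    ):
        print(f"{name:34} {total:4d} {rate:7.2f}  total #{r_total:<2} per-year #{r_rate}")
```

One caveat the numbers make visible: a CNA created in 2023 is divided by one, so its per-year figure equals its total, which is why the two newest CNAs top the per-year ranking; a longer window would smooth that out.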

Analysis

  • VulDB is the CNA with the most CVEs assigned, but its per-year
    performance ranks only fifth overall.
  • STAR Labs SG has the best per-year performance, although with a
    single year counted its figure is the least settled one in the table.
  • Fluid Attacks has the third-best performance by total
    CVE IDs assigned and the fourth per year. Not bad!
  • Fluid Attacks has the best performance in the Americas by total
    CVE IDs (Securifera leads the Americas per year).

Conclusions

This was a hacker's view of the performance of
Research CNAs. There are other research teams around the world
that look for vulnerabilities and report them directly
via the Mitre Root CNA, but those were not included in this
analysis.

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Andres Roldan. Read the original post at: https://fluidattacks.com/blog/cnas-intel/
