Securing open source through CVE prioritisation

According to a recent study, 96% of applications in the enterprise market use open-source software. As the open-source landscape becomes more and more fragmented, the task to assess the impact of potential security vulnerabilities for an organisation can become overwhelming. Ubuntu is known as one of the most secure operating systems, but why? Ubuntu is a leader in security because, every day, the Ubuntu Security team is fixing and releasing updated software packages for known vulnerabilities. It is a continuous 24/7 effort. In fact, on average, the team is providing more than 3 updates each day, and the most vital updates are prepared, tested and released within 24 hours. To achieve that result, Canonical designed a robust process to review, prioritise and fix the most crucial software vulnerabilities first. Software vulnerabilities are tracked as part of the Common Vulnerabilities and Exposures (CVE) system, and almost all security updates published by the Ubuntu Security team (via Ubuntu Security Notices – USNs) are in response to a given public CVE. 

The robust triage process

The Ubuntu Security team manages their own CVE database to track various CVEs against the software packages within the Ubuntu archive. As part of this process, each day the team triages the latest public vulnerabilities from various sources, including MITRE, NIST NVD and others. This triage process involves assessing every single new publicly announced CVE and determining which (if any) software packages in Ubuntu may be affected, collecting any information required for patching the package (including upstream patches) and noting any potential mitigations for the vulnerability. Once CVEs are triaged against the applicable software packages, they are assigned a priority, from the range of negligible, low, medium, high and critical. This priority is then used by the Ubuntu Security team to indicate which vulnerabilities should be addressed first.

Extended CVE review 

A common method for assessing the severity of CVEs is the Common Vulnerability Scoring System (CVSS). This is designed to provide a numerical value for the severity of the particular vulnerability and to allow these to be compared between vulnerabilities. The CVSS score for a given CVE is calculated using a number of inputs, and whilst this allows various aspects of the vulnerability to be considered, it has a number of shortcomings. In particular, whilst CVSS was designed to assess the technical severity of a vulnerability, it is often misused instead as means of vulnerability prioritisation or risk assessment. In particular, there are many aspects that are important to consider for a given vulnerability which is not captured by CVSS, including the likelihood that the given software package is installed or in use, whether the default configuration of a package may mitigate the vulnerability and whether a known exploit against the vulnerability exists.

CVE Prioritisation done right

In contrast, the priority value assigned by the Ubuntu Security team is designed to capture these and other elements so that it can be used as an effective measure to prioritise security software updates taking into account every Ubuntu instance – including server, desktop, cloud, and IoT. Vulnerabilities that affect the largest number of Ubuntu installations and which present the largest risk (by say being remotely exploitable without any user input, etc.) are prioritised critical or high. Those which affect only a small number of users and might require user-input or might only cause smaller effects such as a denial-of-service may be prioritised as a medium, low or negligible. This CVE prioritisation is done on a case-by-case basis for each vulnerability, and since a given vulnerability might apply to more than one package in the Ubuntu archive, this can be assigned further on a vulnerability-per-package basis as well. This ensures that those vulnerabilities which have the highest risk and impact and which are likely to affect the largest number of Ubuntu installations are fixed first, regardless of the given CVSS score, to ensure that the risk of exploitation by known software vulnerabilities is limited as much as possible.

To read more about the priority which is assigned for each vulnerability, as well as the criteria used for each priority assignment as part of the CVE prioritisation, refer to the Ubuntu CVE Tracker.