Securing open source through CVE prioritisation

According to a recent study, 96% of applications in the enterprise market use open-source software. As the open source landscape becomes more and more fragmented, the task to assess the impact of potential security vulnerabilities for an organisation can become overwhelming. Ubuntu is known as one of the most secure operating systems, but why? Ubuntu is a leader in security because, every day, the Ubuntu Security team is fixing and releasing updated software packages for known vulnerabilities. In fact, on average, the team is providing more than 3 updates each day, and the most vital updates are prepared, tested and released within 24 hours. To achieve that result, Canonical designed a robust process to review, prioritise and fix the most crucial software vulnerabilities first. Software vulnerabilities are tracked as part of the Common Vulnerabilities and Exposures (CVE) system, and almost all security updates published by the Ubuntu Security team (via Ubuntu Security Notices – USNs) are in response to a given public CVE. 

The robust triage process

The Ubuntu Security team manages their own CVE database to track various CVEs against the software packages within the Ubuntu archive. As part of this process, each day the team triages the latest public vulnerabilities from various sources, including MITRE, NIST NVD and others. This triage process involves assessing every single new publicly announced CVE and determining which (if any) software packages in Ubuntu may be affected, collecting any information required for patching the package (including upstream patches) and noting any potential mitigations for the vulnerability. Once CVEs are triaged against the applicable software packages, they are assigned a priority, from the range of negligible, low, medium, high and critical. This priority is then used by the Ubuntu Security team to indicate which vulnerabilities should be addressed first.

Security and stability

Providing any changes to software always introduces a risk of triggering a regression in functionality. While Canonical endeavours to test and validate any changes that we make, it is impossible to cover all use cases for every user, and so there is an inherent risk of affecting functionality. Therefore the value gained by fixing any security issue must always be weighed against the risk of possible regression that is introduced. This balancing act is more of an art than a science, and it is hard to capture clear rules, but in particular for low or medium priority vulnerabilities, the risk of regression needs to be considered very carefully. Factors such as the age of the code, the difference in the code structure for backports, the range of functionality affected, and the user base of the package are all taken into account. This way Canonical aims to provide the most secure and stable platform possible to all Ubuntu users.

Extended CVE review 

A common method for assessing the severity of CVEs is the Common Vulnerability Scoring System (CVSS). This is designed to provide a numerical value for the severity of a particular vulnerability, and to allow these to be compared between vulnerabilities. The CVSS score for a given CVE is calculated using a number of inputs, and whilst this allows various aspects of the vulnerability to be considered, it does not capture the risk presented by a given vulnerability. In particular, whilst CVSS was designed to assess the technical severity of a vulnerability, it is often misused instead as means of vulnerability prioritisation or risk assessment. In particular, there are many aspects that are important to consider for a given vulnerability which are not captured by CVSS, including the likelihood that the given software package is installed or in use, whether the default configuration of a package may mitigate the vulnerability and whether a known exploit against the vulnerability exists. As such, use of CVSS alone to compare and prioritise vulnerabilities can lead to an incomplete risk profile.

CVE Prioritisation done right

In contrast, the priority value assigned by the Ubuntu Security team is designed to capture the varied individual context for each software package in Ubuntu so that it can be used as an effective measure to prioritise security software updates taking into account every Ubuntu instance – including server, desktop, cloud, and IoT. Vulnerabilities which affect the largest number of Ubuntu installations and which present the largest risk (by say being remotely exploitable without any user input, etc.) are prioritised critical or high. Those which affect only a small number of users and might require user-input or might only cause smaller effects such as a denial-of-service may be prioritised as medium, low or negligible. This prioritisation is done on a case-by-case basis for each vulnerability, and since a given vulnerability might apply to more than one package in the Ubuntu archive, this can be assigned further on a vulnerability-per-package basis as well. This ensures that those vulnerabilities which have the highest risk and impact and which are likely to affect the largest number of Ubuntu installations are fixed first, regardless of the given CVSS score, to ensure that the risk of exploitation by known software vulnerabilities is limited as much as possible.

To read more about the priority which is assigned for each vulnerability, as well as the criteria used for each priority assignment, refer to the Ubuntu CVE Tracker.