In a Study in Scarlet, Sherlock Holmes said, “It is a capital mistake to theorize before one has data,” which is one of my favorite Sherlock quotes. For the last month or so, my team has been dealing with missing CPE data points in the Mitre CPE data, and it finally forced me to set down and put together a new tool to analyze the data.
What Are CPEs?
CPE is an acronym for Common Platform Enumeration. It is a standardized method of describing and identifying classes of applications and operating systems in a common format as described in this NIST document.
How Are They Used?
The most common use case for CPE data is fairly straightforward; you want to find all CVEs affecting either a software package or an operating system you run. The NVD actually provides an API to allow you to do these lookups programmatically.
What Are The CPE Data Quality Issues?
When a company attaches a CPE to CVE, it has four optional data points in the JSON Scheme:
- VersionStartIncluding
- VersionStartExcluding
- VersionEndIncluding
- VersionEndExcluding
These data points allow you to narrow down the version of the software that is vulnerable to the CVE.
The correct usage of these fields is present in CVE-2020-6572. Looking at the data provided, we know anything that is Chrome 81.0.4044.92 or older is vulnerable and should be patched.
The incorrect usage of this field is present in CVE-2015-8960. Looking at the data provided, we have to assume that all versions of Chrome (IE, Firefox, Safari, and Opera) are still vulnerable.
How Many CVEs Have This Problem?
As of today, 71,811 CVEs have at least one CPE that does not include version information. Not all of these are wrong, as if your CPE is mapped to a unique version, you can find an upgrade path to remove the vulnerability.
Real World Example:
To test the data, I decided to see how many CVEs with open CPE for the 3 major browsers (Chrome, Firefox, Edge) existed.
Web Browser | CVE Count | CVEs |
Chrome | 5 | ‘CVE-2011-3389’, ‘CVE-2012-4930’, ‘CVE-2013-6662’, ‘CVE-2010-1731’, ‘CVE-2015-8960’ |
Firefox | 4 | ‘CVE-2011-0064’, ‘CVE-2011-3389’, ‘CVE-2012-4930’, ‘CVE-2015-8960 |
Edge | 380 (10 newest listed) | ‘CVE-2021-26411’, ‘CVE-2021-1705’, ‘CVE-2020-17131’, ‘CVE-2020-17058’, ‘CVE-2020-17054’, ‘CVE-2020-17052’, ‘CVE-2020-17048’, ‘CVE-2020-16884’, ‘CVE-2020-1569’, ‘CVE-2020-1568’ |
What Can Be Done?
In a perfect world, Mitre and NVD would make these fields mandatory and remove the ability to assign a non-versioned CPE (ex: cpe:2.3:a:microsoft:edge:-:*:*:*:*:*:*:*
) to a CVE.
Where is the Code?
The code is in this jupyter notebook and can be run on Colab: