  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1316

Obtaining CVE number for vulnerabilities

https://cve.mitre.org/find/index.html

I have a few Checkpoint vulnerabilities: usually Checkpoint will list out the
CVE number.

E.g.:
for "Content Protection Violation" (which is a rather brief description given by Checkpoint),
Checkpoint indicates that the industry reference is CVE-2011-1892, and when I go to the above
cve mitre link, I can key in the CVE# to get more details.

However, when we generated the raw CSV file, we got a few vulnerabilities
for which Checkpoint did not list a CVE number (i.e. industry reference):
a) Malformed HTTP
b) illegal header format detected: Malformed HTTP protocol name in response
c) Block HTTP Non Compliant
d) Web Server Enforcement Violation

Q1:
Are the above vulnerabilities, or are they just some sort of informational events?

Q2:
If they are vulnerabilities, how can I obtain their CVE number from the cve mitre
link above?  I've tried keying in those descriptions but did not get the description.

Q3:
For "Malformed HTTP", Checkpoint listed a CAN number for it, i.e. CAN-2004-0848.
What is this CAN number?
If a vulnerability (or is it if it's a CAN?) has a CAN number, does it have a
corresponding CVE number?
0
Asked by: sunhux
1 Solution
 
btan (Exec Consultant) commented:
Checkpoint should have a severity level pertaining to those alerts, and indeed they can be categories (or Attack Name). It is not specific to any CVE, as a vulnerability is a readily available, known and specific "gap" identified, as compared to these, which are malicious schemes or attempts at exploiting a vulnerability.

E.g. a) Malformed HTTP is an Attack Name, but the Attack Information can be b) illegal header format detected: Malformed HTTP protocol name in response

Another Attack Information can also be the "Illegal header format detected Malformed HTTP version in request (Error Code WSE0020001)" error message
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk26440

Another Attack is c) Block HTTP Non Compliant, but I do see it as misleading, as this is a preventive action and CP stated the Protection Name: Non Compliant HTTP instead. Nonetheless, it is just to say that it has detected a non-compliant HTTP packet and blocked it. Examples of false positives are below
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk92657

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk93824

For d) Web Server Enforcement Violation, it is another Attack, and there can be more specific IPS signatures such as those below. These include the a/m too...

ASCII Only Request
Block HTTP Non-Compliant
Command Injection
Cross Site Scripting
Directory Listing
General Notice
Header Spoofing
HTTP Methods
Streaming Engine: TCP Segment Limit Enforcement
Web Server Enforcement Violation

I will not say they tie to a CVE per se, but using such keywords to search the CVE database can generate a close match to a related CVE as well ... and normally there is a high chance that an item with a CVE tagged on your listing is indeed more severe...

The CAN tag is actually retired already. It was meant to refer to a CVE candidate number
https://cve.mitre.org/about/faqs.html#b8

B8. Why did CVE retire the term CVE "candidates"?
When the CVE Initiative first began in 1999 and vulnerabilities were discovered and published less frequently than they are today, CVE Identifiers were issued "candidate" or "entry" status, where candidate status indicated that the identifier was under review for inclusion on the CVE List and entry status indicated that the identifier has been formally accepted to the list. CVE Identifiers with candidate status used the CAN-prefix (e.g., "CAN-1999-0067"), while CVE Identifiers with entry status used the CVE-prefix (e.g., "CVE-1999-0067")...

Therefore, at the request of the community, as of 2005 all CVE Identifiers now use the CVE-prefix and are immediately usable by the community. While references and other supporting information may be updated over time, the CVE Identifier number itself does not change once it has been assigned to an issue.

For searching, you can check out this FAQ
https://cve.mitre.org/about/faqs.html#c1

It is good to check out the CVE FAQ
https://cve.mitre.org/about/faqs.html
0
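
The CAN-to-CVE renaming described in the answer above, applied to a firewall CSV export, as an added example that is not part of the original thread and not Check Point's own code. The column names `attack_name`, `attack_info` and `industry_reference` and the sample rows are constructed assumptions; a real export will use its own headers.

```python
import csv
import io
import re

# A CVE ID is PREFIX-YYYY-NNNN with four or more sequence digits.
# CAN- is the retired "candidate" prefix; the number itself never changed.
ID_RE = re.compile(r"\b(CVE|CAN)-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Constructed sample export (assumed column names, not Check Point's schema).
SAMPLE_CSV = """attack_name,attack_info,industry_reference
Content Protection Violation,,CVE-2011-1892
Malformed HTTP,illegal header format detected: Malformed HTTP protocol name in response,CAN-2004-0848
Block HTTP Non Compliant,,
Web Server Enforcement Violation,,
"""


def normalize_ids(text):
    """Return sorted unique CVE IDs found in text, rewriting CAN- to CVE-."""
    return sorted({f"CVE-{year}-{seq}" for _, year, seq in ID_RE.findall(text or "")})


def triage(csv_text):
    """Split rows into those carrying a CVE/CAN reference and those without one."""
    with_cve, without_cve = {}, []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ids = normalize_ids(row.get("industry_reference", ""))
        if ids:
            with_cve[row["attack_name"]] = ids
        else:
            # No identifier: a protection/category name, not a CVE entry to look up.
            without_cve.append(row["attack_name"])
    return with_cve, without_cve


if __name__ == "__main__":
    tagged, untagged = triage(SAMPLE_CSV)
    for name, ids in tagged.items():
        print(f"{name}: {', '.join(ids)}")
    print("No CVE reference:", ", ".join(untagged))
```

Rows that end up in the second list are the ones to review by protection name and severity rather than by searching the CVE list for an identifier.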
