Sydney-based channel player The Missing Link has been authorised to assign CVE identification numbers to new vulnerabilities discovered in third-party software.
The security specialist, which uncovered a serious bug in Ubuntu Linux in 2019, was licensed as a CVE Numbering Authority (CNA) by the Common Vulnerabilities and Exposures (CVE) program.
The CVE program’s goal is to ensure that descriptions of vulnerabilities are communicated consistently and that cyber security professionals have the information required to prioritise and address them.
Partners publish CVE Records in a public catalogue, which stakeholders use to correlate vulnerability information for protecting systems against attacks. Each CNA has a specific scope of responsibility for vulnerability identification and publishing.
A list of over 30 zero-day vulnerabilities, which Missing Link security advisors will discover as part of the CVE Program, has been published on the company’s site.
These include vulnerabilities such as “reflected cross-site scripting in CraftCMS SEOmatic plugin by Nystudio 107” and “authenticated blind SQL injection in OpenAsset Digital Asset Management by OpenAsset”. Not all zero-days are published and accredited, due to the associated security risks.
The Missing Link application security manager Jack Misiura said in a statement that the team had “discovered CVEs, or zero-days, in multiple commonly used products.”
It was the Missing Link’s former senior security consultant Chris Moberly who discovered the “dirty sock” exploit, or CVE-2019-7304, in Ubuntu Linux, which lets attackers gain root access.
Misiura said, “We’re passionate about finding, disclosing, and patching or fixing zero-day vulnerabilities before hackers can exploit the weakness.”
“Our mission has always been to bring clarity to the complex world of ICT security, and our CNA authorisation now means we can streamline disclosure of vulnerabilities, communicating them with our customers in a more timely manner.”
Headquartered in Sydney, The Missing Link also opened an office in Melbourne. In 2017, The Missing Link bundled the Australian Signals Directorate’s “most effective security controls” into a managed service.