What is KVE?

South Korea is always actively insisting on the “platform sovereignty”. After a boom caused by Squid Game on Netflix, some Koreans thought that Netflix is not giving a fair share to Korean studios1 and complained why there is no local equivalent of Netflix which can attract users like what Squid Game did. Even an ISP sued Netflix2 citing that they are not paying enough for the traffic caused by Netflix services. Well, we don’t want to discuss on the Squid Game or why some of Google and Apple services are not available in Korea in this article, but that kind of mentality is prevalent in various places of Korean society.

As a security researcher, everyone should know CVE (Common Vulnerabilities and Exposures). MITRE Corporation maintains a nice public database of disclosed computer security flaws. It benefits many system administrators and security researchers by sharing the known vulnerability and helping them to fix those holes. Also, the software vendors also include CVE numbers for their security patches in order to announce what security problem they fixed. The CVE is used globally and the vulnerability database also contains region-specific products and their vulnerabilities too.

Then here comes the “platform sovereignty” mind of Korean institution. Having a local equivalent of CVE could be beneficial for overcoming language barrier, since CVE is only available in English. Small-sized companies may cite the language problem as the reason of not-observing best practice and fixing their security vulnerabilities, which could be mitigated by publicly funded institution giving some CVE translation3. Now meet KVE, which is designed “local equivalent” of CVE.

We do not deny that a localized vulnerability device can help the local software vendors and users. However, the biggest difference between CVE and KVE is that the latter database is only available internally within KrCERT. If you search with the keyword such as “KVE vulnerability”, what you will get is mostly the notice in Korean and a line in changelog mentioning that the vulnerability had been fixed. Hmm, now what? Why there is no information of the vulnerability itself publicly available at all, even its abstract information such as severity, impact, type of vulnerability? Is it to covering the mistakes made by local (small) companies and not to ruin their reputation? We really don’t know and want to know why we can’t see the whole database, not the fragment.

Following examples are how the KVE ID is used:

  • An IP camera company “disabled” ONVIF access due to the missing access control on ONVIF interface allowing anyone to see the stream4. Note that “disable the feature because we can’t secure that” mindset is quite prevalent among small Korean companies.
  • An archiver software patched NSIS and TAR file handling, citing the KVE ID5. No one knows what is the exact problem.
  • A web CMS software patched a security hole citing the KVE ID6. Details could only be guessed from the patch.

As a security researcher, we find that the non-public vulnerability database targetting the public produces make little or no sense at all. Security researchers waste time writing reports about duplicated vulnerabilities because they do not have access to the database. End-users and system administrators are unable to know what threat they are currently exposed because the information is kept secret, and have to rely on the mercy of software vendors. The KVE ID’s existence is only known to researchers through the KISA bug bounty program, which replies to the researcher’s mail with their useless database reference ID. We believe that opening up the KVE database will bring more positive effect in the future.

  1. Book reveals uncomfortable truth about ‘Squid Game’s global success  ↩︎

  2. Netflix says paying SK Broadband over Squid Game surge creates ‘anti-competitive environment’ ↩︎

  3. 취약점 정보 - KrCERT (in Korean) ↩︎

  4. QCAM-K1 보안취약점 발견에 따른 패치 안내 ↩︎

  5. 반디집 업데이트 정보 ↩︎

  6. gnuboard/gnuboard5 ↩︎