15.11.2021 - The NCSC has examined an IT vulnerability reported to it by ETH Zurich and, as an authorised Numbering Authority, has issued an identifier for the first time. The vulnerability known as Blacksmith, discovered by researchers at ETH Zurich, Qualcomm and Vrije Universiteit Amsterdam, has now been published.
NCSC issues its first internationally valid CVE (Common Vulnerability and Exposure) identification number
In order to avoid the exploitation of vulnerabilities in IT systems as far as possible, it is extremely important that they be remedied quickly and that operators and manufacturers worldwide be notified. In the cyber sector, the non-profit organisation MITRE has created a globally accessible knowledge base that provides a comprehensive overview of possible threats and the corresponding security updates. A unique CVE (Common Vulnerability and Exposure) identification number is assigned to each reported vulnerability. The NCSC was recognised by MITRE as a CVE Numbering Authority in September this year and is thus authorised to assign CVE identifiers. As a Numbering Authority, the NCSC is responsible for the checking, coordination and publication of discovered vulnerabilities.
ETH Zurich discovers and reports vulnerability
In the first quarter of this year, researchers at ETH Zurich, Qualcomm and Vrije Universiteit Amsterdam reported a vulnerability discovered on a memory chip to the NCSC. The vulnerability, which the researchers call Blacksmith, affects all devices that use a specific RAM chip. This RAM chip is produced by Samsung, SK Hynix and Micron and is used by various technology companies. Since the RAM chips in question are used worldwide, the vulnerability is classified as critical. However, the risk of misuse is considered low, as major effort is required to exploit it.
Further information on the Blacksmith vulnerability can be found in the ETH Zurich research paper.
NCSC checks and coordinates
As a newly authorised Numbering Authority, the NCSC is the link between those who discover vulnerabilities, manufacturers, operators and MITRE. In this role, the NCSC checks the vulnerability, assigns a CVE identifier and coordinates its publication. The Blacksmith vulnerability is the first vulnerability for which the NCSC has assigned the official CVE identifier and coordinated all steps through to publication. The "CVE-2021-42114" vulnerability was jointly published with the ETH on 15 November 2021.
Last modification 15.11.2021