Disruption of NIST NVD suspends CVE enrichment


Something mysterious is happening at the US National Institute of Standards and Technology (NIST) that could leave many organizations vulnerable to malicious actors.

As of February 12, 2024, NIST has almost completely stopped enriching software vulnerabilities listed in its National Vulnerability Database (NVD), the most widely used software vulnerability database in the world.

Tom Pace, CEO of firmware security provider NetRise, told Infosecurity that only 200 of the 2700 vulnerabilities, known as Common Vulnerabilities and Exposures (CVE), published since that date have been enriched.

The failure to enrich CVEs means that more than 2,500 vulnerabilities added to the database were uploaded without crucial metadata.

This metadata includes the software weakness category behind the vulnerability (the Common Weakness Enumeration, or CWE), the names of the affected software products (Common Platform Enumeration, or CPE), the vulnerability severity score (CVSS), and the patch status of the vulnerability.

Read more: A Guide to Zero-Day Vulnerabilities and Exploits for the Uninitiated

A significant drop in enrichment data downloads on the NVD

The issue was first spotted by Josh Bressers, vice president of security at software security vendor Anchore, who published a blog post on March 8 showing a significant drop in enrichment data on the NVD starting around February 12.

Jerry Gamblin, principal engineer at Cisco Threat Detection & Response, shared another chart showing a significant drop in CVEs with the “Analyzed” status, meaning they have been fully documented, and a slight increase in CVEs with the “Awaiting Analysis” status, compared to 2023.

Other posts from Gamblin and NetRise reported similar declines in the number of published CVEs enriched with crucial metadata, such as CWEs, Common Platform Enumeration (CPE) identifiers, and CVSS scores.

Therefore, even though new vulnerabilities are published, they are not currently associated with specific products, leaving organizations blind to which products and systems in their environment these specific vulnerabilities may impact.
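The gap described above is visible directly in NVD API 2.0 records: an enriched CVE carries a NIST-sourced CVSS score, a concrete CWE, and CPE match criteria under `configurations`; an un-enriched one carries at most the CNA's own score. The following is an added example (not code from the article or from any vendor it quotes) that reads records in that shape, reports which of the three enrichment fields are present, and matches the CPE criteria of enriched records against a small software inventory. The JSON response, the inventory, and the CVE IDs, vendor and product names in it are constructed placeholders; the version comparison handles dotted-numeric versions only and treats every CPE node as an OR node, both labelled simplifications.

```python
"""Flag NVD API 2.0 CVE records that lack enrichment, and match the ones
that do have CPE data against a software inventory. Added example."""
import json
from dataclasses import dataclass

# Constructed sample shaped like an NVD API 2.0 /rest/json/cves/2.0 response.
# CVE IDs, vendor, product and matchCriteriaId values are placeholders, not real records.
SAMPLE_NVD_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {
        "id": "CVE-2024-00001", "vulnStatus": "Analyzed",
        "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                    "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
        "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                        "description": [{"lang": "en", "value": "CWE-120"}]}],
        "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [{
            "vulnerable": True,
            "criteria": "cpe:2.3:a:example:example_app:*:*:*:*:*:*:*:*",
            "versionStartIncluding": "1.0", "versionEndExcluding": "1.4.2",
            "matchCriteriaId": "00000000-0000-0000-0000-000000000001"}]}]}]}},
    {"cve": {
        "id": "CVE-2024-00002", "vulnStatus": "Awaiting Analysis",
        # Only the CNA's own "Secondary" score is attached; no NIST score, CWE or CPE yet.
        "metrics": {"cvssMetricV31": [{"source": "cna@example.org", "type": "Secondary",
                    "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
]})

# Constructed inventory: what a scanner knows about the environment.
EXAMPLE_INVENTORY = [
    {"vendor": "example", "product": "example_app", "version": "1.2.0"},
    {"vendor": "example", "product": "example_app", "version": "1.4.2"},
    {"vendor": "other", "product": "unrelated", "version": "3.1"},
]

NIST = "nvd@nist.gov"


@dataclass
class Enrichment:
    cve_id: str
    status: str
    nist_cvss: bool  # a NIST-assigned score, not just the CNA's "Secondary" one
    cwe: bool        # a concrete CWE-nnn, not NVD-CWE-noinfo / NVD-CWE-Other
    cpe: bool        # at least one CPE match criterion under configurations

    @property
    def enriched(self) -> bool:
        return self.nist_cvss and self.cwe and self.cpe


def assess_cve(cve: dict) -> Enrichment:
    """Check the three fields NVD analysts add during enrichment: CVSS, CWE, CPE."""
    metrics = cve.get("metrics", {})
    scores = [m for k in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")
              for m in metrics.get(k, [])]
    cwes = [d["value"] for w in cve.get("weaknesses", []) for d in w.get("description", [])]
    criteria = [m["criteria"] for cfg in cve.get("configurations", [])
                for node in cfg.get("nodes", []) for m in node.get("cpeMatch", [])]
    return Enrichment(cve_id=cve["id"], status=cve.get("vulnStatus", "unknown"),
                      nist_cvss=any(m.get("source") == NIST for m in scores),
                      cwe=any(c.startswith("CWE-") for c in cwes), cpe=bool(criteria))


def parse_cpe23(criteria: str) -> dict:
    """Split a CPE 2.3 formatted string. Simplification: escaped ':' is not handled."""
    parts = criteria.split(":")
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 formatted string: {criteria!r}")
    return {"vendor": parts[3], "product": parts[4], "version": parts[5]}


def _vtuple(version: str) -> tuple:
    # Simplification: dotted-numeric versions only (no "1.2rc1", no semver tags).
    return tuple(int(x) for x in version.split("."))


def _in_range(version: str, match: dict) -> bool:
    """Apply the versionStart/End bounds an NVD cpeMatch entry may carry."""
    v = _vtuple(version)
    if match.get("versionStartIncluding") and v < _vtuple(match["versionStartIncluding"]):
        return False
    if match.get("versionStartExcluding") and v <= _vtuple(match["versionStartExcluding"]):
        return False
    if match.get("versionEndIncluding") and v > _vtuple(match["versionEndIncluding"]):
        return False
    if match.get("versionEndExcluding") and v >= _vtuple(match["versionEndExcluding"]):
        return False
    return True


def inventory_hits(cve: dict, inventory: list) -> list:
    """Inventory items the CVE's CPE configurations mark as vulnerable.
    Simplification: every node is treated as OR; AND/negate logic is not evaluated."""
    hits = set()
    for cfg in cve.get("configurations", []):
        for node in cfg.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if not m.get("vulnerable", False):
                    continue
                c = parse_cpe23(m["criteria"])
                for item in inventory:
                    if (c["vendor"], c["product"]) != (item["vendor"], item["product"]):
                        continue
                    if c["version"] not in ("*", "-") and c["version"] != item["version"]:
                        continue
                    if _in_range(item["version"], m):
                        hits.add(f'{item["product"]} {item["version"]}')
    return sorted(hits)


def triage_response(raw_json: str, inventory: list) -> dict:
    """Per CVE: enrichment state, inventory hits, and whether a human must triage it."""
    out = {}
    for entry in json.loads(raw_json)["vulnerabilities"]:
        cve = entry["cve"]
        e = assess_cve(cve)
        # Without CPE data a scanner cannot say "no hit" with any confidence.
        out[e.cve_id] = {"status": e.status, "enriched": e.enriched,
                         "hits": inventory_hits(cve, inventory),
                         "needs_manual_triage": not e.cpe}
    return out
```

Run against a real pull from the NVD API, the `needs_manual_triage` entries are exactly the CVEs the article is talking about: published, possibly carrying a CNA score, but not yet mapped to any product, so a scanner keyed on CPE will silently report nothing for them.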

Speaking to Infosecurity, Dan Lorenc, co-founder and CEO of software security vendor Chainguard, commented: “It appears that the NVD has completely given up on adding CPE mappings to CVEs, meaning that CVE entries contain no metadata about the actual software affected.”

On March 13, Bressers of Anchore shared an updated version of the first chart, confirming that very few CVEs had been enriched in the last 30 days.

A “major issue” for the entire cybersecurity community

If these issues are not resolved quickly, they could have a significant impact on the security research community and all organizations around the world.

NetRise’s Pace explained: “That means you’re asking the entire cybersecurity community, overnight, to somehow figure out what the vulnerability is in what operating system, software package, application, firmware or device. This is a totally impossible and untenable task!”

Lorenc agreed and called the incident a “major problem.”

“We now rely on industry alerts and social media to ensure CVEs are triaged as quickly as possible,” he said.

“Scanners, analyzers, and most vulnerability tools rely on NVD to determine which software is affected by which vulnerabilities,” Lorenc added. “If organizations fail to triage vulnerabilities effectively, it exposes them to increased risk and leaves a significant gap in their vulnerability management posture.”

NIST hints at new NVD consortium

On February 15, the National Vulnerability Database website announced that users may see “delays in analysis efforts” as NIST is “currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.”

Chris Hughes, president of Aquia, said that message did not provide enough information to the security community.

“What exactly is this consortium, who will be involved, what changes will be made, and what kind of delays will we see as an industry when it comes to analysis of vulnerabilities from the most widely used vulnerability database?” Hughes wrote in a post published in his Resilient Cyber newsletter on Substack on March 11.

NetRise’s Pace was surprised when he read the NVD announcement. “We’ve been disclosing and enriching vulnerabilities using the same process for years, and quite effectively. Why would we need a consortium now?”

As of this writing, the NVD website has not made any further public announcements.

Infosecurity contacted NIST and MITRE, the US non-profit organization responsible for maintaining the CVE list, but neither had responded to a request for comment as of this writing.

Hypotheses explaining the need for an NVD consortium

The reason for these NVD disruptions or the need for a consortium remains unknown.

According to Hughes, discussions have already taken place within NVD stakeholder circles about replacing CPE. One candidate replacement is Software Identification Tags (SWID), a software tagging standard supported by both the Trusted Computing Group (TCG) and the Internet Engineering Task Force (IETF).

However, he added that this was unlikely. “Since SWID has already been excluded from discussions around Software Bill of Materials (SBOM) as the industry-leading format, we instead see OWASP’s CycloneDX and the Linux Foundation’s SPDX dominating the SBOM format discussion.”

“Another useful note is that there are people known as the ‘SBOM Forum’ who are currently advocating for the NVD to also adopt Package URLs (PURLs), given the ubiquitous use of software packages and open source software (OSS), but whether this comes to fruition remains to be determined,” Hughes added.

Read more: How Organizations Can Leverage SBOMs to Improve Software Security

Internal discussions like these may have prompted the NVD to reorganize around a newly formed consortium.

Whatever the reason, Lorenc criticized the lack of transparency in the NVD’s communication. He added that this is not the first time the security community has harshly criticized the NIST-led team.

“Over the past year in particular, NVD has come under intense scrutiny from the industry and those working to fix the broken vulnerability ecosystem. Historically, the NVD filled a huge visibility gap, but today it has fallen behind,” Lorenc explained.

“As a result, we are starting to see other resources popping up, as well as countries considering creating their own. This is particularly evident in the European Cyber Resilience Act,” he said.

China has also recently updated its vulnerability disclosure ecosystem, as a recent Atlantic Council analysis showed.

The U.S. federal government has issued NVD requirements for contractors

This episode coincides with the publication of the latest revision of the Federal Risk and Authorization Management Program (FedRAMP Rev. 5), the US federal program that requires cloud service providers doing business with the federal government to use the NVD as a source of truth and to fix any known vulnerabilities it lists.

“It feels like NIST is somehow trying to shut down this program or divest it while other parts of the government mandate its use,” Lorenc noted.

Alongside the drop in enrichment, the NVD API has also suffered outages of unprecedented scale, prompting vulnerability intelligence provider VulnCheck to release a free alternative called VulnCheck NVD++.
