NVD slowdown leaves thousands of vulnerabilities without analysis data
Security world reacts as NIST does a lot less of oft criticized, 'almost always thankless' work
Opinion The United States National Institute of Standards and Technology (NIST) has almost completely stopped adding analysis to Common Vulnerabilities and Exposures (CVEs) listed in the National Vulnerability Database. That means big headaches for anyone using CVEs to maintain their security.
It was just another day, February 15th, 2024, to be exact, that the National Vulnerability Database (NVD) posted a notice saying:
NIST is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods. You will temporarily see delays in analysis efforts during this transition. We apologize for the inconvenience and ask for your patience as we work to improve the NVD program.
The IT security world looked at this news, shrugged its shoulders, and went back to work. Security, done right, never sleeps.
The NVD is vitally important. Whenever a Common Vulnerabilities and Exposures (CVE) entry is released, the job of the people behind the NVD is to analyze it and tag it with its Common Weakness Enumeration (CWE) identifiers. The CWEs describe the kind of coding or architectural flaws behind the problem. They also provide the Common Platform Enumeration (CPE) entries, which identify the systems, software, and packages known to be affected by the bug at the moment. The one everyone in security knows is the Common Vulnerability Scoring System (CVSS). This last is a numeric score from 0 (why did anyone even report this?) to 10 (all hell will break loose) that describes just how bad the security hole is.
But, while the NVD crew hasn't always labeled a CVE with all this vital information within an hour, it has always done a timely job. That's a good thing, because a CVE without its NVD data is pretty meaningless.
Mind you, maintaining the NVD has always been a thankless job. People love to argue about CVSS scores. For example, the founder and lead developer of the popular open source command line copy tool cURL was angry as a hornet when the NVD gave a red alert CVSS score of 9.8 to a cURL bug that really wasn't that big of a deal.
Lately, too, thanks to a flood of bogus CVEs, the job has gotten even harder. For instance, on August 22nd, 2023 alone, no fewer than 138 CVEs were filed. We all know we've got lots of security problems, but we don't have that many!
Dan Lorenc, CEO and co-founder of Chainguard, a software supply chain security company, thinks "the ridiculous rash of awful CVEs" resulted from "scraping old issues and commits to file these in an automated fashion, without ever getting maintainers involved."
But soon, infoseccers began to take note of a problem. Just weeks after the NVD update, Josh Bressers, VP of Security at software security outfit Anchore, published a post noting that since "February 15, 2024, NIST has almost completely stopped updating NVD."
"Thousands of CVE IDs" had been published "without any record of analysis by NVD," he added.
Whoops!
This is a big deal. As Lorenc pointed out, "Scanners, analyzers, and most vulnerability tools rely on the NVD to set these fields so they can determine what software is affected by which vulnerabilities."
Knowing exactly what program is affected by a major bug is kind of a big deal, don't you think? So, what's going on? We don't know. I've asked NIST, but they've been elusive.
Based on what little the organization has said on the record, I suspect NIST's staff is both overworked and under-budgeted. NIST's latest budget is stuffed with earmarks having little to do with its main missions, and it's been cut to $1.46 billion from last year's $1.6 billion.
This sudden lapse has left the cybersecurity community in a quandary. Without detailed vulnerability information, identifying and mitigating risks becomes a herculean task, exposing organizations to potential exploits.
The good news is that the NVD isn't the only source of truth for security bugs. Many security companies and scanners now work with Open Source Vulnerabilities (OSV) or the GitHub Security Advisory DB.
But, and it's a huge but, many others still rely on CVSS and NVD. If you're a contractor working with the United States government, for example, you have no choice but to use NVD. It's literally the law: The Federal Risk and Authorization Management Program (FedRAMP Rev. 5) requires your company to use CVSS and NVD.
This is far from the first time NIST and its security mechanisms have annoyed security companies. A couple of years ago, it was the disconnect between the NIST systems and how security is handled with cloud-native computing. By the way, that problem hasn't gone away.
However, despite all the problems, NIST's systems have remained essential for IT security. Now, though, people are worried. And, they have reason.
What can we do? Well, looking into alternatives is a good idea, but nothing comes close to covering NVD's sheer breadth.
There are also efforts to replace NVD. Bressers has revealed that Anchore has an open source project called NVD Data Overrides. Its goal is to replace the data currently missing from NVD, except for CVSS scores, in the meantime. After all, he explained, "The vulnerability world is now so big we need to cooperate the same way open source works."
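To make concrete what "a CVE without its NVD data" looks like to a scanner, and what an overrides feed can and cannot fill in, here is an added example (mine, not code from The Register, NIST or Anchore's NVD Data Overrides project). It walks NVD-style CVE records, reports which of the three analysis fields (CWE, CPE, CVSS) are absent, and backfills CWE and CPE from an overrides mapping while leaving CVSS untouched, matching the stated scope of the overrides effort. The record layout is modelled on the NVD API 2.0 JSON shape; the two sample records, the placeholder CVE ids and the overrides mapping are constructed for illustration and are not real NVD data.

```python
"""Check NVD-style CVE records for missing analysis data and fill the gap
from an overrides source (added example; constructed sample data)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Enrichment:
    cwes: List[str] = field(default_factory=list)   # e.g. ["CWE-79"]
    cpes: List[str] = field(default_factory=list)   # affected products
    cvss: Optional[float] = None                    # base score, 0.0 to 10.0

    def missing(self) -> List[str]:
        """Names of the analysis fields this record still lacks."""
        gaps = []
        if not self.cwes:
            gaps.append("cwe")
        if not self.cpes:
            gaps.append("cpe")
        if self.cvss is None:
            gaps.append("cvss")
        return gaps


def extract(cve: dict) -> Enrichment:
    """Pull CWE, CPE and CVSS data out of one NVD API 2.0 style 'cve' object.
    Any of the three sections may be absent on an unanalysed record."""
    cwes = [
        d["value"]
        for w in cve.get("weaknesses", [])
        for d in w.get("description", [])
        if d.get("value", "").startswith("CWE-")
    ]
    cpes = [
        m["criteria"]
        for cfg in cve.get("configurations", [])
        for node in cfg.get("nodes", [])
        for m in node.get("cpeMatch", [])
        if m.get("vulnerable", True)
    ]
    cvss = None
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        if metrics.get(key):
            cvss = float(metrics[key][0]["cvssData"]["baseScore"])
            break
    return Enrichment(cwes, cpes, cvss)


def apply_overrides(cve_id: str, enr: Enrichment, overrides: dict) -> Enrichment:
    """Fill missing CWE/CPE fields from a community overrides mapping.
    CVSS is deliberately left alone: the overrides feed described in the
    article supplies everything except scores."""
    extra = overrides.get(cve_id, {})
    return Enrichment(
        cwes=enr.cwes or list(extra.get("cwes", [])),
        cpes=enr.cpes or list(extra.get("cpes", [])),
        cvss=enr.cvss,
    )


def triage(records: list, overrides: dict) -> dict:
    """Map CVE id -> analysis fields still missing after overrides."""
    report = {}
    for item in records:
        cve = item["cve"]
        enr = apply_overrides(cve["id"], extract(cve), overrides)
        report[cve["id"]] = enr.missing()
    return report


# Constructed sample: one fully analysed record, one still "Awaiting
# Analysis" that carries no weaknesses, configurations or metrics at all.
SAMPLE_RECORDS = [
    {"cve": {
        "id": "CVE-0000-0001",   # placeholder id, not a real CVE
        "vulnStatus": "Analyzed",
        "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}]}],
        "configurations": [{"nodes": [{"cpeMatch": [
            {"vulnerable": True,
             "criteria": "cpe:2.3:a:example:webapp:1.0:*:*:*:*:*:*:*"}]}]}],
        "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 6.1}}]},
    }},
    {"cve": {
        "id": "CVE-0000-0002",   # placeholder id, not a real CVE
        "vulnStatus": "Awaiting Analysis",
    }},
]

# Constructed overrides: community-supplied CWE/CPE for the unanalysed record.
SAMPLE_OVERRIDES = {
    "CVE-0000-0002": {
        "cwes": ["CWE-787"],
        "cpes": ["cpe:2.3:a:example:parser:2.3:*:*:*:*:*:*:*"],
    },
}

if __name__ == "__main__":
    for cve_id, gaps in triage(SAMPLE_RECORDS, SAMPLE_OVERRIDES).items():
        print(cve_id, "missing:", gaps or "nothing")
```

Run as-is and the second record comes back missing only `cvss`: the overrides supplied its CWE and CPE, so a scanner could at least match affected products again, but the severity score stays empty until NIST (or someone else) analyses it. A scanner that silently treats a missing score as 0 would rank that record as harmless, which is exactly the failure mode the missing-data problem creates.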
Lorenc, meanwhile, opined: "NIST, the NVD, and the CVE Program as a whole have operated as a key, critical piece of infrastructure for over 20 years. Their work is often criticized, almost always thankless, and very rarely easy. By acting as a neutral, process-driven arbiter of vulnerability data, they've provided our entire industry a valuable tool for managing cybersecurity risk."
He's right. ®