[Image: "NIST" on a digital background. Source: Borka Kiss via Alamy Stock Photo]
Since 2005, the [1]National Vulnerability Database (NVD) has been
posting details about the hundreds of daily common vulnerabilities and
exposures (CVEs) discovered by security researchers from around the
globe. But last month, the critical government-sponsored database went
from being an essential tool to a nearly dark destination.
That's when NVD posted on its website a very cryptic announcement
saying users "will temporarily see delays in [our] analysis efforts" as
the National Institute of Standards and Technology (NIST) implements
improved tools and methods. No further explanation has been
forthcoming.
The freeze isn't completely across the board: A small percentage of
CVEs is being documented by NIST, but by no means at the same velocity
seen in prior years. This puts enterprise security managers in a bind
to stay on top of new threats.
The CVE model is composed of 365 partners who collect threats, with
about half of them US-based, covering a wide range of software vendors,
bug bounty operators, and private research firms. Each participant
posts new threats according to a careful schema to ensure that the new
items are unique. Since the beginning of the year, there have been more
than 6,000 new CVEs posted.
But for some unexplained reason, nearly half of these have omitted any
details in the NVD, details that make the vulnerability data useful to
enterprise security managers and to the numerous vulnerability
management tools that can help prevent potential damages from
attackers.
One of these tools is Tenable's Nessus vulnerability scanner. Its
researchers point out that NIST's NVD provides added context to each
particular vulnerability, context that can determine whether the threat
is critical and requires immediate patching or can affect a wide
population of applications and operating systems.
Dan Lorenc, CEO of Chainguard, [2]wrote a post on LinkedIn last month
documenting the situation. "The [latest] CVE entries do not contain any
metadata around what software is actually affected," he wrote. "This is
a massive issue and the lack of any real statement on the problem [by
NIST] is troubling."
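The missing metadata described above (affected-software CPE entries and a NIST-assigned CVSS score) is something a defender's vulnerability pipeline can detect before it trusts a record. The following is an added example, not code from the article, NIST or MITRE; it assumes the field names of the public NVD CVE API 2.0 JSON schema (vulnStatus, metrics.cvssMetricV31, configurations) and uses constructed placeholder records rather than real CVE data.

```python
"""Triage NVD CVE API 2.0 records by how much NIST enrichment they carry.
Added example (not from the article, NIST or MITRE). Field names follow the
public NVD API 2.0 JSON schema; the records below are constructed fixtures."""
import json

# Constructed fixture shaped like an NVD API 2.0 response; the ids are placeholders.
SAMPLE_NVD_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"source": "nvd@nist.gov", "type": "Primary",
                                            "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [{"source": "cna@example.test", "type": "Secondary",
                                            "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
]})

def cpe_criteria(cve: dict) -> list[str]:
    """Every CPE match string in the record's configurations block (NIST-supplied)."""
    return [m["criteria"] for cfg in cve.get("configurations", [])
            for node in cfg.get("nodes", []) for m in node.get("cpeMatch", [])]

def cvss_types(cve: dict) -> set[str]:
    """'type' of each CVSS entry: 'Primary' is NIST's score, 'Secondary' the CNA's."""
    return {e["type"] for key, entries in cve.get("metrics", {}).items()
            if key.startswith("cvssMetric") for e in entries}

def classify(cve: dict) -> str:
    """Bucket one record by what a scanner can do with it."""
    if (cve.get("vulnStatus") in ("Analyzed", "Modified") and cpe_criteria(cve)
            and "Primary" in cvss_types(cve)):
        return "nist_enriched"      # affected products and severity both present
    if cvss_types(cve):
        return "cna_scored_only"    # severity known, affected-product (CPE) data missing
    return "unenriched"             # nothing beyond the bare record; consult another source

def triage(response_json: str) -> dict[str, list[str]]:
    """Group the CVE ids in an NVD API 2.0 response by classification."""
    buckets: dict[str, list[str]] = {"nist_enriched": [], "cna_scored_only": [], "unenriched": []}
    for rec in json.loads(response_json)["vulnerabilities"]:
        buckets[classify(rec["cve"])].append(rec["cve"]["id"])
    return buckets

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_NVD_RESPONSE).items():
        print(f"{bucket:16} {', '.join(ids) or '-'}")
```

Records in the `cna_scored_only` and `unenriched` buckets are the ones a scanner cannot match to installed software from NVD alone and must cross-reference with a vendor feed or another collection.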
Lorenc isn't alone in that sentiment. "This is a data set of national
importance," says Josh Bressers of Anchore, who also [3]posted comments
about the situation earlier this month. "I would have expected clearer
communications because no one knows anything. It is all a mystery."
NIST representatives didn't reply to requests for comment from Dark
Reading.
Before the February freeze, NIST regularly updated each CVE with this
useful metadata; sometimes these updates would take weeks or months
from the date of their discovery to disclosure in the NVD entries.
"However, as the industry has seen, waiting on NIST to supplement CVE
records comes at a cost. With more CVEs being issued every year, we now
have more opportunities for software vendors to provide more complete
CVE records," [4]Tenable researchers said. Translated, that means
someone else has to pick up the slack.
Morphisec, a security tools vendor, [5]published a blog post describing
the NVD situation earlier this month. "Smaller organizations are
constantly chasing patches. The lack of metadata with NVD means they
are losing the immediate benefits and will reduce their overall
security," says Michael Gorelik, CTO of Morphisec. "This means that
potential business disruption is inevitable, especially in the
ransomware-rich landscape we have today. This is a bigger immediate
problem than the threats posed by GenAI."
Tom Pace, CEO of Netrise, says the freeze is a problem. "We don't know
the impacts of particular vulnerabilities anymore," he says. "This is
not a good state of affairs. This data set is relied on by many people
around the world. This is going to make patching more difficult and
slower." That means bad actors have more time to find their way into
enterprise networks.
One Alternative: MITRE Steps Up to Fill the Gap
NIST may be the agency responsible for NVD, but the lion's share of the
actual work product that is behind it comes from the well-known defense
contractor MITRE, since it takes care of the CVE collection. Pace says,
"It isn't technical — why isn't MITRE picking up the slack? NIST has a
smaller crew anyway." He calls out MITRE for falling down on its
mission and leaving security teams in the dark.
Dark Reading's requests for further information from MITRE were
rebuffed: "MITRE is unable to speak on this topic currently," said a
company representative. Pace asks, "How can private industry figure it
out on their own?"
Private industry has been working on NVD alternatives, to be sure. To
that end, one security consultant commented on LinkedIn that "NVD can't
be fixed and we have to give it up and fix both it and CVE together.
The US government isn't going to solve this, and solutions have to be
driven by the private sector."
There are numerous other data collections that have been created over
the decades. Several security vendors, such as Tenable, Qualys, and
Ivanti, have created their own vulnerability collections that contain
more metadata details and other items to help prevent attacks. And
there are several open source efforts that have been underway for years
but have lately gotten more attention, thanks to the NVD freeze.
One open source effort is from [6]VulnCheck, which has its NVD++
collection. Another is the [7]Open Vulnerability Database (OVD) from a
[8]variety of vendors, including Google, SonarSource, GitHub, Snyk,
and others. Both of these arose out of frustration among NVD users who
wanted to have better automated queries of the vulnerability data. The
NIST NVD had imposed rate limits on these queries, which both NVD++ and
OVD have eliminated. Switching to either collection from NIST's NVD
isn't simple and will require some programming effort and testing time.
Another effort comes from China, where several government agencies have
banded together to have [9]their own vulnerability database. That
could be bad news for the rest of the world because it will have
restrictions on what will be published, such as lacking any
proof-of-concepts that are typical of the NVD and open systems efforts.
Researchers speculate that this could also lead toward more Chinese
zero-day attacks, in effect, weaponizing these vulnerabilities.
Another Solution: A New Industry Consortium
Information on the NVD website cites a consortium that could operate
the database, although security researchers are skeptical. The
statement was thin on specifics, such as who will be part of the
effort. Pace says, "We've been disclosing and enriching vulnerabilities
following the same process for years, and pretty efficiently. Why would
we need a consortium now?" Bressers says a consortium is possible, but
the devil will be in the details when making a more useful successor to
NVD. He mentions that vulnerabilities continue to see exponential
growth and that any solution has to scale accordingly.
Finally, another complexity with the NVD freeze is that it goes counter
to reporting requirements from other parts of the federal government.
[10]The latest version, Rev. 5, of the Federal Risk and Authorization
Management program mandates that federal contractors have to use NVD as
an authoritative source of threats. "It feels like NIST is somehow
trying to wind this program down or hand it off while other areas of
the government are forcing its adoption," noted Lorenc in his blog
post. "What is going on here?"
Next week, vulnerability researchers will gather for the [11]VulnCon
conference in Raleigh, N.C., where an "NVD symposium" is on the
agenda. Perhaps more details will emerge then.
References
1. https://nvd.nist.gov/
2. https://www.linkedin.com/posts/danlorenc_nvd-nist-fedramp-activity-7172709591091245057-x0Ip/
3. https://anchore.com/blog/national-vulnerability-database-opaque-changes-and-unanswered-questions/
4. https://www.tenable.com/blog/mind-the-gap-how-waiting-for-nvd-puts-your-organization-at-risk
5. https://blog.morphisec.com/national-vulnerability-database-defend-unpatched-vulnerabilities
6. https://vulncheck.com/blog/nvd-plus-plus
7. https://osv.dev/
8. https://www.darkreading.com/vulnerabilities-threats/google-launches-scanner-to-uncover-open-source-vulnerabilities
9. https://www.atlanticcouncil.org/in-depth-research-reports/report/sleight-of-hand-how-china-weaponizes-software-vulnerability/
10. https://www.fedramp.gov/2024-02-16-rev-5-additional-documents-released/
11. https://www.first.org/conference/vulncon2024/