A recent rise in software vulnerability exploits has come as the US National Vulnerability Database, the world's most comprehensive vulnerability database, experiences its most significant crisis in history.
After a vulnerability enrichment slowdown that began in mid-February 2024, software security experts have told Infosecurity that the database, run by the US National Institute of Standards and Technology (NIST), has not shown any new vulnerabilities since May 9.
Cybersecurity professionals from the public and private sectors are trying their best to document the three-month-long vulnerability backlog and fill the gaps where they can.
Since issues with vulnerability enrichment first emerged on February 12, NIST has analyzed only 4,524 of the 14,286 common vulnerabilities and exposures (CVEs) received so far this year.
Having so many unanalyzed vulnerabilities means attackers have an opportunity to exploit them.
Ai, said he observed that vulnerabilities that have not yet been fully processed by the NVD were being actively exploited in the wild.
Infosecurity has spoken to many experts who noticed that no new vulnerabilities have been uploaded on the NVD for a few days.
Rey Lukashenkov is head of revenue at Vulners, a website that provides information on security vulnerabilities and exploits.
The issue is also shown on the website of CVE.ICU, a research project that provides a deeper understanding of software vulnerability disclosures.
Infosecurity has contacted NIST about the alleged CVE uploading halt.
A NIST spokesperson denied any disruption in vulnerability processing.
The issues were due to the NVD migrating to the new CVE JSON format.
In March, the NVD program manager, Tanya Brewer, announced at VulnCon that NIST would establish a consortium to address challenges in the NVD program.
In the meantime, many software security professionals, including Garrity and Chavoya, have been trying to keep track of the vulnerability backlog by publishing regular updates on the number of unanalyzed vulnerabilities.
Others are also attempting to fill the vulnerability analysis gap.
Chavoya claimed his company now covers 85% of the backlog vulnerabilities.
On May 8, the US Cybersecurity and Infrastructure Security Agency announced that it was starting a new software vulnerability enrichment program called 'Vulnrichment'.
It will focus on adding metadata to CVEs, including Common Platform Enumeration (CPE) names, Common Vulnerability Scoring System (CVSS) scores, Common Weakness Enumeration (CWE) tags, and Known Exploited Vulnerabilities (KEV) entries.
The Agency has asked all CVE Numbering Authorities to provide complete CVEs when making their initial submission to CVE.org.
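The backlog counts that the professionals mentioned above publish, and the CPE/CVSS/CWE metadata that Vulnrichment adds, can both be checked mechanically from NVD records. The following is an added example, not code from Infosecurity, NIST or CISA: it tallies a batch of records by `vulnStatus` and lists which enrichment fields each record still lacks. The record shape (`vulnerabilities[].cve` with `vulnStatus`, `metrics`, `weaknesses` and `configurations`) is assumed to follow the NVD API 2.0 response format; the three sample records and their `CVE-0000-*` identifiers are constructed placeholders.

```python
"""
Tally NVD API 2.0-style records by analysis status and enrichment gaps.

Added example, not code from the article or from NIST/CISA. The record
layout is assumed to match NVD API 2.0 responses; the sample data below
is constructed and the CVE ids are placeholders, not real CVEs.
"""
from collections import Counter

# Constructed sample: three records in the shape of an NVD API 2.0 response.
SAMPLE_RESPONSE = {
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-0001",  # placeholder id
            "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
            "weaknesses": [{"description": [{"value": "CWE-787"}]}],
            "configurations": [{"nodes": [{"cpeMatch": [
                {"criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}],
        }},
        {"cve": {
            "id": "CVE-0000-0002",  # placeholder id: received, nothing enriched
            "vulnStatus": "Awaiting Analysis",
            "metrics": {},
        }},
        {"cve": {
            "id": "CVE-0000-0003",  # placeholder id: CNA CVSS only, no CWE/CPE
            "vulnStatus": "Awaiting Analysis",
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]},
        }},
    ]
}

CVSS_KEYS = ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def enrichment(cve):
    """Return which of the CVSS / CWE / CPE metadata a record carries."""
    metrics = cve.get("metrics", {})
    has_cvss = any(metrics.get(k) for k in CVSS_KEYS)
    has_cwe = any(d.get("value", "").startswith("CWE-")
                  for w in cve.get("weaknesses", [])
                  for d in w.get("description", []))
    has_cpe = any(n.get("cpeMatch")
                  for c in cve.get("configurations", [])
                  for n in c.get("nodes", []))
    return {"cvss": has_cvss, "cwe": has_cwe, "cpe": has_cpe}


def backlog_report(response):
    """Count records per vulnStatus and map each id to its missing fields."""
    by_status = Counter()
    missing = {}
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        by_status[cve.get("vulnStatus", "Unknown")] += 1
        gaps = [field for field, present in enrichment(cve).items() if not present]
        if gaps:
            missing[cve["id"]] = gaps
    return {"by_status": dict(by_status), "missing": missing}


if __name__ == "__main__":
    # On real data, feed the parsed JSON of an NVD API 2.0 page here instead.
    print(backlog_report(SAMPLE_RESPONSE))
```

Run against a full page of API results, the `by_status` counter gives the "Awaiting Analysis" figure that the trackers mentioned above report, while `missing` separates records that are completely unprocessed from those where a CNA supplied a CVSS score but no CWE or CPE data, which is exactly the gap Vulnrichment is meant to close.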
He believes the entire vulnerability disclosure process must be updated and that automated reporting should prevail.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Tue, 14 May 2024 15:25:31 +0000