Since February 12, 2024, NIST has almost completely stopped enriching software vulnerabilities listed in its National Vulnerability Database (NVD), the world's most widely used software vulnerability database.
Tom Pace, CEO of firmware security provider NetRise, told Infosecurity that only 200 out of the 2700 vulnerabilities, known as Common Vulnerabilities and Exposures (CVEs), published since that date have been enriched.
Failure to enrich the CVEs means that over 2500 vulnerabilities added to the database have been uploaded without crucial metadata.
This metadata includes a description of the vulnerability and of the software 'weakness' that could lead to an exploit, the names of the software products impacted, the vulnerability's criticality score and the vulnerability's patching status.
A Significant Drop in Enrichment Data Uploads on the NVD

The issue was first discovered by Josh Bressers, VP of Security at software security provider Anchore, who published a blog post on March 8 showing a significant drop in enrichment data on the NVD from around February 12.
Jerry Gamblin, principal engineer at Cisco Threat Detection & Response, shared another graph showing a significant drop in CVEs under the status 'analyzed,' which means they have been fully documented, and an uptick in CVEs 'awaiting analysis,' compared with 2023.
Other posts from Gamblin and NetRise indicated similar drops in the number of published CVEs enriched with crucial metadata, such as CWEs (Common Weakness Enumeration), CPEs (Common Platform Enumeration) and criticality scores.
Despite new vulnerabilities being published, they are currently not tagged to specific products, leaving organizations blind to which products and systems in their environments the specific vulnerabilities may be impacting.
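As an added illustration (not code from the article, NIST or any of the vendors quoted), the check below flags CVE records that lack the enrichment fields the article describes (CWE, CPE, CVSS score) and counts records by NVD status, so a team consuming the NVD can see which entries cannot yet be matched against its asset inventory. Field names follow the NVD CVE API 2.0 JSON shape; the three records are constructed samples, not real NVD data.

```python
"""Flag NVD records that lack enrichment metadata (CWE, CPE, CVSS)."""
from collections import Counter

# Constructed sample records (not real NVD data): one fully enriched entry and
# two published-but-unenriched entries, mirroring the 'awaiting analysis' backlog.
SAMPLE_RECORDS = [
    {"cve": {"id": "CVE-2024-00001", "vulnStatus": "Analyzed",
             "weaknesses": [{"description": [{"value": "CWE-79"}]}],
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 6.1}}]}}},
    {"cve": {"id": "CVE-2024-00002", "vulnStatus": "Awaiting Analysis"}},
    {"cve": {"id": "CVE-2024-00003", "vulnStatus": "Awaiting Analysis",
             "weaknesses": [{"description": [{"value": "NVD-CWE-noinfo"}]}]}},
]


def missing_enrichment(record):
    """Return the names of enrichment fields absent from one CVE record."""
    cve = record["cve"]
    gaps = []
    cwes = [d["value"] for w in cve.get("weaknesses", []) for d in w["description"]]
    # NVD-CWE-noinfo / NVD-CWE-Other are placeholders, not a real weakness mapping.
    if not any(c.startswith("CWE-") for c in cwes):
        gaps.append("CWE")
    cpes = [m["criteria"] for conf in cve.get("configurations", [])
            for node in conf["nodes"] for m in node["cpeMatch"]]
    if not cpes:
        gaps.append("CPE")
    if not cve.get("metrics"):
        gaps.append("CVSS")
    return gaps


def enrichment_report(records):
    """Summarise status counts and per-CVE enrichment gaps for a batch of records."""
    by_status = Counter(r["cve"].get("vulnStatus", "Unknown") for r in records)
    gaps = {r["cve"]["id"]: g for r in records if (g := missing_enrichment(r))}
    return {"by_status": dict(by_status), "gaps": gaps}


if __name__ == "__main__":
    report = enrichment_report(SAMPLE_RECORDS)
    print(report["by_status"])
    for cve_id, fields in report["gaps"].items():
        print(f"{cve_id}: cannot be matched to inventory, missing {', '.join(fields)}")
```

In practice the records would come from a paged NVD API response; the same two functions apply to each `vulnerabilities` page.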
On March 13, Anchore's Bressers shared an updated version of the first graph, confirming that very few CVEs had been enriched over the past 30 days.
NetRise's Pace was surprised when he read the NVD announcement.
At the time of writing, the NVD website has not made any further public announcements.
Infosecurity has contacted NIST and MITRE, a US non-profit organization tasked with maintaining CVEs, but they have not responded to a request for comments at the time of writing.
The reason for these NVD disruptions or the need for a consortium remains unknown.
According to Hughes, there have previously been discussions within NVD stakeholder circles about replacing CPE. Such a replacement could be Software Identification (SWID) tags, a software tagging standard supported by both the Trusted Computing Group and the Internet Engineering Task Force.
Internal discussions like these may have prompted the NVD to re-organize around a newly formed consortium.
Whatever the reason, Lorenc criticized the NVD's lack of transparency in communication.
China has also recently updated its vulnerability disclosure ecosystem, a recent analysis from the Atlantic Council has shown.
This episode coincides with the release of the latest revision of the Federal Risk and Authorization Management Program (FedRAMP), a US federal law requiring any company that wants to do business with the federal government to use the NVD as a source of truth and remediate all known vulnerabilities inside it.
Alongside the enrichment drop, the NVD API has also been experiencing issues on an unprecedented scale, prompting vulnerability intelligence provider VulnCheck to release a free alternative called VulnCheck NVD++.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Fri, 15 Mar 2024 16:50:10 +0000