NIST NVD Disruption Sees CVE Enrichment on Hold

Since February 12, 2024, NIST has almost completely stopped enriching software vulnerabilities listed in its National Vulnerability Database, the world's most widely used software vulnerability database.
Tom Pace, CEO of firmware security provider NetRise, told Infosecurity that only 200 out of the 2700 vulnerabilities, known as Common Vulnerabilities and Exposures, published since that date have been enriched.
Failure to enrich the CVEs means that over 2500 vulnerabilities added to the database have been uploaded without crucial metadata information.
This information includes a description of the vulnerability and software 'weakness' that could lead to an exploit, the names of software products impacted, the vulnerability's criticality score and the vulnerability's patching status.
A Significant Drop in Enrichment Data Uploads on the NVD. The issue was first discovered by Josh Bressers, VP of Security at software security provider Anchore, who published a blog post on March 8 showing a significant drop of enrichment data on NVD from around February 12.
Jerry Gamblin, principal engineer at Cisco Threat Detection & Response, shared another graph showing a significant drop in CVEs under the status 'analyzed,' which means they have been fully documented and an uptick in CVEs 'awaiting analysis,' compared with 2023.
Other posts from Gamblin and NetRise indicated similar drops in the number of published CVEs enriched with crucial metadata, such as CWEs, Common Product Enumerators and criticality scores.
Despite new vulnerabilities being published they are currently not tagged to specific products, leaving organizations blind to what products and systems in their environments the specific vulnerabilities may be impacting.
On March 13, Anchore's Bressers shared an updated version of the first graph, confirming that very few CVEs had been enriched over the past 30 days.
NetRise's Pace was surprised when he read the NVD announcement.
At the time of writing, the NVD website has not made any further public announcements.
Infosecurity has contacted NIST and MITRE, a US non-profit organization tasked with maintaining CVEs, but they have not responded to a request for comments at the time of writing.
The reason for these NVD disruptions or the need for a consortium remains unknown.
According to Hughes, there have previously been discussions within NVD stakeholder circles about replacing CPE. Such a replacement could be Software Identification tags, a software tagging standard supported by both the Trusted Computing Group and the Internet Engineering Task Force.
Internal discussions like these may have prompted the NVD to re-organize around a newly formed consortium.
Whatever the reason, Lorenc criticized the NVD's lack of transparency in communication.
China has also recently updated its vulnerability disclosure ecosystem, a recent analysis from the Atlantic Council has shown.
This episode coincides with the release of the latest revision of the Federal Risk and Authorization Management Program, a US federal law requiring any company that wants to do business with the federal government to use the NVD as a source of truth and remediate all known vulnerabilities inside it.
Alongside the enrichment drop, the NVD API has also been experiencing issues to an unprecedented scale, prompting vulnerability intelligence provider VulnCheck to release a free alternative called VulnCheck NVD++.
Infosecurity has contacted NIST and MITRE, which have not responded to requests for comments at the time of writing.


This Cyber News was published on www.infosecurity-magazine.com. Publication date: Fri, 15 Mar 2024 16:50:10 +0000


Cyber News related to NIST NVD Disruption Sees CVE Enrichment on Hold

NIST NVD Disruption Sees CVE Enrichment on Hold - Since February 12, 2024, NIST has almost completely stopped enriching software vulnerabilities listed in its National Vulnerability Database, the world's most widely used software vulnerability database. Tom Pace, CEO of firmware security provider ...
7 months ago Infosecurity-magazine.com
NIST Confusion Continues as Cyber Pros Complain CVE Uploads Stopped - A recent rise in software vulnerability exploits has come as the US National Vulnerability Database, the world's most comprehensive vulnerability database, experiences its most significant crisis in history. After experiencing a vulnerability ...
5 months ago Infosecurity-magazine.com
NIST's NVD has encountered a problem - Whether the cause is insurmountable technical debt, lack of funds, a third reason or all of them, NIST's National Vulnerability Database is struggling, and it's affecting vulnerability management efforts. NIST hasn't further explained wherein the ...
7 months ago Helpnetsecurity.com
Accelerating Safe and Secure AI Adoption with ATO for AI: stackArmor Comments on OMB AI Memo - We appreciate the opportunity to comment on the proposed Memo on Agency Use of Artificial Intelligence. Ensuring agencies have access to adequate IT infrastructure,. We base our remarks on our experience helping US Federal agencies transform their ...
10 months ago Securityboulevard.com
CMMC v2.0 vs NIST 800-171: Understanding the Differences - The NIST SP 800-171 lays out the requirements for any non-federal agency that handles controlled unclassified information, or other sensitive federal information. DFARS does not address the CMMC at all but a new clause is currently being drafted for ...
10 months ago Securityboulevard.com
Update delays to NIST vulnerability database alarms researchers - Vital data used to protect against cyberattacks is missing from more than 2,000 of the latest entries in the world's most widely used vulnerability database. A significant number of new CVEs added to the National Vulnerability Database in recent ...
7 months ago Packetstormsecurity.com
NIST Fortifies Chatbots and Self-Driving Cars Against Digital Threats - In a landmark move, the US National Institute of Standards and Technology has taken a new step in developing strategies to fight against cyber-threats that target AI-powered chatbots and self-driving cars. The Institute released a new paper on ...
10 months ago Infosecurity-magazine.com
What is the NIST Cybersecurity Framework? Definition from SearchSecurity - The NIST Cybersecurity Framework provides guidance on how to manage and reduce IT infrastructure security risk. NIST created the CSF to help private sector organizations in the United States develop a roadmap for critical infrastructure ...
9 months ago Techtarget.com
NIST Getting Outside Help for National Vulnerability Database - NIST announced on Wednesday that it will be receiving outside help to get the National Vulnerability Database back on track within the next few months. The organization informed the cybersecurity community in February that it should expect delays in ...
5 months ago Securityweek.com
Patch management needs a revolution, part 3: Vulnerability scores and the concept of trust - Vulnerability ratings are the foundation for a good risk-based vulnerability management program, especially if they're from a trusted party. Red Hat champions the notion of risk-based vulnerability management. For every vulnerability affecting our ...
9 months ago Redhat.com
How AI can be hacked with prompt injection: NIST report - As AI proliferates, so does the discovery and exploitation of AI cybersecurity vulnerabilities. Prompt injection is one such vulnerability that specifically attacks generative AI. In Adversarial Machine Learning: A Taxonomy and Terminology of Attacks ...
7 months ago Securityintelligence.com
NIST: No Silver Bullet Against Adversarial Machine Learning Attacks - NIST has published a report on adversarial machine learning attacks and mitigations, and cautioned that there is no silver bullet for these types of threats. Adversarial machine learning, or AML, involves extracting information about the ...
9 months ago Securityweek.com
Week in review: Attackers trying to access Check Point VPNs, NIST CSF 2.0 security metrics evolution - RansomLord: Open-source anti-ransomware exploit toolRansomLord is an open-source tool that automates the creation of PE files, which are used to exploit ransomware pre-encryption. Attackers are probing Check Point Remote Access VPN devicesAttackers ...
5 months ago Helpnetsecurity.com
Preparing for Q-Day as NIST nears approval of PQC standards - Q-Day-the day when a cryptographically relevant quantum computer can break most forms of modern encryption-is fast approaching, leaving the complex systems our societies rely on vulnerable to a new wave of cyberattacks. While estimates just a few ...
4 months ago Helpnetsecurity.com
Preparing for Q-Day as NIST nears approval of PQC standards - Q-Day-the day when a cryptographically relevant quantum computer can break most forms of modern encryption-is fast approaching, leaving the complex systems our societies rely on vulnerable to a new wave of cyberattacks. While estimates just a few ...
4 months ago Helpnetsecurity.com
The US National Institute of Standards and Technology Announces the Successful Encryption Algorithm for Securing Internet of Things Data - The National Institute of Standards and Technology (NIST) recently announced that ASCON was the winning bid for its Lightweight Cryptography Program. This program was designed to find the best algorithm to protect small Internet of Things (IoT) ...
1 year ago Bleepingcomputer.com
How the New NIST 2.0 Guidelines Help Detect SaaS Threats - The SaaS ecosystem has exploded in the six years since the National Institute of Standards and Technology's cybersecurity framework 1.1 was released. Back in 2016-2017, when version 1.1 was initially drafted, SaaS held a small but significant place ...
7 months ago Bleepingcomputer.com
How to Build a Phishing Playbook Part 2: Wireframing - Welcome back to our series on automating phishing investigation and response with playbooks in Smart SOAR. This is a four-part series covering preparation, wireframing, development, and testing. Wireframing workflows is an excellent step in-between ...
10 months ago Securityboulevard.com
How to Enrich Data for Fraud Reduction, Risk Management and Mitigation in BFSI - To stay ahead of these challenges, organizations are increasingly relying on data products to enrich their data and enhance their fraud reduction and risk management strategies. The Data Revolution in BFSI. Data is the lifeblood of the BFSI sector. ...
8 months ago Securityboulevard.com
How to Build a SOAR Playbook: Start with the Artifacts - Security Boulevard - Artifacts are data elements relevant to your security incidents, such as device IDs, user IDs, IP addresses, file hashes, and process names. By focusing on commands that interact with your key artifacts, you streamline your playbook, making it more ...
1 month ago Securityboulevard.com
CVE-2009-4100 - Yoono extension before 6.1.1 for Firefox performs certain operations with chrome privileges, which allows user-assisted remote attackers to execute arbitrary commands and perform cross-domain scripting attacks via DOM event handlers such as onload. ...
7 years ago
New NCCoE Guide Helps Major Industries Observe Incoming Data While Using Latest Internet Security Protocol - PRESS RELEASE. Companies in major industries such as finance and health care must follow best practices for monitoring incoming data for cyberattacks. The latest internet security protocol, known as TLS 1.3, provides state-of-the-art protection, but ...
9 months ago Darkreading.com
Examining if NISTs Cybersecurity Framework 20 Could Lead to Global Standards - It has been almost seven years since the 1.1 update of NIST's Cybersecurity Framework. Since its launch in 2014, the Framework has become one of the most influential references for cybersecurity best practices and planning. In January, the world got ...
1 year ago Blog.isc2.org
Vanta announces new offerings to meet the needs of modern GRC and security leaders - Vanta announced a number of new and upcoming product launches enabling customers to accelerate innovation and strengthen security. The new offerings include advanced Reporting to help security professionals measure the success of their security ...
11 months ago Helpnetsecurity.com
NIST CSF Adoption and Automation - As a gold standard for cybersecurity in the United States and the foundation for many new standards and regulations starting to emerge today, the National Institute of Standards and Technology's Cybersecurity Framework is more crucial than ever. ...
10 months ago Securityboulevard.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)