Progress to report on the NVD!

This morning, the SBOM Forum met with three members of NIST’s NVD team (including the leader of the team) to discuss problems we know about pertaining to the NVD (listed below). We discussed a small number of the most serious problems and – of course – didn’t reach any solutions during the hour. However, the Forum members were quite pleased with NIST’s concern about these problems (almost none of which they knew about), as well as their willingness to discuss solutions. In fact, we’re going to have a follow-up meeting in about a month; I suspect/hope there may be more after that – perhaps every month.

The NIST people immediately brought up the fact that NIST hasn’t received their share of funding from the Omnibus funding measure that was passed by Congress at the end of last year. This means all of NIST is just receiving enough money to keep the lights on. The NVD group has 25 people at full strength, but at the moment they only have 19 (I believe that’s the number they said) and can’t hire anyone else. This is really bare bones.

However, I think they were surprised at our response (in fact, I was a little surprised at it). There was broad support (among the 22 or so people on the call, including people from major software suppliers as well as companies and nonprofits involved with SBOMs) for the idea of private companies banding together to help NIST address the problems listed below. Of course, this assistance wouldn’t be with dollars, but with something even better: Help from some very knowledgeable people.

The interesting thing about the NVD’s problems is that they’ve all been solved repeatedly; there’s nothing that requires new technologies, massive investment, etc. They can mostly be solved with changes in policies and procedures and education (of stakeholders) about those changes.

We started to discuss having this meeting a couple of months ago; then, our focus was the naming problem (for which we outlined a solution – as far as the NVD goes – in this paper last September). However, it seems there are currently some serious infrastructure problems – made worse as we approach September of this year, when NIST was planning to end the ability to download a “mirror” of the NVD (which many organizations do now, some many times a day). After our conversation today, my guess is mirroring won’t be removed in September, although there are certainly other infrastructure issues that need to be addressed (again, none of them huge or involving new technologies).

All good news. I’ll keep you up to date with new developments.

 

Issues for the NVD – discussed with NIST 4/28/23

CPE issues raised in SBOM Forum’s Sept. 2023 document

1. If a supplier has never reported a single CVE as applicable to any of their products, there will be no CPE for them. It is likely that the great majority of suppliers who have never reported a single CVE didn’t do this because they have never found a vulnerability in their products, but rather because they never looked for them. However, if a user searches on the supplier’s name, they will receive the “There are 0 matching records” message.

The problem is that this same message will be received when there is a CPE for the supplier, but there are no CVEs reported for products that they make. This might possibly mean the supplier is very diligent about identifying and fixing vulnerabilities. However, since the message will be the same in both cases, there is no way to determine which is the case.

2. There is no error checking when a new CPE name is entered in the NVD. Therefore, if the CPE name that was originally created for the product does not exactly follow the specification as it was entered, a user who later searches for the same product and enters a properly specified CPE will receive the same message: “There are 0 matching records”.

In other words, when a user receives this message, they might interpret this to mean there is a valid CPE for the product they’re seeking, but a vulnerability (CVE) has never been identified for that product - i.e., it has a clean bill of health. However, in reality it would mean the CPE name was created improperly. Even worse, there might be many CVEs attributed to the off-spec CPE name, but without knowing the name that was actually created, the user will never be able to learn about those CVEs.

2a. If a user mis-spells the CPE name they are searching for in the search bar, but there is in fact a legitimate CPE name already, the user will once again get the “There are 0 matching records” error message. If the user doesn’t realize they mis-spelled the name, they might once again believe the CPE is there, but there are no vulnerabilities (CVEs) attributed to it.

3. When a product or supplier name has changed since a proprietary product was originally developed (because of a merger, acquisition, or corporate rebranding), the CPE name for the product may change as well, but with no link to the previous name. Thus, a user of the original product may not be able to learn about new vulnerabilities identified in it, unless they know the name of the current supplier as well as the current name for the product.

4. Supplier and product names can be written in many ways, such as “Microsoft™” and “Microsoft™ Inc.”, or “Microsoft™ Word” and “Microsoft Office™ Word”, etc. However, there is no easy way to distinguish the correct supplier or product name among a large number of query responses from the NVD.

5. Sometimes, a single product will have multiple CPE names in the NVD because they have been entered by different people, each making a different mistake. For this reason, it will be hard to decide which name is correct. Even worse, there may be no “correct” name, since each of the names may have CVEs entered for it. This is the case with OpenSSL in the NVD now (e.g., “OpenSSL” vs “OpenSSL_Framework”). Because there is no CPE name that contains all the OpenSSL vulnerabilities, the user needs to find vulnerabilities associated with each variation of the product's name. But how could they ever be sure they had identified all the CPEs that have ever been created for OpenSSL?

6. Often, a vulnerability will appear in one module of a library. However, because CPE names are not assigned based on an individual module, the user may not know which module is vulnerable, unless they read the full CVE report. Thus, if the vulnerable module is not installed in a software product they use, but other modules of the library are installed (meaning the library itself is listed as a component in an SBOM), the user may unnecessarily patch the vulnerability or perform other unnecessary mitigations[1].

7. The supplier of a product doesn’t determine the CPE name (even if they are a CNA). But if NIST makes a mistake in specifying the name, the supplier will hear about it from unhappy customers.

8. There’s no way for a supplier to “self-onboard” themselves to the NVD. They have to wait until there’s a new CVE that applies to them, then get a CNA (or MITRE) to assign a CPE for them.

9. To reduce or eliminate errors in CPE names, it would be good for the NVD to automate creation of CPEs, as CVE.org has done with creation of new CVEs.

10. It would be good if the NVD people just used CPEs created by the supplier, instead of inventing new ones (and often making mistakes).

Other NVD issues

1. Many organizations download a “mirror” of the entire NVD regularly; however, that capability will be removed starting in September 2023. It has been “replaced” by the API, but there’s already experience indicating that having multiple large NVD users within one organization may lead to serious bottlenecks.

2. When a user identifies the need for an update or correction to any data, they must use email to request it. While NIST usually responds to the email within a week, a more efficient system than email might allow updates to be made within a day and require much less human involvement with each update.

3. A lot of the historical data in the NVD contains errors. These need to be cleaned up.

4. Because of the coming tsunami of SBOM-based component vulnerability searches, as well as increased interest in software supply chain vulnerability management in general, it is important that the NVD be easily scalable. While the SBOM Forum members don’t have direct knowledge of whether and how the NVD can scale, we do wish to emphasize that the NVD should be considered critical infrastructure and treated as such.

5. There are single points of failure in the NVD, including the CPE dictionary. There is a serious question how well this will withstand the millions of daily requests that will start hitting it in September.

6. In the NVD CVE downloads, one cannot determine which products referenced by CPEs contain the vulnerability.   In CVE-2021-44228, for example, there are many dozens of CPEs from various vendors such as Cisco, ServiceNow, Bentley, percussion and Net App, to name some.   However, from all the CPE entries, there is no way to determine which of the many dozens of products referenced by CPEs, contains the vulnerability (in this case Apache Log4j).   Often, the entry is first (Typically Configuration 1) but that is not always the case.  The request is that the NVD downloads indicate which of the CPEs directly contains the vulnerable code.

7. In addition to general scalability considerations, it is also important to consider the international dimension: The EU, UK, Japan and other countries are currently consulting about improving software security for their nations. They will need a single reliable and trustworthy source of vulnerability information, as opposed to having separate nation-backed solutions. Having separate solutions will make tooling inefficient and will likely lead to misleading results in many cases. 

Because the NVD is already widely used worldwide, it is the best candidate for this solution. Of course, the cost of implementing a worldwide solution needs to be borne by users (in both private and public sectors) in all participating countries. The fact that users in many countries will be contributing to the cost of developing and maintaining a central vulnerability database, as opposed to users in each country individually developing and maintaining their own national database, will undoubtedly allow a much higher level of investment in the central database, resulting in greater performance and functionality for all.

8. In the NVD CVE downloads, the CVSS score for each of the CPE entries should be made available if the vendor supplies that information.   Thus, for the Log4j CVE-2021-44228, there could be the overall CVSS score (10.0 Critical, in this case) along with the CVSS score for CPEs referencing Siemens products, Cisco Products, etc.   CVSS scores from a vendor (vs NIST or other sources) should be identified as such, so there is no confusion.   This will greatly aid organizations reviewing NVD to determine the urgency of applying published remediation.

9. There is a question whether the NVD query structure could be optimized to make it more efficient: i.e., to have a greater likelihood of producing positive results.

10. Greater transparency is needed. All too often, the NVD mailing list is only informed of an upcoming change when it’s already been decided on, or even implemented.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

---

[1] This probably occurred often with log4shell. That vulnerability was only present in the log4core module of the log4j library, yet the CPE name for a library always applied to the complete library, not any of the modules.