I’ve written a number of posts lately on the problems with
the National Vulnerability Database (NVD); this
one was the first. Briefly speaking, around the middle of February, the NVD
greatly slowed the rate at which it incorporated new CVEs into the database
(CVEs originate in the CVE.org database,
which is run by the Department of Homeland Security. The NVD is run by NIST, which is part of the
Department of Commerce).
In addition, the small number of new CVEs that have appeared
in the NVD since mid-February don’t have CPE names with them (CPE is the only software
identifier supported by the NVD). A CVE report without a CPE name on it is
about as useful as a car without a steering wheel, since the whole point of a
CVE report is to identify the product(s) that are affected by the vulnerability
(i.e., the CVE). While CPE has a fixed specification and CPE names
could in theory be generated automatically, the NIST staff members that run the
NVD feel compelled to create each CPE name manually.
However, it seems they’re not doing that very well, either. See the graph below, which was created last week by Patrick Garrity of VulnCheck. The X axis labels are very small, but each day of 2024 is a datapoint. On February 12, the “(CVEs) Analyzed” line (in green) flatlined. It has remained at an almost constant value since then, meaning almost no new CVEs have been analyzed in two months; since the NVD staff members only create a CPE name to go with a CVE when they “analyze” the CVE, this means that virtually no useful CVE reports (i.e., reports that link a CVE with one or more CPE names) have been added to the NVD since February 12.
Of course, this has not been due to a lack of new CVE reports coming from CVE.org. The red “(CVEs) Awaiting Analysis” line has steadily climbed since February 12. In other words, since February 12, new CVEs have appeared at their normal pace, but almost no new CVE reports have been analyzed by the NVD staff, meaning they still do not have CPE names.
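The check a defender would want from the passage above, as an added example that is not part of this post: it reads NVD records, keeps the ones whose analyst-assigned CPE names actually identify a vulnerable product, and flags the rest by status. It assumes the NVD API 2.0 record layout (the `vulnStatus` and `configurations` fields), which the post does not show, and uses constructed sample records.

```python
import json
import re

# Constructed sample in the NVD API 2.0 record layout (an assumption; the post does
# not show the format). The CVE ids and CPE names below are made up for illustration.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed", "configurations": [
        {"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
            {"vulnerable": True,
             "criteria": "cpe:2.3:a:examplevendor:exampleapp:1.2.0:*:*:*:*:*:*:*"},
            {"vulnerable": False,
             "criteria": "cpe:2.3:o:examplevendor:exampleos:*:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis"}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Received", "configurations": []}},
]})


def cpe_vendor_product(cpe: str) -> tuple[str, str]:
    """Return (vendor, product) from a CPE 2.3 name; colons escaped as '\\:' are kept."""
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return fields[3], fields[4]


def vulnerable_cpes(cve: dict) -> list[str]:
    """CPE names the NVD analyst marked vulnerable, across every configuration node."""
    return [m["criteria"]
            for config in cve.get("configurations", [])
            for node in config.get("nodes", [])
            for m in node.get("cpeMatch", [])
            if m.get("vulnerable")]


def triage_feed(feed_json: str) -> dict[str, dict]:
    """Separate records that can drive product matching from those that cannot.

    A record with no vulnerable CPE names is unmatchable whatever its status says:
    a scanner keyed on CPE will silently report nothing for it.
    """
    report = {"matchable": {}, "unmatchable": {}}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        cve = entry["cve"]
        cpes = vulnerable_cpes(cve)
        if cpes:
            report["matchable"][cve["id"]] = sorted({cpe_vendor_product(c) for c in cpes})
        else:
            report["unmatchable"][cve["id"]] = cve.get("vulnStatus", "unknown")
    return report


if __name__ == "__main__":
    for bucket, records in triage_feed(SAMPLE_FEED).items():
        print(bucket, records)
```

Run against a real NVD pull, the size of the "unmatchable" bucket is the practical measure of the backlog the graph describes.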
What happened to cause this problem? NIST has put up about
four or five notices since late February, the latest of which is this
one. It has no explanation, of course, even though that’s been promised a
couple of times. However, sometimes actions (or non-actions, in this case)
speak much louder than words. Here is what I think NIST is really telling us:
1. We still don’t fully understand what happened on Feb. 12. However, it wasn’t any sudden increase in new CVEs to analyze, any sudden decrease in staff, any sudden loss of funding, etc. The NVD has always been understaffed and underfunded, and new CVEs have increased most years.
2. No matter what the cause of the problem (other than a direct nuclear strike), we would have been up and running within minutes of the event – if our infrastructure weren’t two decades old. Any important modern database is fully redundant, but we have always had single points of failure. Clearly one or more of these failed.
3. Ironically, all of the data in the NVD is also in CVE.org, which utilizes a modern, fully-redundant database infrastructure. Why don’t we switch all queries to CVE.org, you ask? We refer you to Tom’s earlier statement: CVE.org is part of DHS, while we are part of the Department of Commerce. Maybe the two Secretaries will meet to work this out. And maybe Israel will sit down and have a good talk with Iran. But don’t count on either of these happening anytime soon.
4. We would like to tell you that we’re working on the problem, but how can we do that, since we still don’t understand it? Instead, we’re going to tell you about an idea we discussed with the OWASP SBOM Forum a year ago, but never followed up on: a “consortium” of private companies that will help us fix our problems. That will take 9-12 months at a minimum to put into place, and even then, it’s not clear what this group could do to fix our ancient infrastructure. But we have to point to something that we’re going to do, rather than just say we’ll continue to run from crisis to crisis. But that’s the most likely outcome.
5. Have a nice day!
To sum up, we’re two months into the NVD’s problem, and we
still don’t have even a partial explanation of the problem, let alone a full
one. And we definitely don’t have a solution!
What’s the next step, both for your organization and the US
government? The next step is to figure out what the options are for the next
step. The OWASP SBOM Forum is assembling a group
to do exactly that, and expects the group to start meeting soon. Let me know if
you’d like to participate in that, by contributing your time, your
organization’s money, or both (participation does not require a contribution).
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have
read here, I would love to hear from you. Please email me at tom@tomalrich.com.
My book "Introduction to SBOM and VEX" is now available in paperback and Kindle versions! For background on the book and the link to order it, see this post.