Yesterday, the NVD put up the latest episode of their
ongoing soap
opera, “As the NVD declines”, in the form of this announcement on their
website:
May 29, 2024: NIST has awarded a contract for
additional processing support for incoming Common Vulnerabilities and Exposures
(CVEs) for inclusion in the National Vulnerability Database. We are confident
that this additional support will allow us to return to the processing rates we
maintained prior to February 2024 within the next few months.
In addition, a backlog of unprocessed CVEs has developed
since February. NIST is working with the Department of Homeland Security’s
Cybersecurity and Infrastructure Security Agency (CISA) to facilitate the
addition of these unprocessed CVEs to the NVD. We anticipate that this
backlog will be cleared by the end of the fiscal year.
As we shared earlier, NIST is also working on ways to address
the increasing volume of vulnerabilities through technology and process
updates. Our goal is to build a program that is sustainable for the long term
and to support the automation of vulnerability management, security measurement
and compliance.
With a 25-year history of providing this database of
vulnerabilities to users around the world and given that we do not play an
enforcement or oversight role, NIST is uniquely suited to manage the NVD. NIST
is fully committed to maintaining and modernizing this important national
resource that is vital to building and maintaining trust in information
technology and fostering innovation.
Moving forward, we will keep the community informed of our
progress toward normal operational levels and our future modernization plans.
This announcement was loudly trumpeted by an article
in Cybersecurity Dive today. The headline made me open the article,
where I was immediately disappointed by the first sentence: “The National
Institute of Standards and Technology expects to clear the towering backlog of
unanalyzed vulnerabilities in the National Vulnerability Database by
the end of September, the agency said in a Wednesday update.”
Why was this disappointing? To understand why, you need to understand
the two most important activities performed by the NIST NVD staff:
1. Importing CVE reports produced by CVE.org and integrating them into the NVD
database.
2. “Analyzing” the reports, which primarily
consists of a) creating and adding a CVSS score (if not already present), b)
adding CWEs, and c) adding CPE names. CPE names are by far the most important of
those items, since without them, the CVE report is the rough equivalent of a
car without a steering wheel: you know there’s a new vulnerability out there,
but you have no idea which product(s) are vulnerable to it unless you read the
text of the report. However, text isn’t enough. The CPE name of a vulnerable
product needs to be in the report, since without it, nothing in the NVD links
the vulnerability to the product.
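To make the CPE point concrete, here is an added example (not code from the original post or from NIST) that matches CVE records against an asset inventory the way automated vulnerability-management tooling does. The records are constructed samples in the shape of the NVD API 2.0 JSON (field names `vulnerabilities[].cve.id`, `vulnStatus`, `descriptions[].value` and `configurations[].nodes[].cpeMatch[].criteria`); the CVE ids, vendor and product names are placeholders, not real CVEs. The enriched record matches the inventory; the un-enriched record describes the same product in free text but has no CPE configuration, so the matcher cannot connect it to anything and can only flag it for manual reading.

```python
"""Matching NVD-style CVE records against a CPE inventory.

Added example, not from the original post. Records follow the NVD API 2.0 JSON
shape as assumed here; sample data below is constructed for illustration.
"""
import json
from collections.abc import Iterable

# Constructed sample: three records in NVD API 2.0 shape. Ids are placeholders.
SAMPLE_NVD_JSON = json.dumps({
    "vulnerabilities": [
        {"cve": {   # enriched: has a CPE configuration
            "id": "CVE-0000-0001",
            "vulnStatus": "Analyzed",
            "descriptions": [{"lang": "en", "value": "ExampleWidget 2.1 allows remote code execution."}],
            "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                {"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:examplewidget:2.1:*:*:*:*:*:*:*"}
            ]}]}],
        }},
        {"cve": {   # NOT enriched: same product named only in the description text
            "id": "CVE-0000-0002",
            "vulnStatus": "Awaiting Analysis",
            "descriptions": [{"lang": "en", "value": "ExampleWidget 2.1 has a buffer overflow in the parser."}],
            # no "configurations" key at all
        }},
        {"cve": {   # enriched, but for a product we do not run
            "id": "CVE-0000-0003",
            "vulnStatus": "Analyzed",
            "descriptions": [{"lang": "en", "value": "OtherTool 5.0 leaks credentials in logs."}],
            "configurations": [{"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
                {"vulnerable": True, "criteria": "cpe:2.3:a:othervendor:othertool:5.0:*:*:*:*:*:*:*"}
            ]}]}],
        }},
    ]
})

# Constructed inventory: the one product this organisation runs.
INVENTORY = ["cpe:2.3:a:examplevendor:examplewidget:2.1:*:*:*:*:*:*:*"]


def cpe_fields(cpe: str) -> list[str]:
    """Split a CPE 2.3 formatted string into its 13 components.

    The formatted-string binding escapes a literal colon as '\\:', so a plain
    str.split(':') is unsafe; walk the string and honour backslash escapes.
    """
    fields, cur, i = [], [], 0
    while i < len(cpe):
        ch = cpe[i]
        if ch == "\\" and i + 1 < len(cpe):
            cur.append(cpe[i:i + 2])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append("".join(cur))
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return fields


def cpe_matches(pattern: str, asset: str) -> bool:
    """Component-wise match; '*' (ANY) on either side matches that component.

    Treating an unknown ('*') asset component as a match errs on the side of
    flagging, which is what a defender wants from an inventory check.
    """
    return all(p == a or p == "*" or a == "*"
               for p, a in zip(cpe_fields(pattern), cpe_fields(asset)))


def vulnerable_cpes(cve: dict) -> list[str]:
    """Collect every CPE the record marks as vulnerable.

    Simplification: AND-nodes and version-range keys (versionStartIncluding
    etc.) are ignored; every cpeMatch entry is treated as an independent OR.
    """
    return [m["criteria"]
            for config in cve.get("configurations", [])
            for node in config.get("nodes", [])
            for m in node.get("cpeMatch", [])
            if m.get("vulnerable")]


def triage(nvd_json: str, inventory: Iterable[str]) -> dict[str, list[str]]:
    """Sort records into matched / not_matched / unenriched (no CPE data).

    An unenriched record cannot be matched at all: it goes to a manual-review
    bucket regardless of what its description text says.
    """
    assets = list(inventory)
    result: dict[str, list[str]] = {"matched": [], "not_matched": [], "unenriched": []}
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        cpes = vulnerable_cpes(cve)
        if not cpes:
            result["unenriched"].append(cve["id"])
        elif any(cpe_matches(c, a) for c in cpes for a in assets):
            result["matched"].append(cve["id"])
        else:
            result["not_matched"].append(cve["id"])
    return result


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_NVD_JSON, INVENTORY), indent=2))
```

Running it puts CVE-0000-0001 in `matched` and CVE-0000-0003 in `not_matched`, while CVE-0000-0002 lands in `unenriched` even though its description names the inventoried product: that bucket is exactly the enrichment backlog as a vulnerability-management tool sees it, and the only way to empty it is for someone to read the text and add the CPE.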
However, the NVD didn’t lie when they said in their announcement,
“NIST has awarded a contract for additional processing support for incoming
Common Vulnerabilities and Exposures (CVEs) for inclusion in the National
Vulnerability Database”, right before they said, “In addition, a backlog of
unprocessed CVEs has developed since February.” The first quote refers to item
1 above: the “additional processing support” in the new contract is to help the
NVD ingest CVEs into the NVD. The second quote refers to the enrichment of
those CVEs. That’s the “additional backlog” that they haven’t even thought about
addressing yet, let alone found the funds to reduce it (of course, reducing that
backlog will require a lot more hours of effort, although it will not be
technically difficult). CISA is trying to reduce it themselves, but they’re
only doing so for a small percentage of the backlogged CVEs.
This is more than passing strange. After all, the NVD has
been processing CVE reports since the early years of this century. Since the
processing doesn’t add anything to the report beyond what the CNAs (who work on
behalf of CVE.org) have already included, and since by now, parsing the reports
and populating the appropriate NVD fields should be performed as soon as the report
is received, why does the NVD even have a backlog of CVEs to process, let alone
need to pay $865,000 to a contractor to lower the backlog?
I’m sure the reason is the same as the one that probably explains
the collapse of the enrichment function on a single day in February (Feb. 12):
the NVD’s hardware and software infrastructure was created two decades ago.
Presumably, whoever developed it departed the NVD long ago (and perhaps this
world), without necessarily leaving behind what would be considered top-notch
documentation today.
Contrary to what the article says, CISA’s funding cutback
doesn’t explain the sudden collapse of the database on February 12. Nor does
the fact that they received a larger-than-normal number of new CVE reports then.
No modern database should choke and be down for 3 ½ months (and counting) due to
a sudden increase in workload. In fact, no modern database should be down for even
a day due to any technical problem, let alone 3 ½ months. But we’ve known for a
long time that there are multiple single points of failure in the NVD’s
infrastructure.
By the way, has anyone heard the NVD’s explanation for what
happened in February, or even an apology?...I didn’t think so, since they still
haven’t provided one (note they didn’t do that in their announcement yesterday,
either). This must mean one of two things, neither of which is good:
1. They still haven’t figured out what happened; or
2. They know what happened, but don’t think their worldwide
users deserve to hear that.
I’m not sure which is worse.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have
read here, I would love to hear from you. Please email me at tom@tomalrich.com. Also, if you would like to learn more about or join the OWASP SBOM Forum, please email me.
My book "Introduction to SBOM and VEX"
is now available in paperback
and Kindle versions! For background on the book and the link to order it,
see this post.