Friday, May 31, 2024

The NVD continues to underwhelm


Yesterday, the NVD put up the latest episode of their ongoing soap opera, “As the NVD declines”, in the form of this announcement on their website:

May 29, 2024: NIST has awarded a contract for additional processing support for incoming Common Vulnerabilities and Exposures (CVEs) for inclusion in the National Vulnerability Database. We are confident that this additional support will allow us to return to the processing rates we maintained prior to February 2024 within the next few months.

In addition, a backlog of unprocessed CVEs has developed since February. NIST is working with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) to facilitate the addition of these unprocessed CVEs to the NVD. We anticipate that this backlog will be cleared by the end of the fiscal year.

As we shared earlier, NIST is also working on ways to address the increasing volume of vulnerabilities through technology and process updates. Our goal is to build a program that is sustainable for the long term and to support the automation of vulnerability management, security measurement and compliance.

With a 25-year history of providing this database of vulnerabilities to users around the world and given that we do not play an enforcement or oversight role, NIST is uniquely suited to manage the NVD. NIST is fully committed to maintaining and modernizing this important national resource that is vital to building and maintaining trust in information technology and fostering innovation. 

Moving forward, we will keep the community informed of our progress toward normal operational levels and our future modernization plans.

This announcement was loudly trumpeted by an article in Cybersecurity Dive today. The headline made me open the article, where I was immediately disappointed by the first sentence: “The National Institute of Standards and Technology expects to clear the towering backlog of unanalyzed vulnerabilities in the National Vulnerability Database by the end of September, the agency said in a Wednesday update.”

Why was this disappointing? To understand why, you need to understand the two most important activities performed by the NIST NVD staff:

1. Importing CVE reports produced by CVE.org and integrating them into the NVD database.

2. “Analyzing” the reports, which primarily consists of a) creating and adding a CVSS score (if not already present), b) adding CWEs, and c) adding CPE names. CPE names are by far the most important of those items, since without them, the CVE report is the rough equivalent of a car without a steering wheel: You know there’s a new vulnerability out there, but you have no idea which product(s) are vulnerable to it, unless you read the text of the report. However, text isn’t enough. The CPE name of a vulnerable product needs to be in the report, since without it, nothing will appear in the NVD to link the vulnerability to the product.
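To make the “car without a steering wheel” point concrete, here is an added example (not code from the post or from NIST) that triages CVE records for the three enrichment items named above and shows why a CPE-based product lookup silently misses unenriched CVEs. It assumes the field names of the NVD API 2.0 JSON schema; the CVE ids, vendor, product and CPE strings are constructed.

```python
import json

# Constructed sample shaped like an NVD API 2.0 response (assumption: these field
# names follow that schema; the CVE ids, vendor, product and CPE strings are made up).
SAMPLE_RESPONSE = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "descriptions": [{"lang": "en", "value": "exampleapp 1.0 has an XSS flaw."}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 6.1}}]},
             "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}]}],
             "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:examplevendor:exampleapp:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
             "descriptions": [{"lang": "en", "value": "exampleapp 2.0 allows RCE."}]}},
]})

def vulnerable_cpes(cve):
    """All CPE names the NVD has marked vulnerable for this CVE (empty if unenriched)."""
    return [m["criteria"]
            for cfg in cve.get("configurations", [])
            for node in cfg.get("nodes", [])
            for m in node.get("cpeMatch", [])
            if m.get("vulnerable")]

def enrichment_gaps(cve):
    """Which of the three enrichment items (CVSS, CWE, CPE) are still missing."""
    gaps = []
    if not cve.get("metrics"):
        gaps.append("cvss")
    if not cve.get("weaknesses"):
        gaps.append("cwe")
    if not vulnerable_cpes(cve):
        gaps.append("cpe")
    return gaps

def triage(response_json):
    """Map each CVE id to its list of missing enrichment fields."""
    data = json.loads(response_json)
    return {v["cve"]["id"]: enrichment_gaps(v["cve"]) for v in data["vulnerabilities"]}

def cves_for_product(response_json, vendor, product):
    """CVE ids linked to vendor:product by CPE name. An unenriched CVE has no
    CPE, so it never matches here even when its description names the product."""
    data = json.loads(response_json)
    prefix = f"cpe:2.3:a:{vendor}:{product}:"
    return [v["cve"]["id"] for v in data["vulnerabilities"]
            if any(c.startswith(prefix) for c in vulnerable_cpes(v["cve"]))]

def cves_mentioning(response_json, product):
    """Text-search fallback that does catch the unenriched CVE (noisier, but it is all you have)."""
    data = json.loads(response_json)
    return [v["cve"]["id"] for v in data["vulnerabilities"]
            if any(product in d["value"] for d in v["cve"].get("descriptions", []))]
```

Running `triage` over a real feed pull gives a quick count of how many records in your own queue are still waiting on CPE names, which is the backlog the post is talking about.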

However, the NVD didn’t lie when they said in their announcement, “NIST has awarded a contract for additional processing support for incoming Common Vulnerabilities and Exposures (CVEs) for inclusion in the National Vulnerability Database”, right before they said, “In addition, a backlog of unprocessed CVEs has developed since February.” The first quote refers to item 1 above: the “additional processing support” in the new contract is to help the NVD ingest CVEs into the NVD. The second quote refers to the enrichment of those CVEs. That’s the “additional backlog” that they haven’t even thought about addressing yet, let alone found the funds to reduce it (of course, reducing that backlog will require a lot more hours of effort, although it will not be technically difficult). CISA is trying to reduce it themselves, but they’re only doing so for a small percentage of the backlogged CVEs.

This is more than passing strange. After all, the NVD has been processing CVE reports since the early years of this century. Since the processing doesn’t add anything to the report beyond what the CNAs (who work on behalf of CVE.org) have already included, and since by now, parsing the reports and populating the appropriate NVD fields should be performed as soon as the report is received, why does the NVD even have a backlog of CVEs to process, let alone need to pay $865,000 to a contractor to lower the backlog?

I’m sure the reason is the same as the one that probably explains the collapse of the enrichment function during one day (Feb. 12) in February: the fact that the NVD’s hardware and software infrastructure was created two decades ago. Presumably, whoever developed them has long ago departed the NVD (and perhaps this world), perhaps not leaving behind what would be considered top-notch documentation today.

Contrary to what the article says, CISA’s funding cutback doesn’t explain the sudden collapse of the database on February 12. Nor does the fact that they received a larger-than-normal number of new CVE reports then. No modern database should choke and be down for 3 ½ months (and counting) due to a sudden increase in workload. In fact, no modern database should be down for even a day due to any technical problem, let alone 3 ½ months. But we’ve known for a long time that there are multiple single points of failure in the NVD’s infrastructure.

By the way, has anyone heard the NVD’s explanation for what happened in February, or even an apology? I didn’t think so, since they still haven’t provided one (note they didn’t do that in their announcement yesterday, either). This must mean one of two things, neither of which is good:

1. They still haven’t figured out what happened; or

2. They know what happened, but don’t think their worldwide users deserve to hear that.

I’m not sure which is worse.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com. Also, if you would like to learn more about or join the OWASP SBOM Forum, please email me.

My book "Introduction to SBOM and VEX" is now available in paperback and Kindle versions! For background on the book and the link to order it, see this post.
