Something mysterious is happening at the US National Institute of Standards and Technology (NIST) that could make many organizations vulnerable to threat actors.
Since February 12, 2024, NIST has almost completely stopped enriching software vulnerabilities listed in its National Vulnerability Database (NVD), the world’s most widely used software vulnerability database.
Tom Pace, CEO of firmware security provider NetRise, told Infosecurity that only 200 out of the 2700 vulnerabilities, known as Common Vulnerabilities and Exposures (CVEs), published since that date have been enriched.
Failure to enrich the CVEs means that over 2500 vulnerabilities added to the database have been uploaded without crucial metadata information.
This information includes a description of the vulnerability and software ‘weakness’ that could lead to an exploit (known as Common Weakness and Exposure, or CWE), the names of software products impacted, the vulnerability’s criticality score (CVSS) and the vulnerability’s patching status.
Read more: A Guide to Zero-Day Vulnerabilities and Exploits for the Uninitiated
A Significant Drop in Enrichment Data Uploads on the NVD
The issue was first discovered by Josh Bressers, VP of Security at software security provider Anchore, who published a blog post on March 8 showing a significant drop of enrichment data on NVD from around February 12.
Jerry Gamblin, principal engineer at Cisco Threat Detection & Response, shared another graph showing a significant drop in CVEs under the status ‘analyzed,’ which means they have been fully documented and an uptick in CVEs ‘awaiting analysis,’ compared with 2023.
Other posts from Gamblin and NetRise indicated similar drops in the number of published CVEs enriched with crucial metadata, such as CWEs, Common Product Enumerators (CPEs) and criticality scores (CVSS).
Therefore, despite new vulnerabilities being published they are currently not tagged to specific products, leaving organizations blind to what products and systems in their environments the specific vulnerabilities may be impacting.
Speaking to Infosecurity, Dan Lorenc, co-founder and CEO of software security provider Chainguard, commented: “It appears that the NVD has completely given up on adding CPE-matches to CVEs, meaning the CVE entries do not contain any metadata around what software is actually affected.”
On March 13, Anchore’s Bressers shared an updated version of the first graph, confirming that very few CVEs had been enriched over the past 30 days.
A “Massive Issue” For the Whole Cybersecurity Community
If such issues are not resolved quickly, they could significantly impact the security researcher community and all organizations worldwide.
NetRise’s Pace explained: “It means that you’re asking the entire cybersecurity community, overnight, to somehow go figure out what vulnerability is in what operating system, software package, application, firmware, or device. It’s a totally impossible, untenable task!”
Lorenc agreed and called the incident a “massive issue.”
“We are now relying on industry alerts and social media to ensure we triage CVEs as quickly as possible,” he said.
“Scanners, analyzers, and most vulnerability tools rely on the NVD to determine what software is affected by which vulnerabilities,” Lorenc added. “If organizations cannot triage vulnerabilities effectively it opens them up to increased risk and leaves a significant gap in their vulnerability management posture.”
NIST Hints at New NVD Consortium
On February 15, the National Vulnerability Database website announced that users may experience “delays in analysis efforts” because NIST “is currently working to establish a consortium to address challenges in the NVD program and develop improved tools and methods.”
Chris Hughes, president of Aquia, said that this message did not provide sufficient information for the security community.
“What exactly is this consortium, who will be involved, what changes will be made, and what sort of delays will we see as an industry when it comes to vulnerability analysis from the most widely used vulnerability database?” Hughes wrote in a post published in its Resilient Cyber newsletter on Substack on March 11.
NetRise’s Pace was surprised when he read the NVD announcement. “We’ve been disclosing and enriching vulnerabilities following the same process for years, and pretty efficiently. Why would we need a consortium now?”
At the time of writing, the NVD website has not made any further public announcements.
Infosecurity has contacted NIST and MITRE, a US non-profit organization tasked with maintaining CVEs, but they have not responded to a request for comments at the time of writing.
Hypotheses Explaining the Need for an NVD Consortium
The reason for these NVD disruptions or the need for a consortium remains unknown.
According to Hughes, there have previously been discussions within NVD stakeholder circles about replacing CPE. Such a replacement could be Software Identification (SWID) tags, a software tagging standard supported by both the Trusted Computing Group (TCG) and the Internet Engineering Task Force (IETF).
However, he said it is unlikely to happen. “Given SWID has already been kicked out of the discussions around software bills of materials (SBOMs) as an industry-leading format, and instead we see CycloneDX from OWASP and SPDX from The Linux Foundation dominating the SBOM format discussion.”
“Another useful note is that there are folks known as ‘the SBOM Forum’ currently advocating for the NVD to adopt Package URLs (PURLs) as well, given the pervasive use of software packages and open source software (OSS), but whether that materializes is still to be determined,” Hughes added.
Read more: How Organizations Can Leverage SBOMs to Improve Software Security
Internal discussions like these may have prompted the NVD to re-organize around a newly formed consortium.
Whatever the reason, Lorenc criticized the NVD’s lack of transparency in communication. He added that this is not the first time the security community has severely criticized the NIST-run team.
“Over the past year especially, the NVD has received much scrutiny from industry and those working to fix the broken vulnerability ecosystem. Historically, the NVD solved a huge visibility gap, but today, it has fallen behind,” Lorenc explained.
“As a result, we are starting to see other resources pop up, as well as countries considering starting their own. This is most apparent in the EU’s Cyber Resiliency Act,” he said.
China has also recently updated its vulnerability disclosure ecosystem, a recent analysis from the Atlantic Council has shown.
US Federal Government Issued NVD Requirements to Contractors
This episode coincides with the release of the latest revision of the Federal Risk and Authorization Management Program (FedRAMP Rev. 5), a US federal law requiring any company that wants to do business with the federal government to use the NVD as a source of truth and remediate all known vulnerabilities inside it.
“It feels like NIST is somehow trying to wind this program down or hand it off while other areas of the government are forcing its adoption,” noted Lorenc.
Alongside the enrichment drop, the NVD API has also been experiencing issues to an unprecedented scale, prompting vulnerability intelligence provider VulnCheck to release a free alternative called VulnCheck NVD++.
Infosecurity has contacted NIST and MITRE, which have not responded to requests for comments at the time of writing.