
NVD still backlogged with 17K+ unprocessed bugs

NIST has made some progress clearing its backlog of security vulnerability reports to process – though it's not quite on target as hoped.

The US government standards body just blew its self-imposed September 30 deadline to bring the speed at which its National Vulnerability Database (NVD) processes new flaws up to its pre-February rate, following a decline in output this year.

Patrick Garrity of infosec intelligence outfit VulnCheck pored over the CVE-labeled bugs successfully analyzed by the NVD between February 12 and September 21, and reported "mixed" results.

NIST didn't respond to The Register's questions about its growing accumulation of vulnerabilities or VulnCheck's study, and we will update this story if we receive word from the US agency.

According to Garrity, as of September 21 the NVD still had 18,358 CVEs (72.4 percent of newly reported vulnerabilities) that needed to be analyzed. At the time of publication, the number had dropped slightly to 17,873. NIST updates these numbers daily, and they are all available via the NVD dashboard.

This does represent a big improvement over May's numbers, following NIST's hiring of an outside consultancy to help get its bug processing back on track.

"But a significant backlog remains," Garrity said in his analysis published on Monday, the day of NIST's previously stated deadline.

Jason Soroko, senior fellow at Sectigo, told The Register, "the backlog adds risk to an already challenging cybersecurity landscape."

What needs doing?

Here's a brief refresher for those who need it. The NVD is a NIST-managed public central repository for security flaws that have been assigned a CVE ID number to track them. The folks running the database perform what they call an "enrichment" of each CVE, which is a fancy way of saying they aggregate all the public info they can find about each vulnerability – think vendor and researcher disclosures, patches, proof-of-concept exploits, and so on – and then organize it all in that database for people to search and monitor.

Crucially, from that info, the NVD team calculates the severity of each bug, assigns it a vulnerability type, figures out the exact products affected, and then does QA on these details. Once an entry is approved, it's added to the database and made public. The process is defined here. It turns raw CVE IDs into human-friendly records.

"Once a CVE is in the NVD, enrichment team members can begin the enrichment process," the NVD folks explain in their documentation. "The processing time can vary depending on the CVE, the information available, and the quantity of CVEs published within a given timeframe."

It's that enrichment process that is behind schedule: CVEs are piling up that need analyzing, tidying up, and publishing in the public database, so that users and vendors can easily stay on top of what exactly has been disclosed and when, what has been patched, what is affected, how severe something is, and so on, all from one place.

It's important to have an independent entity manage that, in case a supplier (for example) tries to pass off a critical hole as a minor one, or in case there are conflicting reports on a bug. People have looked to the NVD as a trustworthy source of the security failures they need to be on top of, whether that means mitigating or patching.

Back in February, NIST scaled back the NVD program, which led to a pile-up of CVEs waiting to be analyzed — and growing frustration in the infosec industry. As of May 20, about 93.4 percent of new vulnerabilities since February remained unanalyzed, according to Garrity.

Then at the end of May, NIST amended its five-year, $125 million IT contract with Maryland-based Analygence to include support for clearing the NVD backlog.

Also at the time, NIST said it expected to get back to its pre-February CVE processing rates by the end of the government's fiscal year 2024 – the 12 months to September 30. That didn't happen, and while the mountain of security flaws to enrich isn't growing as fast as it was four months ago, it hasn't yet been leveled.

Orgs 'losing visibility' into new vulns

That's important because organizations that rely on the NVD are "losing visibility into assets," primarily those with "newer vulnerabilities that have been published during this time period," Garrity told The Register. "This means that there is a high likelihood that organizations don't have visibility into assets that are known to be being exploited."

One tool that should help with this, however, as Garrity noted in his research, is CISA's Vulnrichment project, which now provides independent CVSS severity scores and other data points for CVE-tagged bugs for those who need it.

Still, while Vulnrichment has "been a good stop gap until NVD gets its operations in order," the CVE logjam "is hurting security processes world over," Mayuresh Dani, security research manager at Qualys, told The Register.

Many orgs either rely on NVD-provided data for risk prioritization, or they use custom tools for surfacing vulnerabilities that build on NVD datasets, he added.

"Since NVD information is not available to them, which was reliable in the past, they need to spend additional cycles in collating and coming up with this information just so their processes continue," Dani said. "This is also hurting the open source community projects that depend on NVD data for their operations."
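The two record shapes the article keeps coming back to can be checked mechanically: the NVD API reports a `vulnStatus` for every CVE, so a feed consumer can tell which entries NIST has enriched and which are still queued, and when NVD has produced no score the CVE Program's own JSON 5.1 record may carry CISA's Vulnrichment ADP container with an independent CVSS score and SSVC exploitation status. The following is an added example written for this page, not code from The Register, NIST, VulnCheck or CISA; the field names follow the public NVD API 2.0 and CVE JSON 5.1 schemas as I understand them (the `CISA-ADP` provider short name and the `ssvc` "other" metric layout are assumptions), and every record and CVE ID in it is a constructed placeholder.

```python
"""Triage CVE feed entries when NVD enrichment is missing (added example)."""
import json

# vulnStatus values NIST uses for CVEs that have not completed enrichment.
PENDING_STATUSES = {"Received", "Awaiting Analysis", "Undergoing Analysis"}

# Constructed NVD API 2.0 response: one enriched CVE, two still queued.
# The CVE IDs are placeholders, not real identifiers.
NVD_RESPONSE = json.dumps({
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-00001", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [{
                     "source": "nvd@nist.gov", "type": "Primary",
                     "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
        {"cve": {"id": "CVE-0000-00002", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
        {"cve": {"id": "CVE-0000-00003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
    ]
})

# Constructed CVE JSON 5.1 record carrying a CISA Vulnrichment ADP container
# (assumed layout: providerMetadata.shortName "CISA-ADP", cvssV3_1 and ssvc metrics).
CVE_RECORDS = {
    "CVE-0000-00002": json.dumps({
        "cveMetadata": {"cveId": "CVE-0000-00002"},
        "containers": {
            "cna": {"descriptions": [{"lang": "en", "value": "constructed sample"}]},
            "adp": [{"title": "CISA ADP Vulnrichment",
                     "providerMetadata": {"shortName": "CISA-ADP"},
                     "metrics": [
                         {"cvssV3_1": {"baseScore": 7.5, "baseSeverity": "HIGH"}},
                         {"other": {"type": "ssvc",
                                    "content": {"options": [{"Exploitation": "active"}]}}}]}],
        },
    }),
}


def nvd_severity(cve):
    """(score, severity) from NVD's own Primary CVSS v3.1 metric, or None if unenriched."""
    for metric in cve.get("metrics", {}).get("cvssMetricV31", []):
        if metric.get("type") == "Primary":
            data = metric["cvssData"]
            return data["baseScore"], data["baseSeverity"]
    return None


def vulnrichment_severity(record):
    """(score, severity, exploitation) from the CISA ADP container, or None if absent."""
    for adp in record.get("containers", {}).get("adp", []):
        if adp.get("providerMetadata", {}).get("shortName") != "CISA-ADP":
            continue
        score = exploitation = None
        for metric in adp.get("metrics", []):
            if "cvssV3_1" in metric:
                score = (metric["cvssV3_1"]["baseScore"], metric["cvssV3_1"]["baseSeverity"])
            other = metric.get("other", {})
            if other.get("type") == "ssvc":  # SSVC decision points, e.g. Exploitation
                for opt in other.get("content", {}).get("options", []):
                    exploitation = opt.get("Exploitation", exploitation)
        if score:
            return score[0], score[1], exploitation
    return None


def triage(nvd_json, cve_records):
    """Map each CVE id to the source its severity came from: nvd, vulnrichment, or None."""
    results = {}
    for entry in json.loads(nvd_json)["vulnerabilities"]:
        cve = entry["cve"]
        cve_id = cve["id"]
        row = {"source": None, "score": None, "severity": None,
               "exploitation": None, "nvd_status": cve.get("vulnStatus")}
        sev = nvd_severity(cve)
        if sev:
            row.update(source="nvd", score=sev[0], severity=sev[1])
        elif cve_id in cve_records:
            fb = vulnrichment_severity(json.loads(cve_records[cve_id]))
            if fb:
                row.update(source="vulnrichment", score=fb[0], severity=fb[1], exploitation=fb[2])
        results[cve_id] = row
    return results


def backlog_share(nvd_json):
    """Fraction of CVEs in the response that NIST has not finished enriching."""
    entries = json.loads(nvd_json)["vulnerabilities"]
    pending = sum(1 for e in entries if e["cve"].get("vulnStatus") in PENDING_STATUSES)
    return pending / len(entries) if entries else 0.0


if __name__ == "__main__":
    for cve_id, row in triage(NVD_RESPONSE, CVE_RECORDS).items():
        print(cve_id, row)
    print(f"unenriched share: {backlog_share(NVD_RESPONSE):.1%}")
```

Against a real feed, `backlog_share` reproduces the kind of percentage VulnCheck reported, and the third placeholder CVE shows the gap the article describes: queued at NVD, no Vulnrichment data, so the consumer has no independent severity at all and must fall back to vendor advisories or its own analysis.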


Plus, as Trend Micro Zero Day Initiative's head of threat awareness Dustin Childs pointed out, nobody knows exactly what remains in the backlog.

"It's a known unknown," Childs told The Register. "We know there's an impact, but it's not clear how bad the impact is since we don't know what CVEs are in that backlog."

Some security tools, vendor-produced advisories, and threat intel feeds provide additional visibility.

But there's not enough redundancy with other sources to make up for the NVD slowdown, because "there's really no profit in such an undertaking," Childs added. "This is one area network defenders look to governments to provide information since no one else is providing this type of information." ®

Source: theregister.com
