The NVD and meltdown? CVE slowdown, current uncertainties and alternatives

The world of vulnerabilities relies on the NVD, and its very foundations are shaky. If you are new to the cybersecurity and vulnerability space: the National Vulnerability Database (NVD) is a cornerstone for the standardization of vulnerability information, serving security teams, developers, and software vendors alike. Established by the National Institute of Standards and Technology (NIST), the NVD provides a comprehensive catalogue of publicly disclosed cybersecurity vulnerabilities. It plays a pivotal role in the vulnerability management lifecycle, enriching the data from the Common Vulnerabilities and Exposures (CVE) Program managed by MITRE with additional details such as severity scores, affected products, and the underlying weaknesses.

Comment below with what you think of the current situation and what could be done to improve it.

Figure: Monthly increase in vulnerabilities

The Criticality of NVD and Its Current Challenges

I can't stress enough how much pressure the NVD API is under and how drastic the consequences of any change are. Recently, the NVD changed its API method for querying vulnerabilities and, more recently, changed its CPE declarations, with CPE enrichment now almost absent. From 2015 to 2023, we saw a 33X increase in the number of vulnerabilities.

Figure: vulnerability data

The NVD's importance cannot be overstated. It serves not just as a repository but as an essential tool for the identification and mitigation of vulnerabilities, offering details like Common Platform Enumerations (CPEs).

Beyond the CPE backlog, there is a large backlog of vulnerabilities in the NVD awaiting processing. From the current description, the process of getting a CVE into the NVD seems straightforward.

The reality is much more complex, and Patrick Garrity did great work some time ago analysing the whole flow:

Figure: NVD process

Current Situation with CPE

CPEs are vital because they tell users which specific software and products are affected by a CVE. However, a significant challenge has emerged: the slowdown in the publication of new vulnerabilities and in the enrichment of existing ones, particularly the addition of CPE information. A longer article by Kevin Poireault explores additional elements of the current situation, including the near halt of the NVD's processing and enrichment of information.

Infosec Magazine: the criticality of the NVD

For a deeper dive into the vulnerabilities, Chris H. has also summarized this beautifully in a longer article: https://resilientcyber.substack.com/p/death-knell-of-the-nvd

Dan Lorenc from the security community has pointed out a concerning trend: the NVD appears to have stopped adding CPE matches to CVEs. This means that CVE entries are increasingly devoid of the critical metadata indicating which software is actually affected. This development is particularly troubling, as it hampers organizations' ability to accurately identify and prioritize vulnerabilities within their environments.

On February 15, the NVD website acknowledged that users might face "delays in analysis efforts," revealing that NIST is in the process of forming a consortium aimed at addressing the NVD program's challenges and developing enhanced tools and methodologies.

The Escalating Demand and the Strain on Resources

The NVD's challenges are compounded by the sheer volume of vulnerabilities it processes. From a few hundred to over 2000 monthly, the number of vulnerabilities has seen an astonishing 35% year-on-year increase. This exponential growth places an immense strain on the NVD's resources, necessitating a significant expansion in capacity and capabilities to keep pace.

Jerry Gamblin monitors the number of requests in the NVD and has recently flagged a backlog of vulnerabilities in the pipeline.

Moreover, the recent transition from version 1 to version 2 of the vulnerability management framework and the implementation of API throttling have further complicated access to and utilization of the NVD's services. These changes, while aimed at improving the system's efficiency and reliability, have created additional hurdles for users who rely on real-time data for vulnerability management.

Navigating Through the Slowdown: Seeking Alternatives

Given the current challenges, the cybersecurity community must explore alternatives and supplementary strategies to mitigate the impact of the NVD's slowdown. Here are some considerations:

  • Leverage Other Vulnerability Databases: Organizations should consider utilizing other vulnerability databases and information sources, such as those maintained by cybersecurity firms, open-source projects, or international cybersecurity agencies, to ensure broader coverage of vulnerabilities. A great post from Balint Fazakas highlights some of these vulnerability sources:
      • CIRCL.LU: https://cve.circl.lu/ - CPE, CVE, and CAPEC information
      • VulDB: https://vuldb.com/
      • Vulmon: https://lnkd.in/eJScSsYf
      • Vulners: https://vulners.com/
      • VulnCheck: https://vulncheck.com/nvd2
      • For libraries and open source: https://osv.dev/
      • Did I miss anyone? Add one in the comments.
  • Collaborative Sharing and Analysis: The cybersecurity community can benefit from increased collaboration and information sharing, leveraging platforms and forums where insights and analyses of vulnerabilities are shared in real time. An initiative
  • Invest in Automated Tools: Download historical information, rely on ML/CWE-based CPE enrichment, and keep a local copy of the NVD; https://vulncheck.com/nvd2 has done great work on this. Organizations can also invest in automated vulnerability management tools that aggregate data from multiple sources, providing a more comprehensive view of the threat landscape and enabling a quicker response to emerging vulnerabilities.
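As an added example (my own code, not from the article or from any of the tools it names), here is a small audit for a local NVD mirror: it separates the entries that already carry CPE matches from the backlog that still needs enrichment from another source. The record layout (`vulnerabilities`, `cve.vulnStatus`, `configurations[].nodes[].cpeMatch[].criteria`) follows the public NVD API 2.0 JSON format as I know it, and the CVE ids and records are constructed for the example.

```python
import json
from collections import Counter

# Constructed sample in the NVD API 2.0 JSON layout (field names follow the
# public format; the CVE ids and records are made up for this example).
# Only the first record has been enriched with CPE matches.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True,
                  "criteria": "cpe:2.3:a:example:app:1.0:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis"}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Undergoing Analysis",
             "configurations": []}},
]})


def cpe_criteria(cve):
    """Collect every CPE match string attached to one CVE record."""
    return [m["criteria"]
            for cfg in cve.get("configurations", [])
            for node in cfg.get("nodes", [])
            for m in node.get("cpeMatch", [])]


def audit_enrichment(feed_json):
    """Split a local NVD mirror into enriched entries and the CPE backlog.

    Returns (coverage_ratio, backlog_ids, status_counts). The backlog is the
    set of CVEs to look up in an alternative source (OSV, CIRCL, vendor
    advisories) while NVD enrichment is stalled.
    """
    records = json.loads(feed_json)["vulnerabilities"]
    backlog, statuses = [], Counter()
    for rec in records:
        cve = rec["cve"]
        statuses[cve.get("vulnStatus", "unknown")] += 1
        if not cpe_criteria(cve):          # published, but nobody knows what it hits
            backlog.append(cve["id"])
    enriched = len(records) - len(backlog)
    coverage = enriched / len(records) if records else 0.0
    return coverage, backlog, statuses


if __name__ == "__main__":
    cov, backlog, statuses = audit_enrichment(SAMPLE_FEED)
    print(f"CPE coverage: {cov:.0%}; still need enrichment: {backlog}")
    for status, n in statuses.most_common():
        print(f"  {status}: {n}")
```

Run it against a real mirror by swapping SAMPLE_FEED for the contents of a downloaded NVD 2.0 feed page; the backlog list is what to feed into the alternative sources above.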


Patrick Garrity has also flagged, in this article https://www.dhirubhai.net/pulse/security-industry-depends-nvd-patrick-garrity--jwq9c/, the need for a petition for funding.

A reminder that the open-source, USA-founded vulnerability database is still open source.

Some historical reasoning from Patrick Garrity on the current challenges of the NVD:

  1. For the first time in years, NIST's budget was reduced. Timing on this appears to be early March: https://ww2.aip.org/fyi/many-science-agencies-cut-in-final-fy24-budget
  2. NIST NVD has been resource constrained for years and CVE growth has become exponential, likely paired w/ limited to no additional resources.
  3. There has likely been turnover on the team, possibly due to a multitude of reasons, which likely include budget.
  4. Government scientific techies generally aren't the best at communication, further exacerbating the current issue. Also, they are likely focused on solving the problem and less on thinking about managing short-term impact. They also likely have to be careful about speaking out publicly due to the political climate.
  5. NVD is a manual enrichment process that requires ramp time to train on, as they use a scientific process to ensure accuracy of results.

The Path Forward

The NVD's current predicament underscores the critical need for sustained support, investment, and innovation to address the burgeoning demands of vulnerability management. As the cybersecurity landscape continues to evolve, so too must the tools and resources we rely on to protect our digital infrastructure.

The initiative by NIST to establish a consortium offers a glimmer of hope for the future of the NVD program. However, it is incumbent upon the entire cybersecurity community to rally in support of these efforts, advocating for the resources and reforms necessary to ensure the NVD can continue to fulfill its vital role in our collective security.


How many vendors utilise the NVD feed to associate risks to assets and then claim they have vulnerability management capabilities?

Stefan von Rohr

8 months

Your detailed analysis sheds light on the critical challenges facing the NVD. Collaboration and action are key in addressing these issues. Keep up the great work!

Carlos Cabezas Lopez

8 months

Absolutely vital to address these challenges facing the NVD and cybersecurity infrastructure. Let's collaborate for sustainable solutions.

Mauricio Ortiz, CISA

8 months

We can sympathize with the #NIST and #NVD efforts all we want. I do not see this coming back to be a reliable source to depend on with the government budget restrictions as an ax over its head. The private sector should take the flag and move it forward. Do we want to pay for a CVE list? Most likely not but most people will if an entity delivers a reliable source to help prioritize efforts.

Ronnie Islam

8 months

Satwik Banerjee - interesting read.
