US Government Shuts Down And Leaves Organizations Worldwide Vulnerable
When it was first announced that the US Federal Government was shutting down, most people would admit their first thoughts were how this was going to impact them personally. Will the post office be open? What’s going to happen to many other government run services?
However, even they should have, most people were not thinking about how this shutdown would impact the global security of organizations.
As many of our readers already know, the US government funded CVE and NVD programs are woefully inadequate for companies to solely rely on for vulnerability tracking, as they require proper vulnerability intelligence. Even though CVE/NVD missed over 6,800 vulnerabilities in 2016 and even more in 2017 (How many? Wait for our 2017 Year End report is published soon!), they were actively working to cover issues.
However, there were concerns raised when the government shutdown was announced, and the NIST website was updated with the following message:
This message does appear to cover NVD and confirms that it is also offline and not processing vulnerabilities. The fact that NVD could be potentially offline wasn’t lost on everyone in the security industry.
We decided to check to see what the current impact was for organization that rely on CVE/NVD. The interesting thing is that even though the government shutdown started on January 19, 2018, when looking at the NVD website it appears that entries for most of January 2018 have not be properly analyzed. We noticed that CVE-2017-4948, which was published on January 5th, 2018 and is a vulnerability in VMware, is still not analyzed.
If you are running VMware and your security vendors rely on NVD (hint: almost all do!), then you may, unfortunately, be in the dark on this issue. In fact, you may be in the dark on the other 749 vulnerabilities that we have curated since that time frame as well in VulnDB.
Now that the US government shutdown is close to being ended, we will have to wait and see how long it takes NVD to get back online and properly handle the backfill of vulnerabilities that have yet to be processed. It will also be curious to see if we have another repeat of this exact same situation on Feb 8, 2018 when the new funding agreement supposedly expires.
If you are interested in ensuring that you have the best ALWAYS ON vulnerability intelligence in the market, we would welcome the opportunity to show you a demo of VulnDB!