NIST gives up enriching most CVEs

Posted by mooreds 8 hours ago

NIST gives up enriching most CVEs(risky.biz)

161 points | 37 comments

smsm42 8 hours ago|

> This opens the door for a lot of infosec drama. Some of the organizations that issue CVE numbers are also the makers of the "reported" software, and these companies are extremely likely to issue low severity scores and downplay their own bugs.

It is true but the reverse is also true. It may be very hard for an external body to issue proper scoring and narrative for bugs in thousands of various software packages. Some bugs are easy, like if you get instant root on a Unix system by typing "please give me root", then it's probably a high severity issue. But a lot of bugs are not simple and require a lot of deep product knowledge and understanding of the system to properly grade. The knowledge that is frequently not widely available outside of the organization. And, for example, assigning panic scores to issues that are very niche and theoretical, and do not affect most users at all, may also be counter-productive and lead to massive waste of time and resources.

zbentley 7 hours ago||

Very true. So many regulated/government security contexts use “critical” or “high” sev ratings as synonymous for “you can’t declare this unexploitable in context or write up a preexisting-mitigations blurb, you must take action and make the scanner stop detecting this”, which leads to really stupid prioritization and silliness.

gibsonsmog 7 hours ago|||

At a previous job, we had to refactor our entire front end build system from Rollup(I believe it was) to a custom Webpack build because of this attitude. Our FE process was completely disconnected from the code on the site, existing entirely in our Azure pipeline and developer machines. The actual theoretically exploitable aspects were in third party APIs and our dotNet ecosystems which we obviously fixed. I wrote like 3 different documents and presented multiple times to their security team on how this wasn't necessary and we didn't want to take their money needlessly. $20000 or so later (with a year of support for the system baked in) we shut up Dependabot. Money well spent!

jjav 2 hours ago||||

Very early in my career I'd take these vulnerability reports as a personal challenge and spent my day/evening proving it isn't actually exploitable in our environment. And I was often totally correct, it wasn't.

But... I spent a bunch of hours on that. For each one.

These days we just fix every reported vulnerable library, turns out that is far less work. And at some point we'd upgrade anyway so might as well.

Only if it causes problems (incompatible, regressions) then we look at it and analyze exploitability and make judgement calls. Over the last several years we've only had to do that for about 0.12% of the vulnerabilities we've handled.

lokar 6 hours ago|||

My favorite: a Linux kernel pcmcia bug. On EC2 VMs.

Sohcahtoa82 2 hours ago||

In a similar vein:

Raising alarms on a CVE in Apache2 that only affects Windows when the server is Linux.

Or CVEs related to Bluetooth in cloud instances.

minetest2048 2 hours ago|||

Or raising alarm on a CVE in linux mlx5 driver on an embedded device that doesn't have a pcie interface

nikanj 1 hour ago|||

”If you use that installed Python version to start a web server and use it to parse pdf, you may encounter a potential memory leak”

Yeah so 1) not running a web service 2) not parsing pdf in said non-existing service 3) congrats you are leaking memory on my dev laptop

semi-extrinsic 6 hours ago|||

Every month when there is a new Chrome release, there is a handful of CVSS 9.x vulnerabilities fixed.

I'm always curious about the companies that require vendors to report all instances where patches to CVSS 9.x vulnerabilities are not applied to all endpoints within 24 hours. Are they just absolutely flooded with reports, or does nobody on the vendor side actually follow these rules to the letter?

michaelt 3 hours ago|||

> I'm always curious about the companies that require vendors to report all instances where patches to CVSS 9.x vulnerabilities are not applied to all endpoints within 24 hours.

That sounds like a nigh-impossible requirement, as you've written it.

I suspect the actual requirement is much more limited in scope.

PunchyHamster 5 hours ago|||

the rating is nonsense anyway, which one actually applies to code you run varies wildly

9.x vulnerability might not matter if the function gets trusted data while 3.x one can screw you if it is in bad spot

rdtsc 6 hours ago|||

> It is true but the reverse is also true.

Yup. Almost every single time NVD came up with some ridiculously inflated numbers without any rhyme or reason. Every time I saw their evaluation it lowered my impression of them.

moomin 5 hours ago|||

Pretty sure if I had to bet on incentives or expertise, I'd bet on incentives every time.

LocalH 6 hours ago||

Also, sometimes CVEs aren't really significant security issues. See: curl

strenholme 5 hours ago||

The deluge of new security reports is somewhat of a pain in the butt for those of us who have written notable open source software decades ago that is still in use. I recently got about a dozen reports from one reporter, and they look to be AI-assisted reports.

Long story short, the reports were things like “If your program gets this weird packet, it takes a little longer than usual to free resources”. There was one supposed “packet of death” report which I took seriously enough to spend an afternoon writing a test case for; I couldn’t reproduce the bug and the tester realized their test setup was broken.

There seems to be a lot of pressure for people to get status by claiming they broke some old open source project, to the point people like me are getting pulled out of retirement to look at issues which are trivial.

tptacek 7 hours ago||

The NVD was an absolutely wretched source of severity data for vulnerabilities and there is no meaningful impact to vendors/submitters supplying their own CVSS scores, other than that it continues the farce of CVSS in a reduced form, which is a missed opportunity.

rwmj 8 hours ago||

https://archive.ph/S8ajd

"Enrichment" apparently is their term for adding detailed information about bugs to the CVE database.

j16sdiz 7 hours ago||

TBH, I don't see much enrichment they are giving in last 5 or 6 years.

deckar01 4 hours ago||

Mitre used to issue CVEs within 24 hours. I am going on 4 months now with no follow up, and no way to tell them GitHub issued a CVE already… I’m pretty sure they were just rubber stamping before. Considering disclosure normally should be coordinated with maintainers, 3rd parties like Mitre don’t seem to have much to offer or much to gain other than being a bottleneck.

a34729t 4 hours ago|

Honestly im surprised private industry doesnt take this over. Everybody already has their enriched, supplemental data on top of the Mitre/NVD definitions.

dlor 5 hours ago||

Enriching does a few things, but the main ones are adding CVSS information and CPE information.

CVSS (risk) is already well handled by other sources, but CPE (what software is affected) is kind of critical. I don't even know how they're going to focus enrichment on software the government uses without knowing what software the CVEs are in.

DeepYogurt 4 hours ago|

CPE is a joke. The offical spec doc asserts that correctness of names is not in scope for the spec. See section 5. Well-Formed CPE Name Data Model

https://csrc.nist.gov/pubs/ir/7695/final

khalic 6 hours ago||

I can’t help but draw a connection with the numerous budget cuts from this admin, including the almost-crisis from last year with NIST.

DeepYogurt 8 hours ago||

Long overdue to be honest.

RandomTeaParty 5 hours ago|

I was always wondering - are there alternative lists like this?

Maybe not in english or smth

More comments...