The Real Danger Lurking in the NVD Backlog

Summary:
On February 12, 2024, the NIST National Vulnerability Database significantly slowed its processing and enrichment of new vulnerabilities. Since then, 12,720 new vulnerabilities have been added, but 11,885 remain unanalyzed, hindering security professionals' ability to assess which software is affected. By February 15, the NVD had warned of analysis delays, raising concerns among industry experts about the increased risk of malicious exploitation and supply chain vulnerabilities. Of the new vulnerabilities added since February 12, 93.4% remain unanalyzed. According to VulnCheck's KEV data, 50.8% of known exploited vulnerabilities have not been analyzed, 55.9% of weaponized vulnerabilities remain unanalyzed, and 82% of CVEs with proof-of-concept exploits are unanalyzed. The lack of analysis of these critical vulnerabilities presents a significant risk, as threat actors, including nation-states and ransomware gangs, could exploit these gaps to target organizations with devastating consequences.

Analyst Comment:
For over 20 years, the NIST NVD has been a critical source of software vulnerability data, serving three primary functions: CVE enrichment, consumable data access, and CNA/vendor accountability. CVE enrichment means adding detailed information to each record, such as CVSS scores, CWE identifiers, CPE configurations, and reference tags. Consumable data access ensures that this information is available in a consistent and easily accessible format, such as JSON. CNA/vendor accountability involves managing CVE rejections and ensuring data quality. Despite debates over its approach, the NVD has been the go-to source for enriched CVE data, which is crucial for government and organizational vulnerability management.

Cybercriminals can leverage these unanalyzed vulnerabilities to launch attacks, leading to financial losses, data breaches, and disruption of services. The NVD's slowdown in processing vulnerabilities has significant implications for global cybersecurity, increasing the risk of exploitation. Coordinated efforts from the CVE community and third-party contributions are crucial to address these challenges and maintain robust vulnerability management practices.

Suggested Corrections:
To mitigate the NVD's slowdown, the CVE community, including CVE numbering authorities (CNAs), should enhance CVE records with comprehensive data when publishing new CVEs. This includes providing product names, vendor names, version numbers, thorough descriptions, broad references, CPE, CVSS, and CWE information. CVE.org/MITRE and NVD should focus on automating CVE enrichment where possible and addressing gaps where CNAs have not supplied sufficient information. NVD should deprioritize the manual review of every CVE submission and establish trust with CNAs and the CVE program to streamline the process.
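A practical consequence of the backlog is that a vulnerability feed can no longer be trusted to carry CVSS, CWE and CPE data, so consumers have to detect the gaps themselves and prioritize unanalyzed CVEs that an exploited-vulnerability list already names. The following Python is an added example, not code from the original article or from VulnCheck or NIST; it assumes the NVD API 2.0 JSON layout (the `vulnerabilities[].cve` object with `vulnStatus`, `metrics`, `weaknesses`, `configurations`) and uses constructed records with placeholder CVE IDs:

```python
import json

# Constructed sample in the NVD API 2.0 response layout (field names are my
# assumption about that schema; the records and CVE IDs are placeholders).
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
             "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}]}],
             "configurations": [{"nodes": []}]}},
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
             "metrics": {}, "weaknesses": [], "configurations": []}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis",
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]},
             "weaknesses": [], "configurations": []}},
]})

# Constructed KEV-style list: IDs that a separate exploited-vulnerability feed reports.
SAMPLE_KEV_IDS = {"CVE-0000-0003"}

# vulnStatus values that mean NVD enrichment has not happened yet.
UNANALYZED = {"Received", "Awaiting Analysis", "Undergoing Analysis"}

def missing_enrichment(cve):
    """Return which of the enrichment fields (CVSS, CWE, CPE) are absent from a record."""
    missing = []
    if not any(k.startswith("cvssMetric") for k in cve.get("metrics", {})):
        missing.append("CVSS")
    # NVD-CWE-Other / NVD-CWE-noinfo placeholders do not count as a real CWE.
    if not any(d.get("value", "").startswith("CWE-")
               for w in cve.get("weaknesses", []) for d in w.get("description", [])):
        missing.append("CWE")
    if not cve.get("configurations"):
        missing.append("CPE")
    return missing

def triage(nvd_json, kev_ids):
    """Split a feed into analyzed/unanalyzed, record enrichment gaps per CVE, and
    flag unanalyzed CVEs that an exploited-vulnerability feed already lists."""
    report = {"total": 0, "unanalyzed": [], "unanalyzed_exploited": [], "gaps": {}}
    for entry in json.loads(nvd_json)["vulnerabilities"]:
        cve = entry["cve"]
        report["total"] += 1
        gaps = missing_enrichment(cve)
        if gaps:
            report["gaps"][cve["id"]] = gaps
        if cve.get("vulnStatus") in UNANALYZED:
            report["unanalyzed"].append(cve["id"])
            if cve["id"] in kev_ids:
                report["unanalyzed_exploited"].append(cve["id"])
    return report

if __name__ == "__main__":
    r = triage(SAMPLE_NVD_JSON, SAMPLE_KEV_IDS)
    print(f"{len(r['unanalyzed'])}/{r['total']} unanalyzed; "
          f"exploited but unanalyzed: {r['unanalyzed_exploited']}; gaps: {r['gaps']}")
```

Records in `unanalyzed_exploited` are the ones the article's KEV figures describe and should be handled without waiting for NVD enrichment, using the CNA-supplied data or a third-party source.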

Link(s):
https://vulncheck.com/blog/nvd-backlog-exploitation