It would be hard to dispute that the CVE (Common Vulnerabilities and Exposures) program is a great concept: a “dictionary” of all known vulnerabilities in publicly released software or firmware so organizations can know what risks they are facing. (See "What is the CVE and how does it work?".) There is much dispute, however, 18 years after the nonprofit research and development organization MITRE launched the program, about how well it is working.
According to a number of critics, it’s not doing very well. Joshua Corman, a founder of I Am The Cavalry and director of the Cyber Statecraft Initiative for the Atlantic Council, said in a keynote at the SOURCE Boston conference in April that identifying and cataloging CVEs has fallen behind – way behind.
“For all vulnerabilities disclosed anywhere, commercial databases currently track about 80 percent. CVE tends to have 60 percent of that 80 percent,” he said. “So when you make a risk decision, you’re doing it with a blind spot of about 50 percent. This is a too-big-to-fail thing. It’s like our bridges and tunnels collapsing,” he said, adding, “It is about to get a lot worse,” thanks to the continuing explosion of devices and accompanying vulnerabilities that comprise the Internet of Things (IoT).
CSO’s Steve Ragan, in a Salted Hash post last September, noted that, “the CVE system is faced with bottlenecks and coverage gaps, as thousands of vulnerabilities go without CVE-ID assignments. “These gaps are leaving business leaders and security teams exposed to vulnerabilities that their security products, which rely on CVE-IDs to function and assess risk, don't even know exist in some cases,” he wrote.
Some members of the CVE Board – which includes 25 members from multiple segments of the cybersecurity community – are critical as well. Brian Martin, vice president of vulnerability intelligence at Risk Based Security and an independent member of the board, says that according to a vulnerability database his firm compiled, the gap is not as extreme as Corman estimates, but is still significant.
“There are currently 52,913 vulnerabilities without a CVE identifier. That is out of 158,413 they have cataloged, making it about 33 percent missing,” Martin says. However, the percentage improvement, “has come at the cost of accuracy and quality.” Some CVE descriptions being published are essentially worthless to consumers, as they lack critical details and don't include references that would help them. “So to benefit from the CVE ID, consumers have to do more work and struggle to understand the issue,” he says, adding that, “MITRE is also still flip-flopping on their assignment and abstraction rules. In some cases they are assigning too many IDs to a group of issues, other times they are not assigning the proper year ID.”
The backlog has even gotten the attention of US Congress. The chairmen of the House Energy and Commerce Committee and three of its subcommittees sent letters dated March 30 to MITRE, which continues to oversee the program. The Department of Homeland Security (DHS), which funds it, suggested that MITRE should have anticipated the growth in vulnerabilities, and asked what they are going to do about it.
“The explosion of connected devices and services that has been associated with the CVE program’s shortcomings, while rapid, did not occur overnight,” the letter to MITRE said.
“In light of this, we seek to understand how MITRE and the CVE program failed to anticipate and prepare for this growth … and what more may be done to ensure this program can more effectively serve its essential mission.”
While the committee wants to understand it, so far it apparently doesn’t want the public to understand it, even though the program is taxpayer funded. The letters asked for responses by April 13, but the committee has not yet made public any further information on communications with either MITRE or DHS. Dan Schneider, a spokesman for the committee, says MITRE has responded, but he declined to discuss it or anything about the program for the record.
Lucy Martinez, of the DHS public affairs office, says, “we do not comment on congressional correspondence and will respond directly to the members.” She did not respond to a request simply to see the MITRE response. Also, neither MITRE nor DHS would say what is the annual funding of the program. Ragan reported it was $1.2 million in 2006.
Regarding complaints of thousands of vulnerabilities still without IDs, Jennifer Lang, a spokeswoman for MITRE, says the CVE program, “assigns a number to 100 percent of the vulnerabilities of which we are aware and that meet our definition of a vulnerability. There are also an unknown number of vulnerabilities in the cyber ecosystem that could be assigned,” she says. “The challenge is that we can’t quantify that number in percentage terms because they have not been disclosed to the CVE program.” Lang adds that, “there is no single or universally accepted way to count vulnerabilities, and different organizations define and count vulnerabilities differently.”
That troubles Martin. “I fully believe that responses should be a matter of public record, given the embedded nature of the CVE program,” he says. “The 'stakeholders' in CVE, as they call them, or ‘consumers’ as I do, should understand what MITRE is doing to address the issues.”
The program’s defenders, however, say things are improving and have been for the past 15 months. They credit what they call a “federated system,” which has enlisted dozens more organizations as CNAs (CVE Numbering Authorities) – 62 at current count – to identify new vulnerabilities and assign ID numbers to them.
Kent Landfield, director, standards and technology policy at Intel, and chief standards and technologies policy strategist for the CVE board, agreed that MITRE had been overwhelmed by the “explosion” of vulnerabilities. He says things “came to a head in January 2016, with the community, the board and MITRE at odds.” Since then, “things have been moving in the right direction,” he says, adding that while in the past, “MITRE was all centralized and hesitant to get new CNAs, they’ve now created a federated model. It’s still an experiment in some respects, but it started in March 2016.”
The intent, he says, is to divide the CVE ID burden among “root” CNAs that are responsible for different categories of CVEs.
An example is the Distributed Weakness Filing (DWF) Project, which is responsible for finding and identifying vulnerabilities in open source software. Other CNAs – major companies like Microsoft, Apple and Google – identify and catalog vulnerabilities found in their own products.
The bottom line, Landfield says, is that, “it was very important that we put in place a mechanism that would scale – that would be sustainable. And that is what is happening.”
Kurt Seifried, director at the DWF Project, senior software engineer for Red Hat Product Security and also a CVE Board member, agreed. The way to close the gap in CVEs that are not part of the dictionary yet, he says, “is relatively simple: Add more CNAs to scale out CVE.
“This means having a governance model similar to DNS (Domain Name System) – MITRE is the root, DWF is the sub-root for all open source, Microsoft is a sub root for all Microsoft, and so on, with additional CNA hierarchies for countries/industry verticals. The operational model is much more peer-to-peer, with CNAs contacting each other as needed,” Seifried says.
He noted that, since the launch of the federated model, “we have doubled the number of CNAs, and in 2016 had more than 10,000 CVEs assigned. We’re also working on automation and other self-service-style aspects to continue scaling the process to meet demand.”
Lang added that when the “federated” model began, there were only 22 CNAs, and since then 40 have been added, “with new CNA candidates continually entering the queue.”
So, does that mean the problem, while it still exists, is well on the way to being solved? Art Manion, vulnerability analysis technical manager at CERT (Computer Emergency Response Team) Division, Carnegie Mellon University Software Engineering Institute, and another CVE Board member, is cautiously optimistic. Cautious because he believes some of Martin’s criticisms are valid – that while it is possible to quibble over the exact magnitude of the gap, it is “drastic” by any measure, and because it is indeed going to be impossible, with the current model, to keep up with the explosive increase in vulnerabilities because of the “IoT apocalypse.”
Assigning IDs to 10,000 to 14,000 vulnerabilities in a year, “is going to be an order of magnitude too low. The problem is passing human scale,” he says, “so the only way to address it is with automation.” But, he is also optimistic because he is on one of the working groups created by the CVE Board that is devoted to bringing automation into the ID process.Also, “there are signs that the federated system is working, although it’s too early to tell” about the long-term, he says.
According to Martin, success in the long term will also depend on doing the basics. “I believe MITRE uses too much of the taxpayer funding for administrative positions, rather than more personnel that directly support the database,” he says.
“They certainly need to implement a better quality assurance process on existing entries. They need to agree on the current assignment standards, hold CNAs accountable, and most importantly hold themselves accountable to follow the standards.”