CVE? Nope. NVD? Nope. Serious must-patch type flaws skipping mainstream vuln lists – report
Infosec firm fingers 'decentralised' reporting
The first half of 2018 saw a record haul of reported software vulnerabilities yet a high proportion of these won’t appear in any mainstream flaw-tracking lists, researcher Risk Based Security (RBS) has claimed.
According to the company’s estimate, it recorded a total of 10,644 vulnerabilities between the beginning of the year and June 30; 16.6 per cent of these were given CVSSv2 scores of 9.0 or higher (High to Critical severity), meaning they required urgent patching.
However, 3,279 of these don’t appear in official databases such as the Common Vulnerabilities and Exposures (CVE) and the US National Vulnerability Database (NVD), potentially leaving companies in the dark about their existence.
Of this less well-documented group, 44.2 per cent had a severity rating between 9.0 and 10.0.
“While other criteria than just CVSS scores are important to consider when managing and prioritizing vulnerabilities, it is highly problematic if an organisation is not aware of higher severity vulnerabilities that pose a risk to their assets,” said RBS chief research officer, Carsten Eiram.
The underlying reason, RBS claimed, is that as vulnerability reporting has grown, it has also become more decentralised. Today, vulnerabilities are being logged “everywhere and anywhere”.
It’s why companies such as RBS have sprung up to monitor numerous sources to gain a more accurate picture of the total number of flaws, it added.
This isn’t as simple as tracking multiple sources, because vulnerability reporting is often confusing and incomplete, and some sources are in languages other than English. “While some contend that the CVE/NVD solution is good enough, the number of data breaches based on hacking points to a different conclusion,” said RBS’s VP of vulnerability intelligence, Brian Martin.
“In today’s hostile computing environment, with non-stop attacks from around the world, organisations using sub-par vulnerability intelligence are taking on significant risk needlessly.”
Another issue was disclosure – how coordinated software vendors and developers are when informing customers that the software being used by them has a vulnerability.
The good news from the 2018 Mid-Year VulnDB QuickView Report is that 48.5 per cent of vulnerabilities are now disclosed in a coordinated way, an improvement over 2017.
And yet 25.5 per cent of the flaws reported between January and June have no known solution, either in the form of a software patch or a mitigation that reduces the flaw’s severity.
It could be argued that the overall gradual rise in the number of vulnerabilities should be interpreted as good news, a reflection of the small army of researchers who make it their job to find them.
While this might be true to some extent, only 13.1 per cent of coordinated disclosures originated from the booming sector of bug bounty programmes, the report's authors estimated. Meanwhile, almost a third of the total vulnerabilities were known to have a public exploit.
Leaving aside RBS’s sales pitch for their own research, it’s clear that organisations should be looking beyond mainstream vulnerability data sources.
“We continue to see a surprising number of companies still relying on CVE and NVD for vulnerability tracking, despite the US government funded organisations' continued underrepresentation of identifiable vulnerabilities,” said Martin. ®