The US Cybersecurity and Infrastructure Agency (CISA) has announced the creation of “Vulnrichment,” a new project that aims to fill the CVE enrichment gap created by NIST National Vulnerability Database’s recent slowdown.
NVD is failing
Since 1999, NVD analysts have been adding CVE-numbered vulnerabilities to the database, after analyzing public data about them to “enrich” each entry with impact metrics (CVSS), vulnerability types (CWE), applicability statements (CPE), links to security advisories, and more.
This database is used by many vulnerability assessment and managament tools to automate the discovery and handling of security vulnerabilities affecting organizations’ systems.
It has to be noted, though, that most tools don’t rely solely on the NVD to supply this data. Nevertheless, the fact that NIST’s analysts have managed to analyze just 4523 of the 14280 CVEs they received since the start of the year is increasingly a problem.
Though NVD analysts are prioritizing the analysis of the most significant vulnerabilities, the backlog is growing. NIST says that a number of factors are behind this slowdown, “including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support.”
Its main professed solution for the problem is to establish a consortium of industry, government, and other stakeholder organizations that will collaborate on research to improve the NVD.
How will CISA’s Vulnrichment work?
“The CISA Vulnrichment project is the public repository of CISA’s enrichment of public CVE records through CISA’s ADP (Authorized Data Publisher) container. In this phase of the project, CISA is assessing new and recent CVEs and adding key SSVC decision points,” the agency explains on the project’s GitHub repo.
So far, CISA has enriched 1,300 CVEs.
CISA uses a SSVC decision tree model that aims to put vulnerabilities into one of four categories, based on their exploitation status, technical impact, impact on mission essential functions, public well-being impact, and whether exploitation can be automatable:
1) Track (“remediate vulnerabilities within standard update timelines”)
2) Track* (“remediate vulnerabilities within standard update timelines”)
3) Attend (“remediate vulnerabilities sooner than standard update timelines”)
4) Act (“remediate vulnerabilities as soon as possible”)
“For those CVEs that are rated as ‘Total Technical Impact,’ ‘Automatable,’ or have ‘Exploitation’ values of ‘Proof of Concept’ or ‘Active Exploitation,’ further analysis will be conducted. CISA will determine if there is enough information to assert a specific CWE identifier, a CVSS score, or a CPE string,” the agency noted, and confirmed that it won’t be overwriting the originating CNA’s data in vulnerabilities’ original CVE record.
For Vulnrichment, CISA is sticking with the CVE JSON format, “so stakeholders can immediately start incorporating these updates into vulnerability management processes.”
The agency is encouraging the IT cybersecurity professional community to provide feedback on their effort, and expects the project to evolve quickly.