US cuts: CVE list could stop immediately
The CVE list is central to coordinated action against dangerous bugs. The US government is withdrawing its funding, effective immediately.
Would there still be a penny left for IT security?
(Image: Daniel AJ Sokolov)
The mother of all vulnerability databases, the MITRE Corporation's Common Vulnerabilities and Exposures (CVE) list, could go offline in the next few hours, because the US government is not extending the funding. CVE is fundamental to cooperation in IT security: thanks to CVE, each reported security vulnerability is given a unique identifier, so that all parties involved can be sure they are talking about the same problem.
In a short internal letter, MITRE warns of a "collapse" of the National Vulnerability Database (NVD) of the National Institute of Standards and Technology (NIST), including the associated warnings and advisories. Security products of every origin, measures for defending against IT attacks and ultimately all types of critical infrastructure would be affected as well. The NVD builds on CVE entries and enriches them with detailed threat information, information on available updates and other recommendations for action. IT security managers, as well as journalists like us at heise security, use the NVD to look up the latest threat details.
It was only last year that the US federal authorities NIST and CISA (Cybersecurity and Infrastructure Security Agency) set about improving the NVD. Without CVE, however, this would come to nothing.
CISA wants to "mitigate" the effects
MITRE does not want to simply delete the servers, but assures that it is committed to the project. The government is making "considerable efforts" to secure MITRE's role. CISA has confirmed the end of funding and says it is "working urgently to mitigate the impact and preserve CVE". However, CISA itself has been affected by significant cuts and chaos thanks to Elon Musk's DOGE.
It remains to be seen what will happen next. A list of the CVE numbers assigned so far is available online on GitHub until further notice. As long as MITRE keeps the actual CVE servers running, accredited institutions (CVE Numbering Authorities, CNAs) will probably still be able to obtain CVE numbers automatically. However, from Thursday MITRE will probably no longer add vulnerabilities reported by third parties to the list.
Not a new problem
MITRE is a non-profit organization that emerged from the Massachusetts Institute of Technology (MIT) and manages six research centers on behalf of the US government, including the National Cybersecurity Federally Funded Research and Development Center since 2014. MITRE has been operating the CVE list since 1999, based on a series of annual contracts with the US Department of Homeland Security. With the annual contract now expiring, MITRE has apparently received almost 28 million US dollars, part of which was earmarked for CVE. Why the contract ends on Wednesday according to MITRE, but not until next week according to an entry on a US government website, is not known to heise online.
In 2018, CSO reported that the CVE share of the contract amounted to 1.2 million US dollars in 2006 and was increased to four million dollars in 2016. The amount is now likely to be significantly higher. CWE (Common Weakness Enumeration) was also financed via the most recent contract. CWE does not collect individual security vulnerabilities, but rather categories of common weaknesses in hardware and software, and standardizes their English names. This greatly facilitates communication and thus promotes the defense against, elimination and prevention of security vulnerabilities.
Back in 2018, during Donald Trump's first term in office, a committee of the US House of Representatives dealt with CVE and the NVD, which have not been running optimally for a long time; the NVD in particular has a considerable backlog. A group of Republican representatives called for the form of funding to be changed from uncertain annual contracts with MITRE to a stable budget item in the Department of Homeland Security. This was never implemented, quod erat demonstrandum.
(ds)