CVEs: More and better information on vulnerabilities from CISA

The US authority CISA is tackling the backlog of information in NIST's National Vulnerability Database, with far-reaching powers and a new, flexible approach.


(Image: phive/Shutterstock.com)


Anyone who has to deal with security vulnerabilities professionally can hardly avoid the National Vulnerability Database (NVD) of the National Institute of Standards and Technology (NIST). The US authority enriches the mother of all vulnerability databases, MITRE's Common Vulnerabilities and Exposures (CVE) list, with detailed threat information, information on available updates and other recommendations for action. IT security managers, but also journalists like us at heise security, use the NVD to look up the latest threat details.

This additional information is now being significantly expanded, and the parties involved want to thoroughly overhaul a system that is struggling. The reason: NIST cannot keep up with enriching new NVD entries, and since mid-February 2024 a massive backlog of unenriched CVE entries has been causing displeasure in the security community. The entries published by the responsible CVE Numbering Authorities (CNAs) often already contain some details, such as CVSS scores that indicate the severity of a vulnerability. In the vast majority of cases, however, important metadata is missing that security products such as SIEMs and firewalls, or tools for vulnerability and patch management, depend on receiving quickly.

In order to clear the backlog, NIST has increased its staff and also requested external help. That help is coming from the Cybersecurity and Infrastructure Security Agency (CISA), which announced its own solution to the problem in May 2024: the "Vulnrichment" project, which is publicly available on GitHub. Behind the portmanteau of vulnerability and enrichment lies more than just adding missing metadata to CVEs left behind by the backlog: the project aims to permanently accelerate the addition of missing CVE information and make it more flexible. It also integrates useful, CISA-specific additional information, such as the agency's SSVC (Stakeholder-Specific Vulnerability Categorization) assessments.

First of all, it is interesting to note that CISA does not transmit its vulnerability information to NIST so that NIST can supplement the NVD. Instead, CISA has been given the authority to directly supplement the data of existing and newly published CVE entries. According to a blog entry from the CVE program from June 2024, CISA was appointed the very first external "CVE Authorized Data Publisher" (ADP) for this purpose. This makes it clear that the US authority intends to participate in enriching the data in the long term.

Seen in context, the appointment is not a big surprise. CISA has been one of the financial sponsors of the CVE program for years and has itself held the role of root CNA for industrial control systems (ICS) since 2020. In addition, CISA employees sit on the CVE Board, which makes important decisions relating to the program.

CISA's additional information therefore also ends up in the original MITRE CVE records. Until now, MITRE's own database CVE.org only presented the information that the CNAs had stored in the CVE records and was therefore much less attractive as a data source than the NVD with its extra details. This has now changed: a look at the CVE.org entry for CVE-2024-6730, for example, reveals that CISA's data is now an integral part of the information offered there. MITRE presents it in a separate tab with the heading "ADP".

Anyone looking for an alternative to the web view of the information should take a look at MITRE's GitHub repository CVE List V5. The complete CVE list, including the enrichment data, is updated every seven minutes and is available for direct download.
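To make use of that download, a consumer has to tell apart what the CNA published from what CISA's ADP container added, because the two can disagree or one can be missing entirely. The following is an added example, not code from the article, CISA or MITRE. The sample record is constructed (placeholder CVE ID, vendor, product and values); its layout follows the CVE JSON 5.x schema as published (top-level `containers.cna` and `containers.adp[]`, the `CISA-ADP` provider shortName and the `other` metric of type `ssvc` that Vulnrichment emits). The second sample, with no ADP container, shows what an unenriched backlog entry looks like to the same code.

```python
"""Split a CVE JSON 5.x record into what the CNA published and what an ADP added.

Added example for this article; not code from heise, CISA or MITRE.
"""
import json
from typing import Any, Optional

CISA_ADP = "CISA-ADP"  # providerMetadata.shortName CISA uses for its ADP container

# Constructed sample record (placeholder ID, vendor, product and values; not a
# real CVE). The CNA supplies a CVSS score but no CPE; the CISA-ADP container
# adds CPE identifiers and SSVC decision points, the case the article describes.
SAMPLE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-2024-99999", "state": "PUBLISHED",
                    "assignerShortName": "example_cna"},
    "containers": {
        "cna": {
            "title": "Constructed example: buffer overflow in widget parser",
            "affected": [{"vendor": "ExampleVendor", "product": "Widget",
                          "versions": [{"version": "0", "lessThan": "2.4.1",
                                        "status": "affected", "versionType": "semver"}]}],
            "descriptions": [{"lang": "en", "value": "Constructed description."}],
            "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH",
                                      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}}],
            "references": [{"url": "https://example.invalid/advisory"}],
        },
        "adp": [{
            "providerMetadata": {"orgId": "00000000-0000-4000-8000-000000000000",
                                 "shortName": CISA_ADP},
            "title": "CISA ADP Vulnrichment",
            "metrics": [{"other": {"type": "ssvc", "content": {
                "version": "2.0.3", "role": "CISA Coordinator",
                "options": [{"Exploitation": "none"}, {"Automatable": "no"},
                            {"Technical Impact": "partial"}]}}}],
            "affected": [{"vendor": "ExampleVendor", "product": "Widget",
                          "cpes": ["cpe:2.3:a:examplevendor:widget:*:*:*:*:*:*:*:*"]}],
        }],
    },
})

# Same constructed record with no ADP container: an unenriched backlog entry.
_unenriched = json.loads(SAMPLE_RECORD)
del _unenriched["containers"]["adp"]
UNENRICHED_RECORD = json.dumps(_unenriched)


def load_record(raw: str) -> dict[str, Any]:
    """Parse a CVE JSON 5.x record and reject anything that is not one."""
    record = json.loads(raw)
    if record.get("dataType") != "CVE_RECORD" or "cna" not in record.get("containers", {}):
        raise ValueError("not a CVE_RECORD document with a CNA container")
    return record


def _short_name(container: dict[str, Any]) -> str:
    return container.get("providerMetadata", {}).get("shortName", "?")


def containers_by_source(record: dict[str, Any]) -> dict[str, dict[str, Any]]:
    """Map 'cna' and each ADP provider shortName to its container."""
    out = {"cna": record["containers"]["cna"]}
    for adp in record["containers"].get("adp", []):
        out[_short_name(adp)] = adp
    return out


def is_enriched(record: dict[str, Any]) -> bool:
    """True once CISA's ADP container is present on the record."""
    return CISA_ADP in containers_by_source(record)


def _cvss_score(container: dict[str, Any]) -> Optional[float]:
    """First CVSS base score in a container, preferring the newest CVSS version."""
    for metric in container.get("metrics", []):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            if key in metric:
                return float(metric[key]["baseScore"])
    return None


def ssvc_options(record: dict[str, Any]) -> dict[str, str]:
    """Flatten CISA's SSVC decision points ('other' metric of type 'ssvc')."""
    cisa = containers_by_source(record).get(CISA_ADP)
    options: dict[str, str] = {}
    for metric in (cisa or {}).get("metrics", []):
        other = metric.get("other")
        if other and other.get("type") == "ssvc":
            for option in other.get("content", {}).get("options", []):
                options.update(option)
    return options


def summarize(raw: str) -> dict[str, Any]:
    """Per-source view of the fields a vulnerability scanner or SIEM feed needs."""
    record = load_record(raw)
    sources = containers_by_source(record)
    return {
        "cve": record["cveMetadata"]["cveId"],
        "enriched": is_enriched(record),
        "adp_providers": [name for name in sources if name != "cna"],
        "cvss": {name: _cvss_score(c) for name, c in sources.items()},
        "cpes": {name: sorted({cpe for aff in c.get("affected", []) for cpe in aff.get("cpes", [])})
                 for name, c in sources.items()},
        "ssvc": ssvc_options(record),
    }


if __name__ == "__main__":
    for raw in (SAMPLE_RECORD, UNENRICHED_RECORD):
        print(json.dumps(summarize(raw), indent=2))
```

The per-source split matters in practice: a feed that merges `cna` and `adp` blindly cannot tell whether a CVSS score is the vendor's or CISA's, and `is_enriched` returning false is exactly the backlog condition the article describes, which a pipeline can flag rather than silently treating as "no data".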

The new ADP tab adds extra information to the previously rather sparse cve.org database.

(Image: Screenshot / cve.org)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.