NIST Blames 'Growing Backlog of Vulnerabilities' Requiring Analysis on Lack of Support (infosecurity-magazine.com)

It's the world's most widely used vulnerability database, reports SC Magazine, offering standards-based data on CVSS severity scores, impacted software and platforms, contributing weaknesses, and links to patches and additional resources.

But "there is a growing backlog of vulnerabilities" submitted to America's National Vulnerability Database and "requiring analysis", according to a new announcement from the U.S. Commerce Department's National Institute of Standards and Technology (NIST). "This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support." From SC Magazine: According to NIST's website, the institute analyzed only 199 of 3370 CVEs it received last month. [And this month another 677 came in — of which 24 have been analyzed.]
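As an added example (not code from the article, from NIST or from SC Magazine) of how this backlog surfaces in a vulnerability-management pipeline: the NVD CVE API 2.0 (https://services.nvd.nist.gov/rest/json/cves/2.0) reports each record's enrichment state in a vulnStatus field. A CVE that is still "Awaiting Analysis" carries no NVD-assigned CVSS score (metric type "Primary") and no CPE configuration, so a scanner that matches on CPE strings silently misses it even though the CVE is public. The script below parses a constructed, API-shaped response (placeholder IDs of the form CVE-0000-000N, not real entries) and decides per record whether to use the NVD score, fall back to the CNA-supplied "Secondary" score, or flag the CVE as unrated. The field names follow the public API format; the three-way fallback policy is this example's own assumption, not NIST guidance.

```python
"""Triage NVD CVE API 2.0 records by enrichment state.

Added example. The record layout ('vulnStatus', 'metrics', 'configurations',
metric 'type' of 'Primary' for NVD vs 'Secondary' for the CNA) follows the
public NVD CVE API 2.0 JSON; the records below are constructed sample data
with placeholder IDs, not real NVD entries. Real data would come from
https://services.nvd.nist.gov/rest/json/cves/2.0 with pubStartDate/pubEndDate.
"""
import json
from collections import Counter

# vulnStatus values in API 2.0 responses that mean NIST has not finished
# (or not started) enriching the record.
PENDING_STATUSES = {"Received", "Awaiting Analysis", "Undergoing Analysis"}

# Constructed sample response (placeholder CVE IDs, not real vulnerabilities).
SAMPLE_RESPONSE = json.dumps({
    "resultsPerPage": 3, "startIndex": 0, "totalResults": 3,
    "vulnerabilities": [
        {"cve": {  # fully enriched: NVD score, CWE and CPE match present
            "id": "CVE-0000-0001", "published": "2024-03-04T10:00:00.000",
            "vulnStatus": "Analyzed",
            "metrics": {"cvssMetricV31": [
                {"source": "nvd@nist.gov", "type": "Primary",
                 "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
            "weaknesses": [{"source": "nvd@nist.gov", "type": "Primary",
                            "description": [{"lang": "en", "value": "CWE-787"}]}],
            "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                "cpeMatch": [{"vulnerable": True,
                              "criteria": "cpe:2.3:a:example:widget:1.0:*:*:*:*:*:*:*",
                              "matchCriteriaId": "00000000-0000-0000-0000-000000000001"}]}]}],
        }},
        {"cve": {  # CNA supplied a score; NVD has not analysed it: no Primary metric, no CPEs
            "id": "CVE-0000-0002", "published": "2024-03-20T10:00:00.000",
            "vulnStatus": "Awaiting Analysis",
            "metrics": {"cvssMetricV31": [
                {"source": "cna@example.org", "type": "Secondary",
                 "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]},
        }},
        {"cve": {  # nothing beyond the description: no score, no CPE to match on
            "id": "CVE-0000-0003", "published": "2024-03-28T10:00:00.000",
            "vulnStatus": "Awaiting Analysis",
        }},
    ],
})


def triage(cve: dict) -> dict:
    """Decide what a downstream scanner can safely use from one CVE record."""
    metrics = cve.get("metrics", {})
    entries = [m for per_version in metrics.values() for m in per_version]
    nvd_scores = [m for m in entries if m.get("type") == "Primary"]
    cna_scores = [m for m in entries if m.get("type") == "Secondary"]
    cpes = [match["criteria"]
            for cfg in cve.get("configurations", [])
            for node in cfg.get("nodes", [])
            for match in node.get("cpeMatch", [])]
    if nvd_scores and cpes:
        score = nvd_scores[0]["cvssData"]["baseScore"]
        action = "use NVD score and CPE match"
    elif cna_scores:
        score = cna_scores[0]["cvssData"]["baseScore"]
        action = "use CNA score provisionally; match on product name, not CPE"
    else:
        score = None
        action = "unrated: treat as unknown severity and pull the vendor advisory"
    return {"id": cve["id"], "status": cve.get("vulnStatus"),
            "score": score, "cpe_count": len(cpes), "action": action}


def backlog_report(response_json: str) -> dict:
    """Summarise an API 2.0 response: status counts and which CVEs are unenriched."""
    data = json.loads(response_json)
    rows = [triage(item["cve"]) for item in data["vulnerabilities"]]
    pending = [r["id"] for r in rows if r["status"] in PENDING_STATUSES]
    return {
        "total": len(rows),
        "status_counts": dict(Counter(r["status"] for r in rows)),
        "pending_ids": pending,
        "pending_ratio": len(pending) / len(rows) if rows else 0.0,
        "rows": rows,
    }


if __name__ == "__main__":
    report = backlog_report(SAMPLE_RESPONSE)
    for row in report["rows"]:
        print(row)
    print(f"{len(report['pending_ids'])}/{report['total']} awaiting NVD analysis")
```

Run against a real month of records, the pending_ratio is the number the article quotes (CVEs received versus analysed). The point of the per-record action is that a CNA-supplied "Secondary" score is the CNA's own assessment and has not been checked by NIST, so treat it as provisional, and a CVE with no score at all should surface as a gap in reporting rather than drop out of it.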

Other than a short notice advising it was working to establish a new consortium to improve the NVD, NIST had not provided a public explanation for the problems prior to a statement published [April 2]... "Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well."

NIST, which had its budget cut by almost 12% this year by lawmakers, said it was committed to continuing to support and manage the NVD, which it described as "a key piece of the nation's cybersecurity infrastructure... We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government and other stakeholder organizations that can collaborate on research to improve the NVD," the statement said. "We will provide more information as these plans develop..."

A group of cybersecurity professionals has signed an open letter to Congress and Commerce Secretary Gina Raimondo in which they say the enrichment issue is the result of a recent 20% cut in NVD funding.

The article also cites remarks from NVD program manager Tanya Brewer (reported by Infosecurity Magazine) from last week's VulnCon conference on plans to establish a NVD consortium. "We're not going to shut down the NVD; we're in the process of fixing the current problem. And then, we're going to make the NVD robust again and we'll make it grow."

Thanks to Slashdot reader spatwei for sharing the article.
  • by wierd_w ( 1375923 ) on Monday April 08, 2024 @02:55AM (#64377510)

    (GOP Talking Head)

    But But But--
    WHY SHOULD TAXPAYERS FOOT THE BILL FOR THIS!?

    (looks in mirror-- the reflection screams back)

    YOU CAN'T POSSIBLY EXPECT **JOB CREATORS** TO FOOT THIS EXPENSE! THINK OF THE ECONOMY!!
    ---
    (The shadow on the wall chips in)

    IT WAS CLEARLY IMMIGRANTS!
    ---
    (Mirror reflection screams at the shadow)

    WE CAN'T FIND QUALIFIED APPLICANTS!!
    --
    (Talking head)

    Please! You're all giving me a ME-ACHE!
    It's CLEARLY a case of LAZY WORKERS that JUST NEED TO WORK HARDER!
    --

    (All three in unison)

    HURRAY! 20% CUT!!

    • It's obviously gubbermint over-reach. I don't know what that means but I've heard other populist politicians say it & it sounds good to me.
    • I'm sure the three-letter agencies are more than willing to analyse these vulnerabilities - it's undoubtedly already done and fully funded. Oh you want them to share the results of the analysis? hmmmmm
      • If they want secure software they better share the findings with the developers
        • But, if they DISCLOSE those OH SO USEFUL vulnerabilities, then those will become USELESS!!

          How will we keep AMERICA NUMBER ONE if we sabotage our own advantage in espionage!?

          We KEEP ON INSISTING that we *NEED* to install backdoors in these software stacks AT THE FACTORY, but we KEEP GETTING TOLD NO!!

          **IT'S SO UNFAIR!!** /s

      • by gtall ( 79522 )

        Sharing the three-letter agencies' information also reveals to the Russians, the Chinese, the Iranians, and the Norks the three-letter agencies' capabilities. Now they could share with NIST but that too gets sticky as NIST isn't really set up to handle those kinds of security.

        NIST's problems are the result of not adequately funding the internal operations of the government as opposed to things like SS, Medicare, Medicaid. The R's don't give a flying rat's ass about the government operations (deep state and

      • I'm sure the three-letter agencies are more than willing to analyse these vulnerabilities - it's undoubtedly already done and fully funded. Oh you want them to declassify the fact that they created the vulnerability? hmmmmm

        FTFY, in case you were still wondering about what’s holding up all that “agency cooperation and interoperability”. Sometimes we forget where we get the really good shit from.

    • by whitroth ( 9367 )

      10 points! Great job.

  • Well that would.... (Score:5, Interesting)

    by codebase7 ( 9682010 ) on Monday April 08, 2024 @03:27AM (#64377566)
    Well, that would explain how the We don't know how file system permissions work "vulnerability" [nist.gov] got through. I guess my guess of the cause [slashdot.org] held out then....
  • The Linux Kernel project became a "CVE Numbering Authority" in the middle of February and since then has issued 691 CVEs.

    See this Slashdot article [slashdot.org] in which I am quoted as "worrying this could overwhelm the CVE infrastructure".

    • by serafean ( 4896143 ) on Monday April 08, 2024 @04:23AM (#64377618)

      That's kind of the point of it. Kernel devs have no idea if in your specific usecase they haven't thought about that bug can become an exploitable vulnerability.
      The old "a bug is a bug is a bug" wasn't making security people happy, so now they're treating almost every bug as a potential security issue.
      Pick your poison, and keep your kernel up to date...

    • The Reporting Bug. (Score:5, Insightful)

      by geekmux ( 1040042 ) on Monday April 08, 2024 @05:52AM (#64377670)

      The Linux Kernel project became a "CVE Numbering Authority" in the middle of February and since then has issued 691 CVEs.

      See this Slashdot article [slashdot.org] in which I am quoted as "worrying this could overwhelm the CVE infrastructure".

      Fair point, but that was either the main cause of this backlog, or it wasn’t. A 12% budget cut either had an impact, or it did not. Which is it? Should be simple to validate with a bit of historical content. How many CVEs went days, weeks, or months without analysis a year ago? Three budgets ago?

      It’s sad we’re compelled to ask historical questions to validate every claim today, but it’s quite necessary to determine how much bullshit clickbait may comprise any given article. Anyone will say anything for clicks these days. Part of the “bug” of reporting.

      • The open letter to congress specifically mentions a degradation starting in Feb. but more interesting is the restructuring. I have a feeling that is the real reason, as they sort out who's going to be in charge:

        With the latest revelations at VulnCon, we question whether a consortium under NIST makes the most sense. Perhaps a better solution would be to see NVD moved to CISA and have a consortium under the Joint Cyber Defense Collaborative (JCDC), which already exists. The collaboration recently established

      • Fair point, but that was either the main cause of this backlog, or it wasn’t. A 12% budget cut either had an impact, or it did not. Which is it?

        It could be both. There could be other factors as well.

  • Time out, it kinda got ahead of us, everyone needs a break. Just unplug the whole internet and let NIST catch up. It's not safe to be connected without a current CVE database.

  • by Bruce66423 ( 1678196 ) on Monday April 08, 2024 @07:54AM (#64377800)

    This is important work, but the idea that the US taxpayer should be the only people paying for it is not reasonable; other countries should be making financial contributions, as should the big tech companies.

  • Great work guys.. patch every single vulnerability so our corporate overlords can have total control over us. Eff the ICE.
  • by jmccue ( 834797 ) on Monday April 08, 2024 @08:49AM (#64377896) Homepage

    NIST, which had its budget cut by almost 12% this year by lawmakers

    Who would have thought that cutting budgets would reduce services? Welcome to the US Gov, the GOP wants to cut everything except for agencies that kill people. NIST, enjoy the land of the FDA, FTC, CDC, Social Programs .... (I could go on).
