Back in November last year, Recorded Future investigated the relative publication speed of China's National Vulnerability Database (CNNVD) and the US National Vulnerability Database (NVD). That analysis established that CNNVD was faster in reporting vulnerabilities, with an average of 13 days between initial disclosure and database inclusion compared to 33 days for the NVD.
Things, however, are not always as they seem. Recorded Future noted at the time that the CNNVD was essentially nothing more than a shell for the Chinese Ministry of State Security (MSS) rather than an independent organisation. When exceptions to the 'quicker to publish' rule were studied, it became clear that there was a high chance that critical vulnerabilities were being evaluated by the MSS for 'operational utility' before publication.
After revisiting that original analysis, Priscilla Moriuchi and Dr Bill Ladd looked at the outliers in more detail. These are the CVEs that NVD reported on very quickly (in six days or less) and which CNNVD took twice as long as its 13-day average to publish. It was then that the researchers noticed that the initial CNNVD publication dates for two vulnerabilities had been back-dated to match the NVD disclosures, effectively eradicating the publication delay. The resulting research paper includes screenshots of both entries as confirmation of the date changes; one was back-dated by 56 days, the other by an astonishing 236 days.
Further investigation has revealed that 267 of 268 CNNVD original publication dates for CVEs identified as outliers had been altered since November 2017, as well as 71 out of 74 outliers that were identified when updating the research mid-February. The report states that "99 percent of all outlier CVEs were altered to erase the publication lag and obfuscate the influence of the MSS."
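As an added illustration of the outlier method described above (this is not code from Recorded Future's report), the following Python script applies the stated thresholds to a few constructed records and flags entries whose current CNNVD date has been moved earlier than a previously captured one; the record layout, the placeholder CVE IDs and the inclusive 26-day boundary are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds from the article: NVD in "six days or less", CNNVD at
# "twice as long as its 13 day average"; treating the CNNVD bound as
# inclusive (>= 26 days) is an assumption.
NVD_FAST_DAYS = 6
CNNVD_SLOW_DAYS = 2 * 13

@dataclass
class CveRecord:
    cve_id: str
    disclosed: date       # initial public disclosure
    nvd_published: date   # NVD publication date
    cnnvd_original: date  # CNNVD date captured in an earlier snapshot
    cnnvd_current: date   # CNNVD date as displayed now

def is_outlier(rec: CveRecord) -> bool:
    """NVD was quick and CNNVD (per the snapshot) was slow."""
    nvd_lag = (rec.nvd_published - rec.disclosed).days
    cnnvd_lag = (rec.cnnvd_original - rec.disclosed).days
    return nvd_lag <= NVD_FAST_DAYS and cnnvd_lag >= CNNVD_SLOW_DAYS

def backdated_by(rec: CveRecord) -> int:
    """Days the current CNNVD date was moved earlier than the snapshot (0 if untouched)."""
    return max(0, (rec.cnnvd_original - rec.cnnvd_current).days)

def audit(records):
    """Outlier IDs, the subset whose dates were altered, and the altered share in percent."""
    outliers = [r for r in records if is_outlier(r)]
    altered = [r for r in outliers if backdated_by(r) > 0]
    pct = 100.0 * len(altered) / len(outliers) if outliers else 0.0
    return {"outliers": [r.cve_id for r in outliers],
            "altered": [r.cve_id for r in altered],
            "altered_pct": pct}

# Constructed sample records with placeholder CVE IDs, not real entries.
SAMPLE = [
    # Outlier whose CNNVD date was later pulled back 56 days to match NVD.
    CveRecord("CVE-0000-0001", date(2017, 9, 1), date(2017, 9, 3),
              date(2017, 10, 29), date(2017, 9, 3)),
    # Outlier left untouched.
    CveRecord("CVE-0000-0002", date(2017, 10, 1), date(2017, 10, 6),
              date(2017, 11, 10), date(2017, 11, 10)),
    # Not an outlier: NVD itself took 14 days.
    CveRecord("CVE-0000-0003", date(2017, 11, 1), date(2017, 11, 15),
              date(2017, 11, 5), date(2017, 11, 5)),
]
```

Running `audit(SAMPLE)` over a real snapshot diff is the check a consumer of any vulnerability feed can repeat: keep your own dated copy of each entry and compare it against what the source shows later.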
Recorded Future reckons this manipulation reveals more than it conceals: the Chinese state has allowed a supposedly public service organisation with a 'transparency mandate' to be run by an intelligence agency with a secrecy one. Priscilla Moriuchi, director of strategic threat development at Recorded Future and one of the authors of the report, told SC Media UK that "the CNNVD data manipulation and the influence of the MSS on the vulnerability reporting process is the clearest example to date of why an intelligence service should not manage public vulnerability notification," continuing that such a large-scale manipulation of vulnerability data "undermines trust and could compromise security operations relying solely on CNNVD for that information."
In conversation with SC Media UK, Ian Thornton-Trump, currently cyber-vulnerability and threat hunting lead at Ladbrokes Coral Group but with a background including service with the Military Intelligence Branch of the Canadian Forces, turned to how surprised we should be by this kind of CVE manipulation in order to enhance offensive security operations. "If we follow Google's responsible disclosure guidance of 90 days, it means that generally (but not always) any CVE has already been known about for 90 days," Thornton-Trump explains. "Generally, to prove that a CVE is 'bad' a proof of concept is required."
Take, for instance, the recently revealed Exim remote code execution bug impacting hundreds of thousands of email servers. Despite the assurance that this is not under active exploitation, Thornton-Trump points out that it may also mean that a researcher cosy with a nation-state offensive operations programme has had 90 days to go after email servers of interest. "It's naïve to think the great game of espionage is not being played in the cyber-domain," he insists.
So, does this leave your organisation effectively as collateral cyber-damage in this new reality? "We saw the devastating effects of the Eternal family of SMBv1 exploits on companies that did not heed the US-CERT warning," Thornton-Trump continues, "but these vulnerabilities existed for years before disclosure and, if you believe Snowden, were actively used for offensive cyber-operations."
What that means is that US-CERT, or any other such body, which most certainly includes CNNVD, is not necessarily an early warning system. Rather, as Thornton-Trump concludes, it is "an evacuate the ship warning system..."