According to the 'MidYear Vulnerability Quick View' report from Risk Based Security, there were 10,644 vulnerabilities reported in the first half of 2018. That is not, sadly, particularly shocking in and of itself.
That 3,279 (30.8 percent) of them did not make it into the official CVE or NVD systems is more so, especially as some 44 percent of these were given a severity rating of nine or higher, meaning they were of high or critical risk.
"It is highly problematic if an organisation is not aware of higher severity vulnerabilities that pose a risk to their assets," said Carsten Eiram, chief research officer for Risk Based Security. Of those 10,644 reported vulnerabilities, Eiram confirms that a quarter (25.6 percent) currently have no solution.
Meanwhile, researchers at NCC Group analysed nine years of the vulnerabilities it had discovered and found that only 2.4 percent resulted in a CVE being assigned. Of the paltry 289 classed as closed, the critical-risk vulnerabilities took an average of 77 days to resolve, a figure that exceeds the industry-accepted 30-day notice period at any risk level. Matt Lewis, research director at NCC Group, says:
"Improving our industry's ability to detect vulnerabilities before they become an issue is less of an achievement without an established process in place for their remediation and disclosure."
So, why are high severity vulnerabilities not all being reported by the likes of CVE or NVD as a matter of course?
Reed Loden, director of security at HackerOne, points out that "it takes a lot of work to document a vulnerability, and as a result, most people don't think about or bother getting a CVE." MITRE has made the process somewhat easier in recent times, "but they also defer most requests concerning open source software to the DWF project," Loden continues, "which is woefully understaffed as many of its team are volunteers." Lamar Bailey, director of security R&D at Tripwire, agrees with this opinion. "When a vulnerability is found and the researcher goes to obtain a CVE they make a request and it can take days, weeks, or months to get a reply," Bailey told SC, adding, "sometimes you never get a reply after multiple emails."
In defence of MITRE and the existing CVE process, Jonathan Cran, head of research at Kenna Security, told SC Media UK that "distributing the work to CVE Numbering Authorities (CNAs) has led to a doubling in the rate of named vulnerabilities in the past 12 months." Cran expects this expansion to continue and to cover a higher percentage of known vulnerabilities going forward. Not everyone is convinced. Rapid7's research director, Tod Beardsley, reckons the biggest blocker to CVE's universality is the stark lack of corporate participation.
In conversation with SC Media UK, Beardsley said, "participation in the project as a CNA is wholly voluntary, and only considered by companies with the most mature information security programmes." So perhaps the culture needs to change, so that participation in such lists becomes the norm? "We can tackle the shortcomings of CVE and debate the rules of inclusion," Beardsley concludes, "but without widespread adoption by technology companies, the CVE list will continue to lag behind the true count of newly discovered and published vulnerabilities."
And while this lag exists, some enterprises are going to remain blindsided by in-the-shadows vulnerabilities. "Companies that solely rely on CVE or NVD databases put themselves at risk," explains David Johansson, principal consultant at Synopsys: "They may miss critical information about important vulnerabilities affecting the software they use."
Johansson told SC Media UK that he has reviewed cases where a known vulnerability wasn’t identified simply because it wasn’t present in a CVE database. In the real world of organisations without dedicated security operations centres, and even in some that do have them, keeping up with the pace of vulnerability feeds is challenging.
"Using a competent vulnerability management solution to identify your missed issues, and ensuring you keep track of assets you own on less common platforms and software are vital," says Martin Jartelius, CSO at Outpost24, concluding: "Those are the least likely to be included in the vulnerability feeds and to be supported by any monitoring or patching software you have."