Russia's national vulnerability database is incomplete, and a cover for software snooping

News by Bradley Barth

Russia's call for cooperation on a vulnerability database appears to be simply a ploy to access US software source code in order to exploit vulnerabilities and strengthen government control, with little civil use.

Russia's national vulnerability database (NVD), run by a government organisation, is far less comprehensive than its American counterpart, omitting many critical bugs while focusing heavily on flaws that appear to be specifically relevant to Russian state information systems, according to new research from Recorded Future.

The Russian database, known as the BDU, is administered by the Federal Service for Technical and Export Control of Russia (FSTEC), a national military counter-intelligence agency. According to Recorded Future, since 2014 FSTEC has published only about 10 percent of the 107,901 total bugs announced by the American NVD, which is operated by the US Commerce Department's National Institute of Standards and Technology (NIST).

In a blog post issued today, Recorded Future concludes that the Russian database exists not so much to provide a public service, but rather to establish a minimum set of security guidelines for Russian officials tasked with securing government information systems.

At the same time, having an official vulnerability database also gives Russia a seemingly legitimate cover for demanding that foreign software and security companies submit their products to FSTEC and related agencies for inspection of their source code, Recorded Future continues. But in reality, this is just a thin veneer through which Russia disguises its efforts to gather intel on foreign software, the researchers assert.

"FSTEC is a military organisation and is publishing 'just enough' content to be credible as a national vulnerability database. The Russian government needs vulnerability research as a baseline for FSTEC's other technical control responsibilities, such as requiring reviews of foreign software," write report authors and researchers Priscilla Moriuchi, director of strategic threat development, and Dr. Bill Ladd, chief data scientist.

In an interview with SC Media, Moriuchi added that the BDU database is "virtually useless," with "almost nothing in this that you can't find in another database that is... more comprehensive." And yet, it is "just enough legitimate content" to provide plausible deniability regarding "the real mission of the organisations."

Recorded Future notes that a disproportionate number of BDU's published bugs are flaws known to be commonly exploited by Russian APT groups. Indeed, the report says that FSTEC has listed about 60 percent of all vulnerabilities used by the Russian military. The researchers believe that this could mean Russian military officials are taking measures to ensure that the same exploits aren't similarly employed against their own government's information systems.

"If anything, FSTEC might be a little too focused in its support of Russian state information systems, as the few vulnerabilities it does publish yield insight into Russian government priorities and software," the authors remark.

The report observes that of the vulnerabilities that FSTEC published the quickest following their discovery, 75 percent were found in browsers and industrial control-related software -- perhaps a commentary on which bugs Russia deems most critical. On the other hand, the BDU database is still missing over 1,000 Adobe vulnerabilities with a critical or high CVSS score, and it also tends to overlook vulnerabilities found in IBM and Huawei products and in content management systems such as WordPress, Joomla and Drupal.

Recorded Future also found that FSTEC is considerably slower than NIST when publicly reporting vulnerabilities, taking an average of 95 days to release such information -- a full 50 days longer than the US and 84 days longer than China. (A previous Recorded Future report found that the US vulnerability reporting process is slower than China's because the American NVD waits to publish vulnerabilities until after they are first listed in the MITRE Corporation's CVE Dictionary.)

While NIST's Information Technology Laboratory houses a scientific and technological staff of 400, FSTEC actually has more than three times as many employees, which suggests that Russia's lackluster vulnerability reporting is not due to a shortage of manpower, but rather an intentional choice, the report surmises.
