[BreachExchange] CVE? Nope. NVD? Nope. Serious must-patch type flaws skipping mainstream vuln lists – report

Destry Winant destry at riskbasedsecurity.com
Wed Aug 15 00:17:45 EDT 2018


https://www.theregister.co.uk/2018/08/14/record_software_vulnerabilities/

The first half of 2018 saw a record haul of reported software
vulnerabilities yet a high proportion of these won’t appear in any
mainstream flaw-tracking lists, researcher Risk Based Security (RBS)
has claimed.

According to the company’s estimate, from the beginning of the year
until June 30 it recorded a total of 10,644 vulnerabilities, 16.6 per
cent of which were given CVSSv2 scores of 9.0 or higher (High to
Critical severity), which means they required urgent patching.

However, 3,279 of these don’t appear in official databases such as the
Common Vulnerabilities and Exposures (CVE) and the US National
Vulnerability Database (NVD), potentially leaving companies in the
dark about their existence.

Of this less well-documented group, 44.2 per cent had a severity
rating between 9.0 and 10.0.

“While other criteria than just CVSS scores are important to consider
when managing and prioritizing vulnerabilities, it is highly
problematic if an organisation is not aware of higher severity
vulnerabilities that pose a risk to their assets,” said RBS chief
research officer, Carsten Eiram.

The underlying reason, RBS claimed, is that as vulnerability reporting
has grown, it has also become more decentralised. Today,
vulnerabilities are being logged “everywhere and anywhere”.

It’s why companies such as RBS have sprung up to monitor numerous
sources to gain a more accurate picture of the total number of flaws,
it added.

This isn’t as simple as tracking multiple sources because
vulnerability reporting is often confusing and incomplete, including
sources in languages other than English. “While some contend that the
CVE/NVD solution is good enough, the number of data breaches based on
hacking points to a different conclusion,” said RBS’s VP of
vulnerability intelligence, Brian Martin.

“In today’s hostile computing environment, with non-stop attacks from
around the world, organisations using sub-par vulnerability
intelligence are taking on significant risk needlessly.”
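The reconciliation problem the report describes (the same flaw surfacing in several places, with or without a CVE id, at different severities, sometimes with a fix and sometimes not) is what a vulnerability-intelligence pipeline has to absorb before it can say anything about coverage. The following Python is an added illustration, not RBS's or VulnDB's code: it merges advisory records from several constructed sources by a normalised vendor/product/title key, fills in the CVE id and solution from whichever source has one, keeps the highest CVSSv2 score seen, and then counts how many unique issues are high severity, lack a CVE id, or have no known solution. The `Advisory` records, source names and CVE ids are all constructed sample data.

```python
"""Merge vulnerability advisories from several sources and measure coverage gaps.

Added example (not RBS / VulnDB code). All records below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed placeholder CVE ids; the year 0000 marks them as fake.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


@dataclass
class Advisory:
    """One record as scraped from a single source."""
    source: str
    vendor: str
    product: str
    title: str
    cvss_v2: float
    cve: Optional[str] = None
    solution: Optional[str] = None  # patch or mitigation text, if any


@dataclass
class Merged:
    """One unique issue after reconciling every source that reported it."""
    vendor: str
    product: str
    title: str
    cvss_v2: float
    cve: Optional[str]
    solution: Optional[str]
    sources: List[str] = field(default_factory=list)


def normalize_key(vendor: str, product: str, title: str) -> Tuple[str, str, str]:
    """Crude dedup key: lower-case, collapse punctuation and whitespace."""
    def norm(s: str) -> str:
        return re.sub(r"[^a-z0-9]+", " ", s.lower()).strip()
    return (norm(vendor), norm(product), norm(title))


def reconcile(advisories: List[Advisory]) -> List[Merged]:
    """Collapse records describing the same issue into one Merged entry."""
    merged: Dict[Tuple[str, str, str], Merged] = {}
    for a in advisories:
        key = normalize_key(a.vendor, a.product, a.title)
        # Accept a CVE id only if it is well-formed; otherwise treat as missing.
        cve = a.cve.upper() if a.cve and CVE_RE.match(a.cve.upper()) else None
        m = merged.get(key)
        if m is None:
            merged[key] = Merged(a.vendor, a.product, a.title, a.cvss_v2,
                                 cve, a.solution, [a.source])
        else:
            m.cvss_v2 = max(m.cvss_v2, a.cvss_v2)   # keep the worst-case score
            m.cve = m.cve or cve                      # first source with an id wins
            m.solution = m.solution or a.solution     # any fix beats none
            m.sources.append(a.source)
    return list(merged.values())


def summarize(merged: List[Merged], high: float = 9.0) -> Dict[str, int]:
    """Counts a defender cares about: what is severe, untracked, or unfixable."""
    return {
        "unique": len(merged),
        "no_cve": sum(1 for m in merged if m.cve is None),
        "high": sum(1 for m in merged if m.cvss_v2 >= high),
        "high_no_cve": sum(1 for m in merged if m.cvss_v2 >= high and m.cve is None),
        "no_solution": sum(1 for m in merged if m.solution is None),
    }


# Constructed sample feed: the first two records are the same bug seen twice.
SAMPLE: List[Advisory] = [
    Advisory("nvd", "Acme", "Router", "Stack overflow in HTTP server", 10.0,
             cve="CVE-0000-0001"),
    Advisory("vendor_advisory", "acme", "router", "Stack Overflow in HTTP Server",
             9.3, solution="firmware 2.1"),
    Advisory("github_issue", "WidgetCo", "CMS", "SQL injection in search", 9.0),
    Advisory("bugtracker", "WidgetCo", "CMS", "XSS in comments", 4.3,
             solution="patch in 3.2"),
    Advisory("nvd", "Foo", "Lib", "DoS via malformed input", 5.0,
             cve="CVE-0000-0002"),
]

if __name__ == "__main__":
    issues = reconcile(SAMPLE)
    for m in issues:
        print(f"{m.vendor}/{m.product}: {m.title} cvss={m.cvss_v2} "
              f"cve={m.cve} solution={m.solution} sources={m.sources}")
    print(summarize(issues))
```

On the constructed feed this yields four unique issues, two of them high severity, one high-severity issue with no CVE id, and two with no known solution. The title-based key is deliberately simple; a production pipeline would also match on affected version ranges and on cross-references between advisories, since two sources describing one bug rarely use the same wording.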

Another issue was disclosure – how coordinated software vendors and
developers are when informing customers that the software they use
has a vulnerability.

The good news from the 2018 Mid-Year VulnDB QuickView Report is that
48.5 per cent are now disclosed in a coordinated way, an improvement
over 2017.

And yet, 25.5 per cent of the flaw haul between January and June have
no known solution, either in the form of a software patch or a
mitigation to reduce a flaw’s severity.

It could be argued that the overall gradual rise in the number of
vulnerabilities should be interpreted as good news, a reflection of
the small army of researchers who make it their job to find them.

While this might be true to some extent, only 13.1 per cent of
coordinated disclosures originated from the booming sector of bug
bounty programmes, the report's authors estimated. Meanwhile, almost a
third of the total vulnerabilities were known to have a public
exploit.

Leaving aside RBS’s sales pitch for their own research, it’s clear
that organisations should be looking beyond mainstream vulnerability
data sources.

“We continue to see a surprising number of companies still relying on
CVE and NVD for vulnerability tracking, despite the US government
funded organisations' continued underrepresentation of identifiable
vulnerabilities,” said Martin.
