
Security News

MITRE Marks Major Milestone, Minting 400 CNAs as NVD Backlog Grows

MITRE has just minted its 400th CNA, as the NVD struggles to tame its backlog of CVEs awaiting analysis, which has increased by 30% since June.


Sarah Gooding

August 14, 2024


MITRE passed the 400 CNA (CVE Numbering Authority) milestone this week - the designation given to organizations that are authorized by the CVE Program to assign CVE IDs and publish CVE Records within a specific scope. Recent additions include Wiz, Proton AG, and WatchDog.

Cloud vendors have also joined the CNA ranks, expanding their reporting to include vulnerabilities in cloud environments. Amazon’s CNA scope covers AWS and Amazon services, the open source and client software it publishes, and the devices it manufactures; Amazon will only assign CVEs to issues with a CVSS score of 4.0 (MEDIUM) or higher. Microsoft is adding a new class of vulnerabilities and will issue CVEs for critical vulnerabilities in its cloud services, regardless of whether customers need to patch or take any action.

One might assume the proliferation of CNAs indicates a more robust and active ecosystem, but not all CNAs are actively publishing advisories.

In a post that takes a deep dive into the history of federated CNA growth, vulnerability historian Brian Martin highlights a curiosity that some CNAs have no public advisories at the time of minting.

“I understand that some organizations have no prior disclosures, often despite there being publicly disclosed vulnerabilities in their products,” Martin said. “However, it seems odd to me that MITRE is chasing such organizations while there are many hundreds that steadily produce advisories already, and still are not CNAs.”

Martin contends that MITRE's focus on quantity over quality dilutes the effectiveness of the CNA program and raises questions about the true impact of these additions.

“This, to me, leads to the notion that MITRE is minting anything they can because the numbers look good and ‘reflect’ (not really) them doing a good job in maintaining and growing the CNA ecosystem,” he said. “This is disingenuous in my opinion and illustrates that it isn’t about running a mature federated model, rather, it is MITRE just maintaining an appearance as it reflects many millions of dollars of income each year.

“In reality, if a CNA isn’t minting CVE IDs, are they really a CNA? If not, then they still have 57 – 58 more mintings to go.”

Additionally, CNAs vary widely in how much information they provide when submitting CVEs. At the end of June, Bitsight research scientist Ben Edwards published a deeper evaluation of the industry's dependence on NVD, including charts showing how little information some CNAs actually include in their CVE records. Edwards noted that even when a field is present, there is no guarantee that it contains useful information.

Edwards also analyzed the field completion rate for the top 20 CNAs by total CVEs. (The “Description” and “References” columns are excluded because those are populated at 100% across the board.) It is clear that some CNAs are far better than others at providing actionable detail in their records.
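To make the field-completion idea concrete, here is an added example (my own code, not Socket's, Bitsight's, or the CVE Program's) that scores records per assigning CNA. It assumes the CVE Record Format 5.x layout (cveMetadata.assignerShortName, and containers.cna.metrics, problemTypes and affected) and runs on constructed sample records rather than real CVEs. It counts a field as complete only when it holds a usable value, since, as Edwards noted, a present key can still carry a placeholder such as "n/a" or a CVSS object with no score.

```python
"""Per-CNA field completeness for CVE records in the CVE JSON 5.x format.

Hypothetical example, not code from the Socket article or Bitsight's analysis.
Checks whether a record's CNA container carries a *usable* CVSS score, CWE and
affected-version range, not merely whether the key exists, and reports
completion rates per assigning CNA.
"""
import re
from collections import defaultdict

CWE_ID = re.compile(r"^CWE-\d+$")
PLACEHOLDERS = {"", "n/a", "unspecified", "unknown", "-"}


def has_cvss(cna: dict) -> bool:
    """True if any metrics entry holds a CVSS v3.x/v4.0 object with a numeric
    base score and a vector string (a bare object with no score is noise)."""
    for metric in cna.get("metrics", []):
        for key in ("cvssV4_0", "cvssV3_1", "cvssV3_0"):
            cvss = metric.get(key)
            if (isinstance(cvss, dict)
                    and isinstance(cvss.get("baseScore"), (int, float))
                    and isinstance(cvss.get("vectorString"), str)
                    and cvss["vectorString"]):
                return True
    return False


def has_cwe(cna: dict) -> bool:
    """True if a problemTypes description carries a real CWE-NNN identifier
    (free text such as 'Other' or 'n/a' does not count)."""
    for pt in cna.get("problemTypes", []):
        for desc in pt.get("descriptions", []):
            if CWE_ID.match(str(desc.get("cweId", ""))):
                return True
    return False


def has_affected_range(cna: dict) -> bool:
    """True if some affected entry names a real vendor/product and gives at
    least one affected version or bounded range rather than a placeholder."""
    for entry in cna.get("affected", []):
        if str(entry.get("vendor", "")).strip().lower() in PLACEHOLDERS:
            continue
        if str(entry.get("product", "")).strip().lower() in PLACEHOLDERS:
            continue
        for v in entry.get("versions", []):
            if v.get("status") != "affected":
                continue
            bounded = any(v.get(k) for k in ("lessThan", "lessThanOrEqual"))
            if bounded or str(v.get("version", "")).strip().lower() not in PLACEHOLDERS:
                return True
    return False


CHECKS = {"cvss": has_cvss, "cwe": has_cwe, "affected_range": has_affected_range}


def completeness_by_cna(records):
    """Return {cna_short_name: {field: fraction of records with a usable value}}."""
    counts = defaultdict(lambda: {"records": 0, **{f: 0 for f in CHECKS}})
    for rec in records:
        bucket = counts[rec["cveMetadata"]["assignerShortName"]]
        cna = rec["containers"]["cna"]
        bucket["records"] += 1
        for field, check in CHECKS.items():
            if check(cna):
                bucket[field] += 1
    return {name: {f: round(b[f] / b["records"], 2) for f in CHECKS}
            for name, b in counts.items()}


def record(cve_id, assigner, cna):
    """Wrap a CNA container in the minimal 5.x envelope the checks read."""
    return {"dataType": "CVE_RECORD", "dataVersion": "5.0",
            "cveMetadata": {"cveId": cve_id, "assignerShortName": assigner, "state": "PUBLISHED"},
            "containers": {"cna": cna}}


# Constructed sample records (not real CVEs; CNA names are invented).
SAMPLE_RECORDS = [
    record("CVE-2024-0001", "thoroughcna", {
        "descriptions": [{"lang": "en", "value": "Heap overflow in parser."}],
        "affected": [{"vendor": "ExampleCorp", "product": "Widget",
                      "versions": [{"version": "1.0", "status": "affected",
                                    "lessThan": "1.4", "versionType": "semver"}]}],
        "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122",
                                            "description": "Heap-based Buffer Overflow"}]}],
        "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH",
                                  "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}],
        "references": [{"url": "https://example.invalid/advisory/1"}],
    }),
    # Every key is present, but filled with placeholders: counts as missing.
    record("CVE-2024-0002", "sparsecna", {
        "descriptions": [{"lang": "en", "value": "A vulnerability exists."}],
        "affected": [{"vendor": "n/a", "product": "n/a",
                      "versions": [{"version": "n/a", "status": "affected"}]}],
        "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}],
        "metrics": [{"cvssV3_1": {"version": "3.1"}}],  # object exists, no score
        "references": [{"url": "https://example.invalid/advisory/2"}],
    }),
    record("CVE-2024-0003", "sparsecna", {
        "descriptions": [{"lang": "en", "value": "XSS in admin panel."}],
        "affected": [{"vendor": "ExampleCorp", "product": "Portal",
                      "versions": [{"version": "2.3.1", "status": "affected"}]}],
        "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79",
                                            "description": "XSS"}]}],
        "references": [{"url": "https://example.invalid/advisory/3"}],
    }),
]

if __name__ == "__main__":
    for cna_name, rates in completeness_by_cna(SAMPLE_RECORDS).items():
        print(cna_name, rates)
```

Pointed at a directory of real records from the cvelistV5 repository, the same three checks give a per-CNA view of how much triage work a downstream consumer must do itself; the placeholder handling matters because a CNA can push a record past a naive "key present" audit without giving the consumer anything to prioritize on.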

NVD Backlog of CVEs Awaiting Analysis Has Increased by 30% Since June

Despite NIST mobilizing on a plan to clear the backlog of CVEs awaiting analysis by September, the NVD has fallen further behind. Two months ago, on June 3, the number of CVEs awaiting analysis was 13,358. That number has since increased by 30% to 17,372 today. Even with additional processing support from contractors, the team is not keeping pace with the volume of incoming CVEs.

More CVEs are undergoing analysis than in previous months. The new analysts are picking up speed but will need to address seven months of stalled activity. A cleared backlog by September is likely out of reach, given the steady clip at which CVEs are piling up.

At the end of July, Fortress Security analyzed the NVD’s progress on processing CVEs and projected that the number awaiting analysis will reach 28,376 by the end of the year. To clear the backlog while keeping pace with the daily influx of new CVEs, the contractors would have to process more than 234 CVEs per day, seven days per week.

With just 140 days remaining in 2024, it is highly unlikely that the NVD will clear its backlog before the end of the year.

In May, researchers at VulnCheck highlighted concerns about the severity of the situation, with half of reported known exploited vulnerabilities still awaiting analysis:

  • 50.8% of VulnCheck Known Exploited Vulnerabilities have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024. (Source: VulnCheck KEV)
  • 55.9% of Weaponized Vulnerabilities have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024.
  • 82% of CVEs with a Proof-of-Concept Exploit have not been analyzed by the National Vulnerability Database (NVD) since February 12, 2024.

Yesterday, vulnerability researcher Andrey Lukashenkov published similar concerns on LinkedIn, with updated figures on how many CVE records already have public exploit proofs-of-concept:

Out of almost 25000 #CVE that were so far published in 2024, more than 1100 have public #exploit proof-of-concept that reference them by the CVE ID. And out of more than 2000 of those exploits PoC, more than 900 were published before or on the same day the corresponding CVE was added to the CVE Program.
I dug deeper and here is the plot that shows the number of public exploits PoC published in some reference time frames relative to the CVE publication date. Yes, some of those exploits PoC were more than five years old at the moment of CVE publication.

The slow pace at which CVE records are completed is one of the challenges undermining trust in the CVE program. Without the CVSS scores, CWE mappings, and affected-version data that analysis supplies, organizations are left to prioritize remediation with little context, or to do that analysis themselves.

As Brian Martin aptly summarized, “CVE is obviously an easy way to track some vulnerabilities, in an often delayed fashion, requiring a lot of your own analysis.”
