Discrepancies in reports to the national vulnerability databases (NVD) show the U.S. lags behind China, exposing U.S. firms to cyber attacks.
The U.S. is “drastically behind” China in recording software vulnerabilities in its National Vulnerability Database (NVD), and is missing key vulnerability reports. This gap could put U.S. private and public sector organizations at risk of attack, a Sophos research investigation had found.
Speaking at the LABSCon conference in Phoenix, Kristin Del Rosso, an incident response and threat intelligence product manager at Sophos, described her investigation into a vulnerability, CNVD 202128277, which she discovered in China’s National Vulnerability Database (CNNVD), but that had no analog in the U.S. NVD, which is maintained by NIST.
Let a thousand national vulnerability databases bloom
That discrepancy got Del Russo to start looking into the question of whether there were other discrepancies between the vulnerability databases maintained by China and the U.S. Her realization was alarming.
“There are a lot of vulnerabilities missing.”
—Kristin Del Rosso
Unlike in the U.S., China’s vulnerability reporting landscape is complex. China operates two, overlapping vulnerability databases, CNNVD and the CNVD. The former is run by CNITSEC, which is an arm of the Ministry of State Security in China. “It's like if you had the CIA running the NVD program,” Del Rosso said. CNVD, the China National Vulnerability Database, is nominally run by a non-profit that doesn’t have direct ties to the State security apparatus, though Del Rosso said that claims of independence from the government are dubious.
The two sites, though nominally the same, are hosted on different infrastructure, use different naming conventions and have different and partially overlapping contents. Differing naming conventions and gaps in coverage and timing makes research into vulnerabilities complicated and amounts to a form of obfuscation, Del Rosso said. “They made it difficult to close the gap between their own two country databases,” she said.
China-wide red team report, anyone?
The flaw that started her quest, a remote file read vulnerability in some Chinese language office automation software, turned up in a threat hunting exercise on a device with a Chinese IP address with a list of vulnerabilities and exploits and a list of hundreds of targets that included mail servers and online payment portals for Chinese energy companies. Further exploration revealed what appeared to be the work of a Chinese penetration tester. “It was all very odd,” Del Rosso said.
Del Rossa began searching to determine what companies were using the targeted office automation software, which included targets in China and the U.S. That caught her attention. “This is a vulnerability that we don’t have but that could be used to target systems in the U.S.,” she said.
Further research turned up evidence that the vulnerability was used in HVV Action, a country-wide red team/blue team exercise sponsored by the Chinese Ministry of Public Security akin to CISA Cyber Storm. A reference to the vulnerability was mentioned in the 2021 report from that year’s HVV Action exercise.
That raised troubling questions for Del Rosso about the U.S.’s cyber awareness. “We literally just found a vulnerability used in a nation-wide critical infrastructure security contest that we didn’t know about,” Del Rosso said.
A troubled history on vulnerability disclosure
The question is “why?” China’s handling of CNNVD has been the subject of criticism before. In 2017 and 2018, the Insikt Group at the firm Recorded Future concluded that the Ministry of State Security (MSS) in China was altering publicly available data about vulnerabilities it listed in the CNNVD. Recorded Future identified more than 200 that had their original publication dates altered.
The CNNVD appeared to have a formal vulnerability evaluation process in which high-threat CVEs were evaluated for their operational utility by the MSS prior to publication - a possible indicator of vulnerabilities that the MSS was considering for use in cyber offensive operations. “They have a history of strategically hoarding vulnerabilities,” Del Rosso noted.
U.S. lags on vulnerability disclosure
The bigger issue may be the U.S. government’s lackluster performance encouraging vulnerability disclosure, and keeping abreast of reports coming from China and other countries that run their own, national NVDs including Russia, Japan and Germany.
Del Rosso found large discrepancies between the vulnerabilities listed in the US NVD and China’s two vulnerability databases, the CN NVD and the CNVD. As it stands, the U.S. NVD, with more than 184,000 CVEs is more than 12,000 CVEs short of China’s CN NVD, with just over 196,000 vulnerabilities total.
And research conducted by Del Rosso and a colleague indicates that some of those are serious. For example, the pair uncovered vulnerabilities linked to a Siemens Smart Energy platform and a Schneider Electric Modicon web server vulnerability that appeared in either the CN NVD or the CNVD that had no analog in the US NVD.
Much of that comes down to the government’s management of vulnerability reporting.
“We are drastically behind in how quickly we disclose these vulnerability gaps."
—Kristin Del Rosso
“China incentivizes (vulnerability reporting). They have honor management. They have certificates and awareness. You have to register to submit vulnerabilities,” she said. Not so in the U.S. “We don’t do any of that. We kind of do it “on your honor,” and we have a backlog.”
The introduction of CNAs (CVE Numbering Authorities) in the U.S. has helped, but Del Rosso notes that vulnerabilities in products that aren’t covered by a CNA often languish for months before they are recorded. In contrast, China is “very proactive in closing the vulnerability gap and going out to get them,” she said.
Del Rosso experienced that first hand when she attempted to report the CNVD 202128277 vulnerability to MITRE. It took 37 days to get the vulnerability added to the NVD, ultimately ranking a 7.5 severity level.
In contrast, on the Chinese side, vulnerability reporters must register as either an individual or enterprise. Once that’s done, the government “game-ifies” vulnerability disclosure with badges, and further sources vulnerabilities through other networks and sourcing competitions. “They’re actively sourcing in ways that we have not matched them at,” she said.
(Another) call to reform the NVD
Spotting reporting means the NVD does not tell the full story of software risk. Instead, it reflects the activity of companies that choose to participate as CNAs. In our recent report, ReversingLabs NVD Analysis 2022: A Call to Action on Software Supply Chain Security, reports are dominated by flaws in a handful of legacy platforms by firms including Microsoft, Red Hat, Google, Apple and Oracle, while open source, DevOps and cloud platforms that support digital transformation initiatives are often under-represented.
The U.S. government, acting through organizations like NIST and MITRE, needs to be more proactive about encouraging vulnerability disclosure by companies and individuals, even as the U.S. government begins to pay closer attention to activity on other national vulnerability databases like the CNNVD and CNVD.
China has a history of giving high-value vulnerabilities to their APT groups who have targeted our assets, Del Rosso noted.
“We’re offering you the ability from a protection and detection standpoint to proactively secure defenses from someone who is a known adversary and we haven't put any effort into closing that [gap]? That doesn’t make any sense. The first step is acknowledging the problem."
—Kristin Del Rosso
- Get up to speed on the threat landscape with news and deep dives
- Keep up with key developer trends in Dev & DevSecOps
- Learn more about software supply chain security
- Report: Supply chain security top of mind for devs — but tampering detection lags
- The NVD must evolve: Learn how and why with our free report
- SBOM: We explain why it matters for supply chain security
- Get a free SBOM and supply chain risk report