At times, the value of something only becomes apparent once it is nearly lost. Such was the case this past Tuesday when news broke that the MITRE Corporation faced a funding shortfall that could halt the continuation of the Common Vulnerabilities and Exposures (CVE) Program beyond April.
Thankfully, the Cybersecurity and Infrastructure Security Agency (CISA) intervened by extending the contract for another 11 months, giving the community a window in which to establish new funding mechanisms and governance structures that safeguard the program’s future. This transition is essential: the US-backed, MITRE-operated CVE assignment model that has been in place for 25 years is unlikely to be restored in its old form, and a move to a new model is warranted.
Understanding the CVE Program
Like MITRE’s widely known ATT&CK framework, the CVE Program gives the cybersecurity community a standardized language for discussing vulnerabilities—a lingua franca for identifying flaws. This standardization ensures that everyone means the same thing when discussing a vulnerability, and it helps to distinguish between similar vulnerabilities when needed.
Tracking vulnerabilities is central to many security tasks, such as managing attack surfaces, operating intrusion prevention systems, and developing compensating controls and mitigations when patching is not an immediate option. Internally, Sophos uses CVEs in many ways, including:
- Identifying and prioritizing vulnerabilities
- Creating detection rules that efficiently target specific indicators of compromise
- Prioritizing safeguards for Sophos’ own infrastructure, informed by the potential impact of a vulnerability’s exploitation and the patches needed to mitigate it
- Guiding multiple processes at Sophos, such as incident response, so that containment and remediation are coordinated across the Security Operations and Incident Response teams
- Supporting communication with vendors and clients, including Patch Tuesday activities
- Serving as a CNA (CVE Numbering Authority; more details below)
Deciphering CVE Numbers
CVEs are issued by CVE Numbering Authorities (CNAs), often software vendors such as Sophos, which identify vulnerabilities in their own products, assign a number to each, and inform MITRE. CERTs (Computer Emergency Response Teams, typically national ones) can also issue CVEs, as can the CNA-LR (the CNA of Last Resort), currently the MITRE Corporation. (“MITRE” is not an acronym, despite the organization’s origins at MIT.)
A CVE can be assigned to any software vulnerability, even if the software’s vendor is not part of the CNA program. Identifiers follow the format CVE-YYYY-NNNNN, where YYYY is the year and NNNNN is the sequence number. The numbering is not strictly sequential: the identifier is unique, but it is not a count of discovered vulnerabilities. Larger CNAs may receive blocks of numbers for convenience, which can leave gaps between blocks, and occasionally multiple CVEs are unknowingly assigned to the same vulnerability.
CVE issuance is not without debate: defining a “software vulnerability” can be contentious, especially when assessing whether a vulnerable component is actually exploitable within the larger project that includes it. This complexity may be explored in future posts, particularly where CVEs intersect with Software Bills of Materials (SBOMs) and other governance efforts.
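As an added example (not part of the original post, and not Sophos tooling), the following Python parses and normalizes identifiers in the CVE-YYYY-NNNNN format described above. It accepts the four-or-more-digit sequence numbers the current CVE syntax allows, rejects years before the program's 1999 start (an assumption used here as a sanity check), and deduplicates IDs that a ticket or advisory cites more than once.

```python
import re

# CVE identifier syntax: "CVE-" + four-digit year + "-" + a sequence number of
# four or more digits (the 2014 syntax change removed the old four-digit cap).
# Assumption made here: the program's first year, 1999, is the earliest valid year.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
FIRST_CVE_YEAR = 1999

def parse_cve_id(text):
    """Validate one identifier; return (normalized_id, year, sequence) or None."""
    m = CVE_RE.fullmatch(text.strip())
    if not m:
        return None
    year, seq_digits = int(m.group(1)), m.group(2)
    if year < FIRST_CVE_YEAR:
        return None
    # Keep the digit string as issued: leading zeros are part of the identifier.
    return (f"CVE-{year}-{seq_digits}", year, int(seq_digits))

def extract_cve_ids(text):
    """Return every valid CVE ID in free text, normalized to upper case and
    deduplicated in first-seen order, so an issue cited twice is counted once."""
    found = {}
    for m in CVE_RE.finditer(text):
        parsed = parse_cve_id(m.group(0))
        if parsed and parsed[0] not in found:
            found[parsed[0]] = parsed
    return list(found)

def group_by_year(cve_ids):
    """Bucket normalized IDs by year, e.g. to see which year's block an advisory draws on."""
    by_year = {}
    for cve_id in cve_ids:
        parsed = parse_cve_id(cve_id)
        if parsed:
            by_year.setdefault(parsed[1], []).append(cve_id)
    return by_year

# Constructed sample ticket text; the identifiers are placeholders, not real CVE entries.
SAMPLE_TICKET = (
    "Fixed in build 1.2.3: cve-2025-00001 and CVE-2025-00002. CVE-2025-00001 was "
    "reported twice. The malformed reference CVE-2025-123 and the impossible "
    "CVE-1998-0001 also appear and must be ignored."
)

if __name__ == "__main__":
    ids = extract_cve_ids(SAMPLE_TICKET)
    print(ids)                 # ['CVE-2025-00001', 'CVE-2025-00002']
    print(group_by_year(ids))  # {2025: ['CVE-2025-00001', 'CVE-2025-00002']}
```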
Implications of a CVE-less World
Have you ever struggled to keep track of a threat actor such as APT29, also known as IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune, UNC3524, and Midnight Blizzard? Welcome to a world where naming is uncoordinated and confusion is the result. The same inconsistency affects malware names, as history shows—look at the detection names in VirusTotal’s records to see the disarray.
A central authority that can uniquely name and describe vulnerabilities, and that furnishes machine-readable data, lets both people and tools address the same underlying issue consistently. The National Vulnerability Database (NVD), run by the National Institute of Standards and Technology (NIST), has had its own difficulties; any further disruption to the CVE system would make it harder still to track and protect vulnerable systems effectively.
Embracing a Promising Future
In light of the recent funding turbulence surrounding the CVE Program, we stand at a crossroads. Three potential paths lie ahead, with consensus yet to emerge.
One option involves maintaining the status quo, at least for the upcoming 11 months (the period covered by the recent funding extension). For 25 years, the US government has played a pivotal role in funding the CVE Program, but reliance on a single government’s support for a globally significant system seems ill-advised following this week’s funding scare.
Alternatively, a group of longstanding CVE Program board members has proposed a governance shift to a non-profit foundation free from US government influence. Such a CVE Foundation would boast international diversity and independent funding mechanisms, potentially offering a more stable and reliable system, albeit with additional bureaucracy and altered public-private sector dynamics. This appears as the most prudent direction, despite possible lingering US-centric tendencies among CVE board members.
Separately, CIRCL (the Computer Incident Response Center Luxembourg, a CERT) has introduced GCVE, which advocates a decentralized model for CVE issuance and governance. The proposal contains intriguing ideas, including backward compatibility, but challenges are likely. Standardized definitions maintained by a central board are often invaluable, reducing the risk of the confusion and inconsistency that decentralized models invite. The existing CVE system ensures consistency through a defined set of rules, even if those rules do not satisfy everyone.
Concluding Remarks
The CVE Program, a product of collaborative efforts with inherent imperfections, has proven itself as the best model thus far, led by industry experts dedicated to achieving optimal outcomes. This juncture is not the time for drastic measures; abandoning the system would be unwise.
Advocating for a financially autonomous and globally representative version of the existing model should be the collective goal. Fragmentation, as seen in Russia’s and China’s approaches, would disadvantage defenders and tilt the playing field toward attackers. The CVE Board’s volunteers have tirelessly contributed for 25 years, refining the system—let us support its continued improvement for the years to come.
Appreciation
Credit goes to Darshan Raghwani for his involvement in developing this post.
