Tag Archives: thoseamericans

On November 13, NIST NVD finally admitted the obvious: they had failed to process the CVE analysis backlog before the end of the fiscal year (September 30)

On November 13, NIST NVD finally admitted the obvious: they had failed to process the CVE analysis backlog before the end of the fiscal year (September 30)

On November 13, NIST NVD finally admitted the obvious: they had failed to process the CVE analysis backlog before the end of the fiscal year (September 30). This is actually visible in their own statistics. At the moment, there are 19860 identifiers in the backlog. This week, 1136 new CVEs were received, and they analyzed only 510. And this is not some abnormal week, this happens regularly. They can’t cope with analyzing new vulnerabilities, they don’t have time to deal with the backlog. The crisis continues.

At the same time, for some reason, they write in the message that they have a full team of analysts, and they are addressing all incoming CVEs as they are uploaded into NVD system. But why do their statistics show the opposite?

They write that they processed all the vulnerabilities from CISA KEV. And that’s good. But CISA KEV only added 162 CVEs in 2024. It’s great that NVD was able to process these identifiers, but the achievement is, to put it mildly, not impressive.

Why can’t NVD process this backlog?

They write that the problem is in the format of data from Authorized Data Providers (ADPs), apparently meaning CISA Vulnrichment. NVD is currently unable to effectively import and enhance data in this format. In order to be able to do this, they are developing some “new systems”.

Not only have they admitted their inability to analyze vulnerabilities on their own and their willingness to use the results of someone else’s analysis as is, they also cannot write parser-converters in any adequate time. 🐾 I have no words. 🤦‍♂️

And now there is news that US Senator Rand Paul, the new chairman of the Senate Homeland Security Committee, has promised to seriously reduce the powers of CISA or eliminate them completely. 😁 It’s all because of CISA’s work “to counter disinformation” before the US elections. So the only American information security regulator capable of doing anything useful in a reasonable amount of time could be destroyed. Great idea, comrades, keep it up. 👍

I expect nothing but further degradation.

На русском

I asked the author of the article about the source of Tanya Brewer’s quotes (NVD manager from NIST)

I asked the author of the article about the source of Tanya Brewer's quotes  (NVD manager from NIST)

I asked the author of the article about the source of Tanya Brewer’s quotes (NVD manager from NIST). It turns out that she said this at the “NVD Symposium” session. This session is in the program, but its video recording was not posted to the VulnCon 2024 channel, despite “TLP:CLEAR”. 😏

На русском

On May 3, more than 826 new vulnerabilities were added to NVD (in just one day)

On May 3, more than 826 new vulnerabilities were added to NVD (in just one day)

On May 3, more than 826 new vulnerabilities were added to NVD (in just one day). Picture from the CVE.icu service, which visualizes NVD changes. There is also a list of these vulnerabilities. Most of them, 709, were added by ZDI. Why would they do that? 🤔

Last November I had a post (in Russian) that a number of trending vulnerabilities that were reported by ZDI are displayed in NVD as “CVE ID Not Found”. So, it seems the geniuses from Trend Micro ZDI finally noticed that their CVEs do not reach NVD and decided to fix this with such a massive import of problematic CVEs. 🤷‍♂️ At the same time, they clearly demonstrated the scale of the disaster. 🙂

Well, better late than never. But now it will be interesting to calculate the delay between the appearance of ZDI-CAN identifier and NVD CVE. 😏 For example, for RCE – WinRAR CVE-2023-40477, exploited in phishing attacks, it is 260 days. 🤠

PS: the final number for May 3rd is 847 CVE, but this is not that important.

На русском