The National Vulnerability Database (NVD) is arguably the world’s largest database of publicly known vulnerabilities found in various software systems. When a Common Vulnerabilities and Exposures (CVE) designation is assigned to a reported vulnerability (supervised by MITRE), the details about the vulnerability are typically not published until a technical review is complete.
During the review process, information about the reported vulnerability will almost certainly become available through blogs, mailing lists or security advisories. In addition, exploits and/or proofs of concept for the vulnerability are often published — and published quickly, days before the vulnerability detail has been added to NVD. In fact, of the 19,730 CVEs appearing on ExploitDB,15,033 (76.19%) were published on NVD after their disclosure on ExploitDB. The median number of days between a vulnerability exploit published on ExploitDB and that vulnerability’s disclosure on NVD is four.
That means that regardless how long it takes for NVD to process a CVE after first disclosure in other sources, there is a 76.19% chance that an exploit will be publicly available days earlier.
For vulnerabilities in open source components (other than those with commercial support agreements), users will not receive any alerts from the open source community or NVD about the vulnerability — even though vulnerability and exploit information is already available in the public domain. Unlike commercial software, where support agreements require vendors to “push” updates to users, open source support is a “pull” model, where users are responsible for monitoring projects for updates and security issues. Once vulnerabilities become public (without records in NVD accompanied by relevant technical details/reviews), the exploitation of such vulnerabilities becomes a reality. Once a vulnerability becomes public through any means, the race between NVD (to protect) and any potential adversaries (to exploit) begins aggressively.
Look at The Race: Vulnerabilities in NVD
According to a study done by Recorded Future in 2014: “7.5 is the median number of days it takes for a vulnerability to be exploited as reported by public/web data." (Exploits for the recent Apache Struts vulnerability that resulted in the Equifax breach were available the same day that Apache released their Security Advisory, and attacks were widespread within just a few days.) Therefore, to win the race against the adversaries, NVD needs to cross the finish line within a week. However, our investigations reveal that 52.2% of the CVEs published by NVD are late by more than seven days, which also means that adversaries already have enough time to exploit more than half of the vulnerabilities published by NVD. Of course, not all vulnerabilities have exploits, published or otherwise. To consumers of the affected software systems, this scenario is discouraging, especially if they are solely dependent on NVD to receive vulnerability reports and the corresponding analysis.
Note also that the exploitation of a specific vulnerability is very contextual, therefore, it must not be concluded that high severity vulnerabilities are always exploitable and lower severity vulnerabilities are not (or less) exploitable. Our study reveals that adversaries could very well target any vulnerability, although some vulnerabilities are simply not worth an attacker's time. Join our session in Flight 2017 to learn more details of this study.
Do you know that Black Duck security experts analyze various vulnerabilities discovered within millions of open source components to make the consumers of affected open source more secure? If you want to know more about our research, please contact us for more details.