Monday, October 4, 2021

Information Sharing – CNA Responsibilities

I have recently reported (here and here, subscription required) two separate instances where the CVEs for vulnerabilities originally reported by Claroty still had no details available in the NIST NVD months after the associated advisories were published; they were still listed as “reserved”. I initially reported that I thought Claroty may be the CVE numbering authority (CNA) for those CVEs, but I was reminded that security research organizations could not be CNAs; that role is essentially limited to national cybersecurity organizations and vendors.

I cannot tell for sure who the CNA for these vulnerabilities is; the MITRE CVE page for each vulnerability does not list the assigning CNA for ‘reserved’ CVEs. I now suspect, however, that it is probably NCCIC-ICS, since they have published advisories for the two groups of vulnerabilities.

In any case, the CVE numbers for these vulnerabilities are currently worthless as information sharing devices, the role for which the CVE program was established. If CNAs do not provide NIST and MITRE timely follow-up information about reserved CVEs, they are failing in their duty. Further, MITRE should have procedures in place to remind CNAs about CVEs that they have reserved but for which they have not yet provided vulnerability data.

The CVE program has many well-known problems, but this goes to the base responsibilities of the program. Any new program that is stood up to replace it is going to have to ensure that processes are in place to conduct the kind of follow-up that I described above.


Anonymous said...

Also check out CVE-2021-27426 and 27428, both from GE Grid.
