How the National Vulnerability Database Could Be Abused to Spread Malware

The National Vulnerability Database (NVD), created by the U.S. National Institute of Standards and Technology (NIST), contains reported vulnerabilities disclosed by CVE Numbering Authorities (CNAs). The database is maintained by the CVE Assignment team and the CNAs with whom they collaborate as part of the CVE Program. CNAs are researchers who, independently or on behalf of their employer, contribute new vulnerability research to the database. They are responsible for assigning IDs to new vulnerabilities and for publishing information about them, including recommendations for remediation.

The NVD’s collection of CVE data is widely considered the most comprehensive source for automating vulnerability management, security controls and remediation, and compliance. Most vulnerability management products consume published NVD data directly.

The NVD is not exempt from industry criticism, and there is room for improvement. For example, in 2017 it was revealed that a CVE appears on the NVD an average of 7 days after it is released, giving threat actors plenty of time to leverage a known vulnerability before most vulnerability management products report it.

In this blog, we’ll walk through an example of how the NVD could become an attack vector and how to protect against it.

Can the NVD Be Leveraged by Threat Actors?

When new vulnerabilities are listed, the NVD includes several links as resources to assist in analyzing and addressing vulnerabilities. For example, if a Google Chrome CVE is released, the NVD will list a reference link to the official Google Security Bulletin. These links are often automatically imported into security products on the market to add context to known vulnerabilities for management purposes, as mentioned above.

Figure 1. Reference material imported from the NVD providing detail on a multi-axis control device from Rockwell. All links are validated in our product.

If your vulnerability management system required you to click a link to download the most recent patch for a specific CVE, how would you proceed? In certain instances, you might find it acceptable to trust any link associated with the mitigation of a CVE. However, embedding and ultimately trusting these links carries a real risk.

Around 337 unique “reference” domains reported in the NVD (roughly 2.5%) are available for purchase online, or even for free, which introduces a potentially significant security concern: a threat actor could buy these domains and use them in a large-scale supply chain attack. The link your vulnerability management product tells you to click may then deliver not a patch for the CVE at hand but malware, whether ransomware or initial access for an advanced persistent threat (APT).

How Expensive and Significant is This Threat?

To illustrate the scale of the potential impact, the chart below shows a simple cost distribution of the available domains. Most of the domains cost either less than U.S. $100 or more than U.S. $1000. For around U.S. $1700 in total, any actor could buy around 55% of the currently available domains, and all of them for around U.S. $1.5 million.

Figure 2. Domains reported in the NVD that are available for purchase are either very cheap or very expensive.

Most of these domains expired more than a decade ago and consequently do not appear in the “reference” links of any product that is currently supported. However, the following chart shows that several very recent CVEs also contain these potentially available, and potentially malicious, links.

Figure 3. Distribution of affected CVEs per year.

The data shows that the largest share of CVEs whose listed reference domains could be taken over by a threat actor date from 2006. Many of these CVEs may already be remediated or may affect technologies that are no longer supported and have since been replaced. However, a significant number of available domains are still listed as resources in CVEs from the last five years, affecting products that have not been discontinued.

Digging deeper into the data, it is possible to extract the products that most frequently have these potentially malicious links among their “references” in the NVD, including extremely popular products such as Firefox and content management systems such as Drupal and WordPress.

Figure 4. Most impacted CPEs.

What Should You Do to Avoid Potentially Malicious Reference Links?

NVD personnel have already taken some countermeasures against this issue, such as warning users when they click an external link and creating the “URL Repurposed” tag to indicate that a specific URL may no longer lead to the originally intended content. They do not remove the URL from the CVE record or resource list, for historical reference purposes.

Figure 5. The NIST website displays a popup when users click on an external link.

To further mitigate this issue, security controls should be implemented by the NIST NVD as well as by each security vendor that prepares mitigation details or consumes NVD data.

A list of actions to consider:

  • Validate the links and keep them up to date.
  • Inform users that the links point to public domains that are subject to change.
  • Consider deleting some links.
  • Monitor the domains’ registrant and expiration date.
  • For end users: do not blindly trust links provided by security vendors.
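The first and fourth actions above (validate the links; monitor registrant and expiration date) can be automated against the references of a CVE record. The following is an added example, not code from the original post or from NVD/NIST: it assumes the reference layout of an NVD API 2.0 record (a list of `{"url", "tags"}` entries), uses a placeholder CVE id and reserved `.example` hostnames, and replaces a live RDAP/WHOIS query with a constructed `REGISTRATION` table; `audit_references` is a hypothetical name.

```python
# Added example (not from the original post or from NVD): audit the reference
# links on a CVE record instead of trusting them blindly. Record layout follows
# NVD API 2.0; REGISTRATION is a constructed stand-in for live RDAP/WHOIS answers.
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed CVE record fragment; the id is a placeholder, not a real CVE.
CVE_RECORD = {
    "id": "CVE-YYYY-NNNNN",
    "published": "2019-03-01",
    "references": [
        {"url": "https://security.vendor-one.example/advisory/123", "tags": ["Vendor Advisory"]},
        {"url": "http://patches.old-vendor.example/fix.zip", "tags": ["Patch", "URL Repurposed"]},
        {"url": "http://mirror.lapsed-site.example/notes.html", "tags": ["Third Party Advisory"]},
        {"url": "https://blog.research-team.example/post", "tags": ["Third Party Advisory"]},
    ],
}

# Constructed registration data keyed by hostname:
# (registrant, registered on, expires on); None means the name is not registered.
REGISTRATION = {
    "security.vendor-one.example": ("Vendor One Inc", date(2005, 1, 1), date(2030, 1, 1)),
    "patches.old-vendor.example": ("Privacy Proxy LLC", date(2022, 6, 1), date(2026, 6, 1)),
    "mirror.lapsed-site.example": None,
    "blog.research-team.example": ("Research Team", date(2010, 5, 5), date(2025, 5, 5)),
}

def audit_references(record, registration, today_iso, expiry_window_days=30):
    """Return {url: [reasons]} for every reference that should not be trusted as-is."""
    today = date.fromisoformat(today_iso)
    published = date.fromisoformat(record["published"])
    findings = {}
    for ref in record["references"]:
        reasons = []
        host = urlsplit(ref["url"]).hostname  # a real tool would reduce this to the registrable domain
        if "URL Repurposed" in ref.get("tags", []):
            reasons.append("nvd-tag-url-repurposed")  # NVD says the content is no longer the original
        reg = registration.get(host)
        if reg is None:
            reasons.append("domain-unregistered")  # available for anyone to buy
        else:
            _registrant, registered_on, expires_on = reg
            if registered_on > published:
                reasons.append("registered-after-cve-published")  # lapsed and re-registered since
            if expires_on - today <= timedelta(days=expiry_window_days):
                reasons.append("expires-within-window")  # watch it, or archive a copy of the content
        if reasons:
            findings[ref["url"]] = reasons
    return findings
```

A vendor importing NVD data would run this on every record it ingests and surface the reasons next to the link, so that a consumer sees why a reference is not to be clicked blindly.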