Rants of a deranged squirrel.

400 CNAs, Yay?

Introduction

This week, or in the next two, we’re likely to see MITRE heralding the milestone of minting their 400th CVE Numbering Authority (CNA). These are, primarily, organizations that can assign a CVE ID without having to go to MITRE each time to obtain the ID. This is part of what MITRE calls a “federated” model that allows for more dynamic and responsive assignments without a central bottleneck that caused serious issues at one point.

On the surface, this seems like a great thing for the CVE ecosystem as more entities can participate and assign identifiers for tracking vulnerabilities. In a well-implemented system this is definitely a good thing. In a system that is not well implemented and has shortcomings, this kind of system can actually become a burden to the ecosystem and cause countless wasted hours downstream as every stakeholder has to invest their own hours making up for those issues.

In this blog post I will share some background about why the federated model has grown considerably in the past six years, as well as highlight some of the shortcomings, both on MITRE’s side and on the side of some of the CNAs. Understanding CNAs better is essential, as they are a critical component of the CVE ecosystem. By the end of this, I think you will find that 400 isn’t nearly as big a deal as it sounds.

History of Federated CNA Growth

In September 2016, Steve Ragan published an article about MITRE / CVE’s shortcomings. The article pointed out that MITRE was severely deficient in vulnerability coverage, as it had been for a decade. Unlike other articles, or my repeated blogs, Ragan’s article, along with additional pressure from the industry, prompted the House Energy and Commerce Committee to write a letter to MITRE asking for answers on March 30, 2017. When a certain board member brought it up on the CVE Board list, and directly told MITRE that their response should be made public, MITRE did not respond to that mail in a meaningful manner and ultimately never shared their response to Congress with the CVE Board.

This congressional pressure was arguably when MITRE went into overdrive and started minting new CNAs. While this approach is certainly a great way to effect better vulnerability coverage within CVE, it shouldn’t be overlooked that this was another way for MITRE to offload more of their work (while not receiving any less money from the Department of Homeland Security each year).

It’s difficult to tell if this rate and growth will persist since I don’t know all of the details for minting a new CNA. I do know that MITRE will continue to try to keep it up as CNAs offload a considerable amount of their work. This is more the case in the last couple of years as MITRE has stopped reviewing and editing CVE descriptions completely. 

Minting a New CNA

While I spent ten years as a volunteer on the CVE Editorial Board, now just called the CVE Board, I was not involved in minting CNAs. However, it is pretty easy to deduce what is involved in the process. There are a few pieces of information I do not have and am curious about including time it takes, start to finish, to mint a CNA, as well as how MITRE chooses organizations to approach to become one.

Otherwise, MITRE will reach out to an organization with the pitch of becoming a CNA. I am sure it is about greater good, better supporting customers for upgrading/patching vulnerabilities, and the usual pro-security themes. After the dialogue is established, MITRE will present the official CNA rules and how they will operate as far as assigning IDs. On the surface this seems simple but in reality there are a lot of rules about when a CNA is allowed to assign versus when they need to go to their upstream CNA.

Once the ‘training’ (if there is any) or documentation consumption is finished, the organization presumably needs to have some form of advisory process on their side. I say presumably because, believe it or not, I don’t think that is actually a requirement. More on that later! After the organization says “All good”, MITRE will announce the new CNAs for that week on a Tuesday, for some reason.

Tracking CNAs, Even “Hidden” Ones

After minting the CNA, MITRE will typically announce the new organization via its Twitter account and the CVE website. On occasion, according to MITRE, they do not announce some new CNAs, which I personally find interesting. I can’t figure out why an organization agrees to be a CNA, agrees to be on a private mail list, and agrees to be publicly listed in multiple places (CVE web site, GitHub project material, etc.), but not to be announced on Twitter or CVE News. Some examples include Absolute Software, ConnectWise, Dassault Systèmes, and several more.

When this happens, MITRE still adds them to the GitHub CVEProject’s CNAsList.json file. Note that this is the copy to use, rather than the one in the repo that hasn’t been updated for five months. While this list is extremely helpful, there are still times when a CNA will vanish without reason. In some cases it is due to acquisition, where a company that is a CNA gets acquired by another company that is also a CNA.

There are cases where a CNA vanishes and it isn’t made clear why. Google Open Source Software was minted December 6, 2022 and no longer appears in the CNAsList.json file. I’d guess it got folded into one of the other Google CNAs, as there are multiple. Netgear was minted on March 14, 2017 and announced via CVE News, but not Twitter. Since then it has been removed from the CNAsList.json file seemingly without explanation. Riverbed Technologies was minted on April 3, 2020 and has the same disposition as Netgear.

Finally, while pedantic and seemingly of no concern, it’s also curious why there are five CNAs that received a CNA-2001 ID, while all being minted in 2021. Presumably this is due to a typo, but three times out of just over sixty mintings in 2021 seems high, when there isn’t a similar percentage in other years. There are also times a CNA will receive a CNA-YEAR ID that is not the year they were minted in. Often it is within ~60-90 days of minting and the YEAR is off by one, which I would chalk up to administrative process. However, ASUSTOR, Inc. received a CNA-2021 ID while being minted in 2017, and serves as yet another oddity.

Given the nature of the CNAs that operate publicly to assign CVE IDs, I personally believe there should be more transparency in their minting and de-minting. This, along with a more robust interface with filters and metadata, would make it easier for researchers to determine which CNAs would be useful. Further, the CNAsList.json file does not track the date they were minted, which seems like a serious oversight. Finally, unless there is a technical reason preventing it, CNA IDs should be changed to correspond to the year they were minted. Consider that at the time of publication, the CNAsList.json file shows 398 CNAs while the CVE web site only shows 397. A little more rigor and attention to detail is certainly needed.
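Since the published list carries no minting date and CNAs drop out of it without explanation, the practical workaround is to keep your own ledger built from periodic snapshots of the file. The script below is an added example, not code from the blog or from the CVE project: it diffs two snapshots, records the first and last date each CNA was seen, marks CNAs that have vanished, and flags CNA IDs whose embedded year is far from the year the CNA first appeared (an off-by-one year is tolerated, matching the administrative slop described above). The field names `cnaID`, `shortName` and `organizationName`, and the `CNA-YYYY-NNNN` ID format, are assumptions about the live CNAsList.json; the snapshots and organizations are constructed for the example.

```python
import json

# Constructed sample snapshots of CNAsList.json, as if fetched on two dates.
# Field names and the CNA-YYYY-NNNN ID format are assumptions about the
# real file; every organization below is made up.
SNAPSHOT_OLD = json.dumps([
    {"cnaID": "CNA-2017-0101", "shortName": "netco",   "organizationName": "Example Networking Co."},
    {"cnaID": "CNA-2020-0202", "shortName": "riverex", "organizationName": "Example River Technologies"},
    {"cnaID": "CNA-2021-0303", "shortName": "assetex", "organizationName": "Example Asset Software"},
])
SNAPSHOT_NEW = json.dumps([
    {"cnaID": "CNA-2017-0101", "shortName": "netco",   "organizationName": "Example Networking Co."},
    {"cnaID": "CNA-2021-0303", "shortName": "assetex", "organizationName": "Example Asset Software"},
    {"cnaID": "CNA-2001-0404", "shortName": "typoco",  "organizationName": "Example Typo Corp."},
    {"cnaID": "CNA-2024-0505", "shortName": "ossex",   "organizationName": "Example OSS Foundation"},
])


def load_cnas(text):
    """Parse a snapshot into {cnaID: record}, rejecting duplicate IDs."""
    by_id = {}
    for rec in json.loads(text):
        cna_id = rec["cnaID"]
        if cna_id in by_id:
            raise ValueError(f"duplicate cnaID in snapshot: {cna_id}")
        by_id[cna_id] = rec
    return by_id


def diff_snapshots(old_text, new_text):
    """Report CNAs added and removed between two snapshots, plus the counts."""
    old, new = load_cnas(old_text), load_cnas(new_text)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "count_old": len(old),
        "count_new": len(new),
    }


def update_ledger(ledger, snapshot_text, seen_on):
    """Fold a snapshot (taken on ISO date seen_on) into the ledger.

    ledger maps cnaID -> {shortName, first_seen, last_seen, vanished, baseline}.
    first_seen is the best available stand-in for a minting date; entries from
    the very first snapshot are marked baseline, since their real minting date
    predates the ledger and first_seen says nothing about it.
    """
    first_update = not ledger
    current = load_cnas(snapshot_text)
    for cna_id, rec in current.items():
        entry = ledger.setdefault(cna_id, {
            "shortName": rec["shortName"],
            "first_seen": seen_on,
            "last_seen": seen_on,
            "vanished": False,
            "baseline": first_update,
        })
        entry["last_seen"] = seen_on
    for cna_id, entry in ledger.items():
        entry["vanished"] = cna_id not in current
    return ledger


def id_year(cna_id):
    """Extract YYYY from an assumed CNA-YYYY-NNNN identifier."""
    parts = cna_id.split("-")
    if len(parts) != 3 or parts[0] != "CNA" or not parts[1].isdigit():
        raise ValueError(f"unexpected cnaID format: {cna_id}")
    return int(parts[1])


def id_year_mismatches(ledger, tolerance=1):
    """List (cnaID, id_year, first_seen_year) where the ID year is more than
    `tolerance` years from the year the CNA first appeared. Baseline entries
    are skipped because their first_seen is not a minting date."""
    out = []
    for cna_id, entry in sorted(ledger.items()):
        if entry["baseline"]:
            continue
        seen_year = int(entry["first_seen"][:4])
        year = id_year(cna_id)
        if abs(year - seen_year) > tolerance:
            out.append((cna_id, year, seen_year))
    return out


if __name__ == "__main__":
    print(diff_snapshots(SNAPSHOT_OLD, SNAPSHOT_NEW))
    ledger = update_ledger({}, SNAPSHOT_OLD, "2024-08-01")
    update_ledger(ledger, SNAPSHOT_NEW, "2024-08-13")
    print([k for k, v in ledger.items() if v["vanished"]])
    print(id_year_mismatches(ledger))
```

Run it against the real file by replacing the constructed snapshots with the contents of CNAsList.json fetched on different days; persisting the ledger between runs (for example as JSON) turns it into the minting-date record the official list lacks.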

Why 400 Just Isn’t So

Earlier in this blog I said that an “organization needs to have some form of advisory process on their side presumably”, and the emphasis is really on the last word. You would think this a natural component of the workflow of minting a CNA that publishes advisories. While tracking CNAs over the years, one thing that stood out to me was the number that were minted but had no public advisories. More peculiar was that many of the vendors had either had vulnerabilities disclosed in their products by researchers or, odder still, had themselves published advisories prior to minting.

To me, part of the training process of becoming a CNA should be to actually assign CVE IDs to your previously disclosed vulnerabilities. What better way to learn the process and ensure your historical disclosures were cataloged? It also gives the new CNA a great opportunity to consolidate their prior disclosures, standardize them, update old advisories, and index them in a helpful format.

So how many times have there been cases of “No Advisories at Time of Minting” (NAaToM)? A considerable 55 times, the first in 2017.

I understand that some organizations have no prior disclosures, often despite there being publicly disclosed vulnerabilities in their products. However, it seems odd to me that MITRE is chasing such organizations while there are many hundreds that steadily produce advisories already, and still are not CNAs. This, to me, leads to the notion that MITRE is minting anything they can because the numbers look good and “reflect” (not really) them doing a good job in maintaining and growing the CNA ecosystem. This is disingenuous in my opinion and illustrates that it isn’t about running a mature federated model; rather, it is MITRE just maintaining an appearance, as it reflects many millions of dollars of income each year.

Parting Thoughts

In the context of CNAs, there is a lot more to it. They are literally a backbone of the CVE ecosystem and represent more CVE assignments than MITRE does themselves. Understanding the major players can really help you understand the flow of assignments.

I had originally planned to make this blog more comprehensive, covering some CNAs that do not adhere to the official CNA rules, the CNAs that do nothing to stop the CVE farmers, the CNAs that have the best and worst CVE descriptions, and more. I had thought to point out the volume of CVE assignments by CNA over time, but I am pretty sure that has been done by the newly minted “data scientists” dabbling in this field.

The bottom line is that not all CNAs are created equal. The second important point to remember is that NVD and its slowdown is not the only part of the CVE ecosystem. So as early as tomorrow, we may see two or three more CNAs minted and MITRE subsequently announce they reached 400! It’s a milestone! A great achievement! A testament to blah blah blah. In reality, if a CNA isn’t minting CVE IDs, are they really a CNA? If not, then they still have 57 – 58 more mintings to go.

“OK Copilot, give me your best. Create an abstract image of a nature-based federated ecosystem with trees and goofy animals, where each one is not the same, and some are worthless.”

[8/14/2024 Update: As I expected, MITRE hit 400 CNAs yesterday. Yay?]

[8/16/2024 Update: Ironically, two of the three CNAs minted this week had no advisories at time of minting. However, one of them has prior disclosures and did not convert their blogs into advisories and populate the page. The third had a single disclosure, just a link to a CVE entry, and not their own advisory.]

[6/1/2025 Update: Scooterthetroll has done analysis of CNAs and determined that 106 out of 458 (23%) have not assigned a CVE.]
