MITRE’s Phoning in New CNAs

Concept Image of MITRE Phoning It In

On December 17, 2024, MITRE announced five new CVE Numbering Authorities (CNAs) on their Twitter feed as well as their news page. However, according to the CNAs page, which I track daily, seven were actually added. Last year, when I asked about a discrepancy in tracking the CNAs, MITRE promptly replied to clarify. Earlier this year, when I asked about another discrepancy, I didn’t receive a reply at all. That question was basically the same as what happened on the 17th.

Why are some new CNAs occasionally skipped like this? I asked this very question last August and MITRE replied saying: 

Some organizations prefer not to be announced publicly at all, even on the news page. However, they are all listed here: https://cve.org/PartnerInformation/ListofPartners

I still don’t understand why an organization would go through the trouble of becoming a CNA, only to ask for it not to be announced. Like you may, I have my guesses. However, that isn’t the point of this blog, just one aspect that led to the actual topic. When evaluating the seven new CNAs it quickly became apparent that MITRE is phoning it in when it comes to minting CNAs. They simply aren’t taking the time to properly train CNAs in the whole process, which should include creating a proper advisory page and assigning CVEs to existing issues, but doesn’t. In my opinion, MITRE is just trying to increase the CNAs for show.

Let’s briefly look at those new CNAs and what they represent. One that wasn’t announced was Bizerba SE & Co. KG. Looking at their first advisory, we see that they do not reference CVE IDs for vulnerabilities fixed in third-party libraries. Other advisories, as recent as October, that disclose vulnerabilities in their products don’t have a CVE. That means during the minting process, MITRE doesn’t walk the CNA-to-be through assigning an ID for an actual vulnerability. That seems like a glaring oversight, or MITRE simply does not care about the core purpose of the CVE program.

Next, Cepheid is another new CNA, and their advisory page is a train wreck. Advisories are run together in a single page, there is no disclosure date (only an updated date), they don’t appear to be in a logical order, many don’t reference a fixing version, and some don’t reference the vulnerable version of the software. One advisory (“TLS Version 1.0 Protocol Detection…”) doesn’t cite CVE IDs, but rather two Tenable Nessus plugins. Their “Java Update Notification” advisory should be a huge concern to customers, as it begs the question, “What about the other hundreds of Java vulnerabilities before/after these?”

The third new CNA was Roche Diagnostics who showed only three advisories. None of the advisories reference a CVE ID which again makes me wonder, what’s the point of becoming a CNA if you aren’t referencing CVE IDs in addition to minting new IDs? It’s also concerning that Roche does not reference the CISA ICS Medical advisory covering their products with five CVE IDs.


New CNA Delinea’s advisory page blocks archive.org, which is not in the spirit of preserving vulnerability information for the long term. The biggest oversight, though, is that they don’t have advisories for more than half of the publicly disclosed vulnerabilities, many of which still lack a CVE ID. This would be a perfect opportunity for a new CNA to show they are serious about participating in the CVE ecosystem.

Unrelated to the seven new CNAs mentioned above, I was still attempting to get a follow-up confirmation about an advisory and CVE assignment from a CNA minted in 2016, Huawei. I contacted their PSIRT in March 2024 asking about a publicly disclosed vulnerability and whether it had a corresponding advisory. They replied that it “has been fixed and SA has been released to our customers” but didn’t provide a CVE ID or a link to the advisory, so I asked again. They replied again saying the “Information about this vulnerability is disclosed based on the NEED-TO-KNOW principle, including the vulnerability ID (HWPSIRT ID)” and asked me “what you need this vulnerability ID for?” When I said that we had mutual customers and that they rely on us for vulnerability intelligence, Huawei replied that the vulnerability corresponded to HWPSIRT-2023-78293.

The biggest problem with that is there are literally zero Google hits for it, meaning the ID isn’t even public. I asked yet again for a link to the advisory which they did provide, but it requires authentication to access. In my next reply I asked if there was a CVE ID associated and received no response. Jump to December when I pinged them again asking about a CVE ID and they finally replied that no, there was no CVE ID assigned. If CNAs can selectively assign IDs to publicly disclosed vulnerabilities, opting not to for some, it erodes the trust and value of the CVE program. I know that in such cases I could turn to the CNA of last resort, MITRE, to assign an ID but if I did that every time this happened, it would literally be a full-time job.

Every week that MITRE publishes newly minted CNAs, it further reinforces that it is for show. I have blogged about this previously, pointing out additional examples, the growth of CNA minting, the rising number of newly minted CNAs without a public advisory, and more. Until MITRE starts better training CNAs and, more importantly, holding them accountable, the CVE ecosystem will continue to grow, but not in a healthy way. Ultimately, this is going to have a cascading effect in the near future, where these CNAs continue to publish advisories that may or may not include CVE IDs, which causes more work than necessary for downstream customers.

We can only guess at the rationale behind the CNA minting program at MITRE but on the surface, it doesn’t seem like logic and care are being applied. So what’s the point of increasing the CNA count? If it’s not bringing value and not working toward the mission of cataloging vulnerabilities, are they being held to some standard regarding growth in that fashion? If so, by whom? Perhaps this goes back to that 2017 letter from Congress to DHS/MITRE asking questions. That is when the growth of CNAs really started.

In the meantime, if any of the companies named above would like free, detailed advice about improving the quality of their central advisory page and/or advisories, I am more than happy to take the time to assist you.


[12/28/2024 Update: Woland points out that Delinea is a company that repeatedly didn’t respond to or acknowledge a critical authentication bypass when coordinated disclosure was attempted by two parties. They only finally acknowledged it two days after a proof-of-concept came out. You can see the timeline in the researcher’s disclosure. This is not a company that should be a CNA unless held to stricter oversight.]

[2/26/2025 Update: This week, MITRE minted a new CNA (Saviynt). They stood out to me because not only do they break from a long-term historical policy, again, they do it in a new way. Traditionally, MITRE was adamant that a CVE must reference a publicly available source for provenance. In the last few years they have broken from that, largely due to being hands-off and doing zero QA on the submissions, and they allowed IDs to be assigned to advisories behind a paywall. Saviynt is a bit different in that not only do they have a paywall that requires their approval for access, but then you must sign a mutual NDA to view the advisory. There is only one advisory published there, and despite being approved, I still can’t see it. So, I don’t know if there is a new CVE ID there, an existing ID (e.g. third-party library usage), or an advisory without a CVE ID.]
