Why does China spot security vulnerabilities quicker than the US?

Hackers could have a head start on researching exploits that US firms have not yet caught wind of

In a world of state-sponsored hackers, highly motivated cybercrime gangs and determined hacktivists, mitigating software vulnerabilities is an essential part of the job for IT security teams. Many look to authoritative centralised sources to help manage their risk exposure, like the US government’s National Vulnerability Database (NVD). However, new research has found that bugs appear far quicker in the Chinese equivalent: the CNNVD.

This not only means Chinese firms could theoretically make themselves more resilient to attack quicker than their Western counterparts, but it could actively give hackers a head start on researching exploits that US firms may not yet have caught wind of. Given the huge resources Washington ploughs into offensive cyber-operations, it’s surely not much to ask that it gets more proactive about helping organisations’ vulnerability management efforts.



Recorded Future analysed 17,940 vulnerabilities between September 2015 and 2017, examining how many days after the initial public disclosure they appeared in the NVD and CNNVD. It found an average delay of 38 days for NVD, versus just 13 days for CNNVD. In fact, the CNNVD captures 90% of all vulnerabilities within 18 days, while the NVD takes 92 – an even bigger gap.
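The two numbers quoted above (average delay, and the day by which 90% of entries are captured) are simple to compute for any feed you rely on. The script below is an added illustration, not the article's or Recorded Future's own tooling; it runs over constructed, clearly labelled placeholder records and treats an entry a database has not yet published as still uncovered, which is the case the 1,746 missing CVEs represent.

```python
"""Measure how long a vulnerability database lags initial public disclosure."""
from datetime import date
from math import ceil
from statistics import mean

# Constructed sample records (placeholder ids, not real CVE data):
# (id, initial public disclosure, date listed in NVD or None, date listed in CNNVD or None)
RECORDS = [
    ("CVE-PLACEHOLDER-01", date(2016, 1, 4),  date(2016, 1, 10), date(2016, 1, 6)),
    ("CVE-PLACEHOLDER-02", date(2016, 2, 1),  date(2016, 2, 13), date(2016, 2, 4)),
    ("CVE-PLACEHOLDER-03", date(2016, 3, 1),  date(2016, 3, 21), date(2016, 3, 6)),
    ("CVE-PLACEHOLDER-04", date(2016, 4, 1),  date(2016, 5, 1),  date(2016, 4, 9)),
    ("CVE-PLACEHOLDER-05", date(2016, 5, 2),  date(2016, 6, 16), date(2016, 5, 15)),
    ("CVE-PLACEHOLDER-06", date(2016, 6, 1),  date(2016, 7, 9),  date(2016, 6, 11)),
    ("CVE-PLACEHOLDER-07", date(2016, 7, 1),  date(2016, 9, 2),  date(2016, 7, 19)),
    ("CVE-PLACEHOLDER-08", date(2016, 8, 1),  date(2016, 10, 10), date(2016, 8, 31)),
    ("CVE-PLACEHOLDER-09", date(2016, 9, 1),  date(2016, 9, 23), date(2016, 9, 5)),
    ("CVE-PLACEHOLDER-10", date(2016, 10, 3), None,              date(2016, 10, 10)),
]
NVD, CNNVD = 2, 3  # column index of each database's listing date

def delays(records, column):
    """Days from disclosure to listing for each record; None if not yet listed."""
    return [None if r[column] is None else (r[column] - r[1]).days for r in records]

def average_delay(records, column):
    """Mean delay over the entries the database has actually published."""
    return mean(d for d in delays(records, column) if d is not None)

def coverage_day(records, column, fraction=0.9):
    """Smallest delay (days) by which `fraction` of ALL records are listed.
    Returns None when the database has not published enough entries to reach it."""
    published = sorted(d for d in delays(records, column) if d is not None)
    needed = ceil(fraction * len(records))
    if needed > len(published):
        return None
    return published[needed - 1]

def missing_from(records, column):
    """Ids of disclosed vulnerabilities still absent from this database."""
    return [r[0] for r in records if r[column] is None]

if __name__ == "__main__":
    for name, col in (("NVD", NVD), ("CNNVD", CNNVD)):
        print(f"{name}: mean delay {average_delay(RECORDS, col):.1f} days, "
              f"90% captured by day {coverage_day(RECORDS, col)}, "
              f"missing {missing_from(RECORDS, col)}")
```

Point the record list at your own feed's timestamps and the same functions tell you whether a scanner keyed on that feed would have known about a bug before or after exploit code was circulating.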

The explanation appears to lie with how the two databases are managed and operate. The NVD is managed by the Security Testing, Validation and Measurement Group of the Information Technology Laboratory of the National Institute of Standards and Technology (NIST). However, it only includes CVEs (vulnerabilities) once they have been published in the CVE Dictionary run by the non-profit MITRE Corporation. MITRE is responsible for managing the entire CVE process, including the selection and management of CVE Numbering Authorities (CNAs). Major software developers like Oracle and Microsoft are CNAs. They typically disclose info about a vulnerability, its potential impact, any affected products and available patches in a security bulletin on their website. However, at this point the process breaks down as they don’t automatically then update the MITRE CVE Dictionary. As Recorded Future explains:

“NVD publication delays of weeks and months occur because NIST and MITRE are waiting for the voluntary submissions of the vendors and CNAs associated with the vulnerabilities. MITRE manages the process, but doesn’t enforce timely submissions to the CVE Dictionary. NVD uses the CVE Dictionary as its sole source. The end result is that there is no U.S. government ‘comprehensive cybersecurity vulnerability database’.”

On the other hand, the CNNVD isn’t directly integrated into the CVE assignment process, but instead monitors the web extensively for vulnerability information and then lists that data in a centralised place. Because it doesn’t rely on voluntary industry submissions, it gets information into the hands of IT security teams much quicker.


Way too slow

Recorded Future found 1,746 CVEs currently available in CNNVD that aren’t in the NVD. What does this mean? In short, that Chinese firms following the database and implementing its findings are more likely to be better protected than those relying on NVD. It also means that any hackers wanting to capitalise on the tardy NVD can use the info in the CNNVD to craft exploits with a good chance of success, at least against those organisations relying on the US database.

The black hat community has always been more agile than those tasked with defending infrastructure. But in this case the US government appears to be helping them with a system which fails to publish new CVEs quickly enough. Recorded Future claimed that privilege escalation vulnerability CVE-2016-5195, aka ‘Dirty Cow’, was detected and disclosed on 19 October 2016, translated and published on a Russian cybercrime forum two days later, and proof-of-concept exploit code was made available in less than a week. So, hackers had the tools to use this in an attack for two weeks before the CVE finally found its way onto the NVD on 10 November. By contrast, it was up on the CNNVD just two days after the initial disclosure and 20 days before the NVD.

There are some caveats, Recorded Future Chief Data Scientist, Bill Ladd, tells me. “Users of CNNVD have quicker access to a more complete centralised resource for vulnerability information than do users on NVD. However, CNNVD entries in many cases are not as comprehensive as NVD, and users still must act on the information to be protected,” he says.


Time to get proactive

However, this is a serious issue, and one not merely confined to the US: the CVE identifier system and NVD “are used world-wide as basic infrastructure for describing vulnerabilities and determining risk”, claims Ladd. With White House advisers warning in August of an impending 9/11-style attack on the nation’s critical infrastructure (CNI), these organisations are particularly exposed by deficiencies in the NVD system.

“Every industry needs access to comprehensive and timely vulnerability information, CNI included,” Ladd explains. “Hackers in particular are actively looking for relevant vulnerabilities for CNI, so it is even more important to manage vulnerabilities in these applications than most.”

This is all a moot point, of course, if organisations don’t act on the information they receive. As the WannaCry ransomware campaign proved, there are still hundreds of thousands out there failing to apply critical patches. Fraser Kyne, EMEA CTO at Bromium, claims that a whole new approach is required which bypasses the need for resource-intensive emergency patching.

“It is simply impractical to expect enterprise organisations to continually upgrade – even when they have licences, the actual deployment creates huge disruption, or in some instances would require an entire hardware refresh and result in huge upfront capital costs. We need to accept that reality, understand that enterprises are not in a position to constantly patch and upgrade, and apply security that meets the needs of the real world, not the ideal one,” he tells me.

“Micro-virtualisation – whereby individual web pages, documents and workloads can be performed in isolated containers – is the only practical solution to address this problem. By isolating applications, then even if a hacker does take advantage of an unpatched vulnerability, the threat is contained.”

In the meantime, the NVD should “extend its mission to proactively gather vulnerability information as its Chinese counterpart (CNNVD) does”, to make us all that bit safer, according to Recorded Future. We know now, thanks to the Vault7 and Shadow Brokers leaks, exactly how extensive the US government’s research is into exploits for use in offensive operations against nation states. It might also want to think a little more about helping to protect its own from cyber threats first.