Differences Revealed: Comparing the Vulnerability Databases of the USA and China
12.11.2024
ENTRYZERO
In cybersecurity, national vulnerability databases are essential for classifying and rating software vulnerabilities. Two prominent databases are the National Vulnerability Database (NVD) of the USA and the China National Vulnerability Database (CNNVD). The industry commonly uses Common Vulnerability Scoring System (CVSS) scores and their severity ratings (the CVSS model) to set priorities for measures such as patch management, which underlines how much depends on the reliability and consistency of these ratings. This blog post offers a comparative analysis of the severity ratings of 143,065 vulnerabilities published by the NVD and CNNVD between 2019 and October 2024. Our central question is: How do the two databases differ in their severity ratings of vulnerabilities? The results reveal notable differences and show how important it is to understand these deviations for global cybersecurity strategies.
Summary
In addition to the high volume and rising trend of critical vulnerabilities, and the fact that, according to the EPSS study, these account for only 37.4% of exploited vulnerabilities, the discrepancies between NVD and CNNVD severity ratings highlight important limitations when organizations rely solely on the CVSS model to prioritize vulnerabilities. As the recent studies Time to Change the CVSS and Software Vulnerability Exploitability Assessment point out, the CVSS model lacks sufficient environmental and contextual factors to assess risk accurately (among others, threat intelligence and asset criticality). These limitations underline the need for more nuanced, context-sensitive approaches such as the Stakeholder-Specific Vulnerability Categorization (SSVC). In contrast to CVSS, SSVC proposes a decision-tree model that enables individual prioritization based on the threat landscape and the specific requirements of the organization. We are developing a new model, based on over 100,000 vulnerabilities and additional threat intelligence, to address these challenges. It offers a more flexible and risk-aware approach to vulnerability assessment.
Comparative Analysis of Vulnerability Numbers and Publication Dates
NVD and CNNVD categorize vulnerabilities into four severity levels: "Low", "Medium", "High", and "Critical". These ratings guide organizations in prioritizing their security responses. For our analysis, we have considered vulnerabilities reported from 2019 to October 2024, as depicted in the table below.
Database | Total Vulnerabilities | Total Critical Vulnerabilities |
---|---|---|
NVD | 141,386 | 20,231 |
CNNVD | 143,065 | 18,349 |
The results show that both databases have cataloged a similar number of vulnerabilities over six years. Examining critical vulnerabilities reveals that the NVD has identified a slightly higher count than the CNNVD. This examination also highlights a general upward trend in critical vulnerabilities over time. The latter is illustrated in the figure below.
Analyzing the publication timelines of NVD and CNNVD discloses significant differences in their publishing speeds:
Publishing Entity | Number of Vulnerabilities Published Earlier |
---|---|
NVD over CNNVD | 31,876 |
CNNVD over NVD | 658 |
Same Publication Date | 108,931 |
The table above indicates that NVD has been more proactive in publishing vulnerability information ahead of CNNVD. Various factors, including differences in disclosure policies, resource allocation, and national security considerations, may influence this discrepancy. Understanding these dynamics is crucial for organizations to develop comprehensive and timely vulnerability management strategies.
Comparative Analysis of Vulnerability Severity
The following graphic presents a cross-tabulation of severity ratings between NVD and CNNVD over the specified period. In our data, vulnerabilities for which severity ratings were unavailable were categorized as "None". One point of note is that while NVD assigns a numeric CVSS score in addition to the severity rating, CNNVD does not provide an equivalent scoring system:
Key Observations
Alignment in Severity Ratings: Many vulnerabilities have matching severity ratings in both databases, particularly in the "Medium" and "High" categories. For instance, 57,863 vulnerabilities are classified as "Medium" by both NVD and CNNVD, and 49,026 as "High".
Discrepancies in Critical Ratings: 2,474 vulnerabilities are rated as "Critical" by NVD while CNNVD rates them lower. Conversely, 663 vulnerabilities are rated as "Critical" by CNNVD while NVD rates them lower. Together this amounts to over 3,000 rating differences at the higher end of the spectrum.
Variations in Low Ratings: 498 vulnerabilities are rated as "Low" by NVD while CNNVD rates them higher. Conversely, 530 vulnerabilities are rated as "Low" by CNNVD while NVD rates them higher. Together this amounts to over 1,000 rating differences at the lower end of the spectrum.
Missing Vulnerability Ratings: 3,829 vulnerabilities have missing ratings in NVD in the last 6 years, while 992 vulnerabilities have missing ratings in CNNVD. This leads to different assessments of the same vulnerabilities by different stakeholders. Given that many workflows and prioritization actions rely on these databases, this calls into question the reliability and consistency of this "ground truth".
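To make the two comparisons concrete (the publication-timing table above and the severity cross-tabulation in the key observations), here is an added example that is not part of the original post: a small Python script that joins two constructed feeds on CVE id, builds the (NVD rating, CNNVD rating) cross-tab, counts the "Critical in one database, lower in the other" and "Low in one, higher in the other" discrepancies, and tallies which database published first. The record format, the placeholder CVE ids and the choice to keep missing ratings out of the lower/higher counts are assumptions.

```python
from collections import Counter, namedtuple
from datetime import date

# Severity scale shared by NVD and CNNVD; "None" marks a record with no rating.
RANK = {"None": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
Record = namedtuple("Record", "cve severity published")  # id, key of RANK, date

def pair_records(nvd, cnnvd):
    """Join the two feeds on CVE id; only vulnerabilities present in both are compared."""
    cnnvd_by_id = {r.cve: r for r in cnnvd}
    return [(n, cnnvd_by_id[n.cve]) for n in nvd if n.cve in cnnvd_by_id]

def severity_crosstab(nvd, cnnvd):
    """Count (NVD rating, CNNVD rating) pairs, i.e. the cross-tabulation cells."""
    return Counter((n.severity, c.severity) for n, c in pair_records(nvd, cnnvd))

def rating_gap(table, level, direction):
    """CVEs rated `level` by NVD that CNNVD rates lower/higher, and vice versa.
    Assumption: a missing rating ("None") is counted separately, never as lower."""
    def other_side(other):
        return other != "None" and (RANK[other] < RANK[level] if direction == "lower"
                                    else RANK[other] > RANK[level])
    nvd = sum(k for (a, b), k in table.items() if a == level and other_side(b))
    cnnvd = sum(k for (a, b), k in table.items() if b == level and other_side(a))
    return nvd, cnnvd

def publication_lead(nvd, cnnvd):
    """Which feed published each shared CVE first (the rows of the timing table)."""
    lead = Counter({"NVD earlier": 0, "CNNVD earlier": 0, "Same date": 0})
    for n, c in pair_records(nvd, cnnvd):
        key = ("NVD earlier" if n.published < c.published
               else "CNNVD earlier" if n.published > c.published else "Same date")
        lead[key] += 1
    return lead

# Constructed sample feeds with placeholder ids (not real CVE entries).
NVD = [Record("CVE-EXAMPLE-1", "Critical", date(2024, 3, 1)),
       Record("CVE-EXAMPLE-2", "Critical", date(2024, 3, 5)),
       Record("CVE-EXAMPLE-3", "Critical", date(2024, 3, 10)),
       Record("CVE-EXAMPLE-4", "Low", date(2024, 4, 9)),
       Record("CVE-EXAMPLE-5", "None", date(2024, 5, 1))]
CNNVD = [Record("CVE-EXAMPLE-1", "High", date(2024, 3, 4)),
         Record("CVE-EXAMPLE-2", "Critical", date(2024, 3, 5)),
         Record("CVE-EXAMPLE-3", "Medium", date(2024, 3, 12)),
         Record("CVE-EXAMPLE-4", "Medium", date(2024, 4, 1)),
         Record("CVE-EXAMPLE-5", "Critical", date(2024, 5, 1))]
```

On the sample feeds, `rating_gap(severity_crosstab(NVD, CNNVD), "Critical", "lower")` returns `(2, 0)`, the analogue of the 2,474 / 663 split above, and `publication_lead(NVD, CNNVD)` gives the three rows of the timing table.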
It’s Time to Prioritize Beyond Severity Ratings!
In addition to the high volume and upward trend of critically rated vulnerabilities, and the fact that these account for only 37.4% of exploited vulnerabilities according to the EPSS Study, the discrepancies between NVD and CNNVD severity ratings underscore key limitations of relying solely on these ratings for patch prioritization. As the recent studies Time to Change the CVSS and Software Vulnerability Exploitability Assessment suggest, the (technical) severity rating model lacks sufficient environmental and contextual factors to assess risk accurately (e.g., threat intelligence and asset criticality). These limitations emphasize the need for more nuanced, context-sensitive approaches like the Stakeholder-Specific Vulnerability Categorization (SSVC). SSVC proposes a decision tree model that allows for customized prioritization based on the threat landscape and an organization's specific needs. We are developing a new model, trained on over 100,000 vulnerabilities and threat intelligence, that provides a more flexible and risk-aware approach to vulnerability patch prioritization. Stay tuned for more updates as we refine this model and share our findings.