Threat intelligence company Recorded Future has published its assessment of Russia’s national vulnerability database (NVD). The assessment is titled Pavlov’s Digital House: Russia Focuses Inward for Vulnerability Analysts.
This is the third in a series of assessments; the previous two looked at the NVDs of the USA and China. The assessment shows that Russia’s NVD is not fit for purpose.
This conclusion is remarkably simple to reach. The basic facts are that Russia’s NVD:
- publishes just 10% of known vulnerabilities
- takes on average 83 days longer than China’s NVD and 50 days longer than the US NVD to publish a vulnerability
- contains incomplete information
- focuses only on vulnerabilities that primarily threaten Russian state information systems.
The last point is important. This approach leaves Russian consumers and businesses at risk of having their systems exploited by hackers. Paradoxically, it also acts as a significant intelligence trove for foreign governments, which can infer from the published entries what technology, hardware and software Russian state institutions use.
What is a vulnerability database?
National vulnerability databases (NVDs) provide a list of known vulnerabilities affecting computer systems. An NVD should describe each vulnerability and its impact on affected systems, along with any patches issued by vendors. Vulnerabilities are ranked by severity. Vendors, researchers and IT security teams use the database to ensure that systems are patched against each identified vulnerability.
An NVD is normally taken to be a public service. Russia is different. Its NVD:
- is run by the Federal Service for Technical and Export Control of Russia (FSTEC)
- is part of the Ministry of Defence (MOD)
- has a remit to protect state systems, not those used by businesses and consumers.
According to the research report: “FSTEC also runs a vulnerability publication database, to which it provides public access via the website bdu.fstec.ru/vul. The homepage states that the purpose of the database is to ‘increase the awareness of interested persons in existing threats to information security systems’ and that it is designed for a wide range of customers, operators, developers, information security professionals, testing laboratories, and certification bodies.”
Coverage of vulnerabilities related to APTs
The under-reporting of vulnerabilities means coverage of vendors’ Common Vulnerabilities and Exposures (CVEs) is similarly skewed. When coverage of individual vendors and software is compared against the overall 10% figure, it is extremely uneven. Some vendors, such as Adobe, Linux, Microsoft, Apple and Google, are over-covered. In contrast, IBM, Huawei and the three main content management systems (CMSs) are under-covered.
FSTEC has published more vulnerabilities concerning Adobe than any other vendor. Despite this, it has failed to list over 871 Adobe vulnerabilities that have a CVSS score greater than 8. Of these, 386 have a score of 10. The CVSS scale runs from zero (least severe) to 10 (most severe). One reason for not listing the most severe vulnerabilities may be related to how Advanced Persistent Threat (APT) groups use vulnerabilities.
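The comparisons above (share of known vulnerabilities published, publication lag against a reference feed, and the number of high-severity entries a database omits per vendor) are the kind of audit a security team can run against any vulnerability source it depends on. The script below is an added example, not code from Recorded Future or from the report; all records in it are constructed, the CVE identifiers are placeholders, and the reference feed plays the role of the baseline NVD against which a secondary database is measured.

```python
"""Coverage-gap audit: compare a secondary vulnerability database against a reference feed.

Added example with constructed data. The CVE identifiers are placeholders, not real CVEs.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class CveRecord:
    cve_id: str      # constructed identifier
    vendor: str      # vendor the entry concerns
    cvss: float      # CVSS base score, 0.0 (least severe) to 10.0 (most severe)
    published: date  # date the reference feed published the entry


# Constructed reference feed: the baseline database (think of it as the US NVD).
REFERENCE = [
    CveRecord("CVE-0000-0001", "Adobe", 10.0, date(2018, 1, 10)),
    CveRecord("CVE-0000-0002", "Adobe", 8.8, date(2018, 1, 12)),
    CveRecord("CVE-0000-0003", "Adobe", 5.3, date(2018, 2, 1)),
    CveRecord("CVE-0000-0004", "Microsoft", 9.3, date(2018, 2, 5)),
    CveRecord("CVE-0000-0005", "IBM", 7.5, date(2018, 2, 20)),
    CveRecord("CVE-0000-0006", "IBM", 10.0, date(2018, 3, 1)),
    CveRecord("CVE-0000-0007", "Huawei", 9.0, date(2018, 3, 3)),
    CveRecord("CVE-0000-0008", "Linux", 6.5, date(2018, 3, 10)),
]

# Constructed secondary database: CVE id -> date the entry appeared there.
# Only a subset of the reference feed is present, and each entry arrives late.
SECONDARY = {
    "CVE-0000-0003": date(2018, 3, 2),   # 29 days after the reference feed
    "CVE-0000-0004": date(2018, 4, 26),  # 80 days after
    "CVE-0000-0008": date(2018, 5, 9),   # 60 days after
}


def coverage_ratio(reference: list[CveRecord], secondary: dict[str, date]) -> float:
    """Fraction of reference entries that the secondary database also lists."""
    if not reference:
        return 0.0
    listed = sum(1 for r in reference if r.cve_id in secondary)
    return listed / len(reference)


def mean_publication_lag_days(reference: list[CveRecord], secondary: dict[str, date]) -> float | None:
    """Average delay in days between the reference publishing an entry and the secondary
    listing it. Only entries present in both count; returns None if nothing overlaps."""
    lags = [(secondary[r.cve_id] - r.published).days for r in reference if r.cve_id in secondary]
    return mean(lags) if lags else None


def coverage_by_vendor(reference: list[CveRecord], secondary: dict[str, date]) -> dict[str, float]:
    """Per-vendor coverage fraction, which exposes over- and under-covered vendors."""
    totals: dict[str, int] = defaultdict(int)
    listed: dict[str, int] = defaultdict(int)
    for r in reference:
        totals[r.vendor] += 1
        if r.cve_id in secondary:
            listed[r.vendor] += 1
    return {vendor: listed[vendor] / totals[vendor] for vendor in totals}


def unlisted_high_severity(reference: list[CveRecord], secondary: dict[str, date],
                           min_cvss: float = 8.0, vendor: str | None = None) -> list[str]:
    """CVE ids the secondary database omits despite a CVSS score above min_cvss,
    optionally restricted to one vendor. Sorted for stable output."""
    return sorted(
        r.cve_id for r in reference
        if r.cve_id not in secondary
        and r.cvss > min_cvss
        and (vendor is None or r.vendor == vendor)
    )


def unlisted_critical_count(reference: list[CveRecord], secondary: dict[str, date],
                            vendor: str | None = None) -> int:
    """Number of omitted entries carrying the maximum CVSS score of 10.0."""
    return sum(
        1 for r in reference
        if r.cve_id not in secondary
        and r.cvss == 10.0
        and (vendor is None or r.vendor == vendor)
    )


if __name__ == "__main__":
    print(f"coverage: {coverage_ratio(REFERENCE, SECONDARY):.1%}")
    print(f"mean lag: {mean_publication_lag_days(REFERENCE, SECONDARY):.1f} days")
    for vendor, ratio in sorted(coverage_by_vendor(REFERENCE, SECONDARY).items()):
        print(f"  {vendor:<10} {ratio:.0%}")
    print("omitted with CVSS > 8:", unlisted_high_severity(REFERENCE, SECONDARY))
    print("omitted Adobe entries scored 10:", unlisted_critical_count(REFERENCE, SECONDARY, "Adobe"))
```

On the constructed data the secondary database covers 37.5% of the reference feed with a mean lag of about 56 days, and it omits four entries scored above 8, two of them at the maximum score. Run against real feeds, the same three measures (overall coverage, lag, and severity of what is missing) tell a team whether a database can be relied on for patch prioritisation.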
Recorded Future looked at the relationship between the vulnerabilities listed and APTs. The report states: “...we identified 49 vulnerabilities that had been utilized by Russian APT groups in that timeframe. Thirty of those 49 vulnerabilities, or 61 percent, were published by FSTEC. This is substantially higher than FSTEC’s average of 10 percent.”
It also compared the vulnerabilities used by APT28, which has been attributed to the Russian military’s Main Intelligence Directorate (GRU). Again, 60% were published by FSTEC.
What does this mean?
Failing to maintain a valid public NVD makes no sense. There is a real risk that any organisation, private or public, will be attacked. Attackers look to steal data, encrypt it and ransom it back, or even destroy it. They also steal credentials and other information that give them access to financial systems, allowing them to steal money.
Recorded Future offers up three hypotheses for this failure:
- FSTEC is vastly under-resourced and can only focus on key technologies for Russian users and key vulnerabilities in those technologies
- FSTEC is a military organization and is publishing “just enough” content to be credible as a national vulnerability database; the Russian government needs vulnerability research as a baseline for FSTEC’s other technical control responsibilities, such as requiring reviews of foreign software
- FSTEC has a dual offensive and information security mission and publishes only what suits it, based on the competing needs; this would be similar to how China’s NVD (CNNVD) functions.
The report concludes that the failure of Russia’s NVD is down to the second of these hypotheses.
Organisations looking to buy or integrate systems with Russian businesses need to take note. Any interaction would require a thorough review of security and patching processes. It would also require updating and bringing systems and software up to Western standards.