The rise of a unique vulnerability disclosure system in China adds complexity to global cybersecurity. Unlike the globally recognized CVE system, China manages two separate databases: the CNVD and CNNVD. These systems operate independently, with varied disclosure timelines and priorities, often keeping vulnerabilities hidden from Western defenses for significant periods.
Information Asymmetry and Security Risks
This dual-database system creates a significant security challenge through informational asymmetry. When the public release of vulnerability information is delayed, threat actors can exploit security gaps in widely used software, such as Microsoft OneDrive, before global patch cycles can address these issues. This delay poses a substantial risk to enterprise security teams that depend on timely data to prioritize their responses.
When vulnerabilities are reported in Chinese systems months before appearing in the U.S. National Vulnerability Database (NVD), organizations face a blind spot for potential threats. For instance, a Microsoft OneDrive DLL hijacking vulnerability was documented in Chinese databases long before a CVE was issued internationally. This time lag allows attackers to exploit these ‘Red Vulns’ while bypassing standard detection protocols and establishing a foothold in compromised networks.
Understanding the Dual Database System
Researchers at Bitsight conducted an in-depth analysis of publication timelines across both Chinese and global databases. Their findings indicate that while CNNVD largely mirrors the MITRE CVE list, CNVD often operates on its own timelines with unique entries. This analysis illustrates the growth of these databases, showing how Chinese authorities have expanded their repository to match global standards.
The critical insight, however, lies in the strategic delays in the disclosure process, transforming vulnerability data into a national security asset rather than a public utility. This systematic delay in releasing details of high-severity vulnerabilities leaves global defenders without the necessary Indicators of Compromise (IOCs) to identify early-stage attacks.
Mitigating the Impact of Strategic Delays
The most alarming aspect of this situation is the intentional delay in providing high-severity vulnerability details to the international community. This tactic effectively conceals the infection vectors of new exploits, depriving global security teams of vital information needed to detect and respond to threats. A significant portion of CNVD entries do not align with a CVE immediately, creating a ‘shadow’ inventory of security flaws.
To counter this issue, security professionals are advised to expand their intelligence sources beyond the NVD. By incorporating data from databases outside the NVD, such as China's CNVD and CNNVD, organizations can achieve a more comprehensive understanding of the threat landscape.
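The cross-referencing this advice implies, as an added example that is not from the article or from Bitsight's analysis: it takes a constructed CSV feed (source, identifier, publication date, CVE mapping) with placeholder identifiers, measures how many days each CVE was visible in CNVD/CNNVD before its NVD publication, and lists entries with no CVE mapping, the ‘shadow’ inventory described above. The feed format and the 30-day threshold are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

@dataclass
class Record:
    source: str            # "CNVD", "CNNVD" or "NVD"
    vuln_id: str           # the database's own identifier
    published: date        # publication date in that database
    cve: Optional[str]     # CVE mapping, if the database provides one

def parse(line: str) -> Record:
    """Parse one constructed CSV row: source,id,published,cve (cve may be empty)."""
    src, vid, pub, cve = line.split(",")
    return Record(src, vid, datetime.strptime(pub, "%Y-%m-%d").date(), cve or None)

# Constructed sample rows with placeholder identifiers (not real database entries).
FEED = """\
CNVD,CNVD-EXAMPLE-001,2024-01-10,CVE-0000-EXAMPLE1
NVD,CVE-0000-EXAMPLE1,2024-04-15,CVE-0000-EXAMPLE1
CNNVD,CNNVD-EXAMPLE-002,2024-02-01,CVE-0000-EXAMPLE2
NVD,CVE-0000-EXAMPLE2,2024-02-03,CVE-0000-EXAMPLE2
CNVD,CNVD-EXAMPLE-003,2024-03-05,
"""

def records() -> List[Record]:
    return [parse(l) for l in FEED.splitlines() if l.strip()]

def reconcile(rows: List[Record]) -> Tuple[Dict[str, int], List[str]]:
    """Return (days each CVE was public in CNVD/CNNVD before NVD, ids with no CVE)."""
    first_seen: Dict[str, date] = {}   # cve -> earliest non-NVD publication date
    nvd_dates: Dict[str, date] = {}    # cve -> NVD publication date
    shadow: List[str] = []             # entries that map to no CVE at all
    for r in rows:
        if r.source == "NVD":
            nvd_dates[r.cve] = r.published
        elif r.cve is None:
            shadow.append(r.vuln_id)
        else:
            first_seen[r.cve] = min(r.published, first_seen.get(r.cve, r.published))
    lag = {c: (nvd_dates[c] - d).days for c, d in first_seen.items() if c in nvd_dates}
    return lag, shadow

def prioritise(lag: Dict[str, int], threshold_days: int = 30) -> List[str]:
    """CVEs whose NVD publication trailed the Chinese databases by more than the threshold."""
    return sorted(c for c, days in lag.items() if days > threshold_days)

if __name__ == "__main__":
    lag, shadow = reconcile(records())
    print("lag (days):", lag, "| unmapped:", shadow, "| late:", prioritise(lag))
```

In practice the rows would come from each database's export rather than an inline string, but the reconciliation logic is the same.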
In conclusion, the dual vulnerability databases maintained by China present a considerable challenge to global cybersecurity efforts. By recognizing and adapting to these systems, security teams can better protect their networks and minimize exposure to potential threats.
