The Chinese vulnerability disclosure program is lagging behind when it comes to publishing details about critical flaws and vulnerabilities exploited by Chinese-linked cyber-espionage groups.
According to a report published last month by US threat intelligence firm Recorded Future, China's National Vulnerability Database (CNNVD) far outperforms the US' National Vulnerability Database (NVD) when it comes to publishing details about vulnerabilities to the general public.
An analysis of how vulnerabilities are added to each country's vulnerability database shows that the CNNVD only takes about 13 days from when the vulnerability is discovered and added to the national database, and local companies are alerted.
On the other hand, the US NVD takes 33 days to add new vulnerabilities to its program, and the NVD is still lacking information on 1,746 vulnerabilities that are included in the CNNVD.
But in a new report published yesterday, Recorded Future has found two situations in which the CNNVD is way behind the US NVD.
For starters, the CNNVD mysteriously loses its efficiency when it comes to reporting and including details in its database about vulnerabilities with high CVSS severity scores.
The second anomaly Recorded Future analysts spotted has to do with the reporting of vulnerabilities used by Chinese APT groups. Just like in the case of high-severity bugs, the CNNVD takes longer to report on these issues when compared to other cases.
In both cases of high-threat bugs, vulnerabilities made it in the CNNVD from between 21 to 156 days after they were discovered, well above CNNVD's average reporting time.
A few particular cases stand out. For example, the CVE-2017-0199 vulnerability was added in the CNNVD 57 days later after Microsoft disclosed it, during which time several Chinese-linked cyber-espionage groups deployed it in internal and external campaigns [1, 2].
Another case that stood out was the backdoor in the Adups firmware found in several low-priced Android devices, which the CNNVD added to its database a whopping 236 days later.
Due to this huge lag in reporting, Recorded Future experts believe the backdoor was not an accident, as Adups claimed in official statements, and was "possibly associated with Chinese government surveillance" program.
Recorded Future, which is backed by the CIA and Google, also believes that the CNNVD is actually under the control of China’s Ministry of State Security (MSS), both being located in the same building, on the same floor, and using the same contact phone numbers.
Previous Recorded Future research also pointed out that the MSS is actually at the top of a branch-like structure through which it controls state-level hacking via regional agencies and private contractors.
One of the agencies under the Ministry of State Security's umbrella is also the China Information Technology Evaluation Center (CNITSEC), which has the legal power to conduct "national security reviews" of foreign companies that want to do business in the Chinese market.
According to Recorded Future analysts, the MSS has most likely imposed different reporting and evaluation procedures at the CNNVD when it comes to dealing with high-threat vulnerabilities, intentionally delaying disclosures and avoid drawing the public and private sector's attention to vulnerabilities it's using, or it deems usable for future operations.
These actions are in contrast with what's happening right now in the US after the White House has moved to declassify some of the procedures of the vulnerabilities equities process (VEP), a US government program that decides if to reveal details to tech companies about vulnerabilities in their software, or keep and weaponize the security bugs for offensive cyber-weapons.
The video below shows White House Cybersecurity Coordinator Rob Joyce explaining the new VEP rules at an event held Wednesday by the Aspen Institute.