LABScon Replay | Is CNVD ≥ CVE? A Look at Chinese Vulnerability Discovery and Disclosure

The US is still lagging behind China in terms of vulnerability discovery and disclosure. While the gap between the US National Vulnerability Database (NVD) and the Chinese NVD (CNNVD) has slightly shrunk over the last 5 years, there are still hundreds of vulnerabilities registered in China that are yet to be listed on the US NVD. The CNNVD is a known subsidiary of the Chinese Ministry of State Security’s Technical Bureau, which drives Chinese cyber espionage, and has a history of altering CVE disclosure dates and providing APT groups with exploits.

This talk walks through the discovery of a CNVD that is not listed on the US NVD, and the larger picture behind the discovery and disclosure of vulnerabilities in China. Kristin covers how and where they are sourced, including a newly discovered sourcing event, the scope of disparity between US and Chinese vulnerability reporting, and how researchers can proactively hunt to close this knowledge gap between US and Chinese CVEs.

Is CNVD ≥ CVE? A Look at Chinese Vulnerability Discovery and Disclosure.mp4: Audio automatically transcribed by Sonix

Is CNVD ≥ CVE? A Look at Chinese Vulnerability Discovery and Disclosure.mp4: this mp4 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.

Kristin Del Rosso:
Hi, everyone. I'm Kristen and I work at Sophos. And today we are going to be talking about the gaps between the US and Chinese vulnerability databases.

And this is an area I've spent a lot of time on. Really, it's like a random rabbit hole. But how it started was I was threat hunting and I came across a vulnerability that was listed on the CNBC. So a database in China, but there was zero record of it in any US vulnerability databases. And so I was like, okay, well, what does it do? Who's it targeting? But also, is there any other vulnerability? Like how many other ones are out there that they are aware of that we are not aware of?

And it turns out there's a lot of vulnerabilities missing. And on top of that, they have a history of altering data and using high value cves for their own purposes. And so I think it's a gap that's really necessary to close. And they also made my slides really difficult because as I was trying to finish it, they were like deleting web pages and I was trying to get screenshots in. So like if I wasn't making the slide deck, I wouldn't have seen them doing this.

So how I want to work through this agenda is starting with just some key players in the vulnerability space. You know who they are. We know a few of them and it's the data I was using for my analysis.

Kristin Del Rosso:
Then I want to jump into the vulnerability that kind of kickstarted this whole investigation and who it's targeting and what we found. And then after that, I think it takes it makes sense to if you just take a step back to understand the context of the history of China's and their government's involvement in the vulnerability space, they're so how they source them, how they deal with the people who are submitting them and how the manipulations are gone for several years.

And then after that, there's a project that a friend and I who couldn't be here today. We've been working on trying to automate this gap analysis. And so I'll go through some of the challenges that we've faced working on automating that as well as what we found.

Okay, So the who's who in the vulnerability space, there's four on here and four of them that I was pulling data from. The two on the left you will probably know of you have the National vulnerability database as well as MITRE CVE project. You know, they are sponsored by the NSA. And then also MITRE's is sponsored by CISA and then DHS. You know us very common. I think everyone in the room knows what they are. Then on the left hand side, the right hand side, you have two in China. And these acronyms are going to get really annoying to say there's the C, N, and NVD, and then the CNVD, and then you also have CVEs.

Kristin Del Rosso:
So we're going to have lots of like mouth jumbles in this talk, but the CNNVD, it's run by CNITSEC, which is an arm from the Ministry of State Security in China. And that would essentially be like if we had the CIA running our NVD program. And then you have the China National Vulnerability Database that's managed by like a China cert, which they say they're non-government non profit, kind of questionable, don't really believe that. But people when they talk about Chinese vulnerability databases, they tend to say, oh, the China vulnerability database, like lumping it all in one.

Those two websites are actually very different, run by different people, have drastically different content. Some research was done in 2017, and 2018 that I'll get into later on the CNNVD, but no one's kind of paying attention to CNVD, who I think is like the new troublemaker that people should be paying attention to.

There's two more things I want to point out. If you look at the green numbers at the bottom, those are numbers that I pulled on September 16th. Those are the number of vulnerabilities that have been submitted to each website as of that date. And there's kind of some important things to note here.

On the left in the US, the gap between those two, it's 50 vulnerabilities. If you're going solely by count, the NVD has 99.9% of the vulnerabilities that the CVE website has. But on the Chinese side there is a 91% coverage gap.

Kristin Del Rosso:
So it's about 18,000 vulnerabilities missing between those two Chinese vulnerability databases. But then you have a different problem where the CNNVD has about what is it, 12,000 more vulnerabilities than any of our databases. And the CNVD has about 6000 less than any of our databases. So not only is there a gap between the US and the Chinese databases, but internally they're also not syncing.

And that's a third problem where the naming convention. So if you're trying to analyze all the different vulnerabilities, you know, the naming, if they were all named the same way, that would be really useful. But they're not. So these numbering conventions here, they're actually all the same vulnerability. But at least in the US, you know, on the far right, CVE dash the year and then dash whatever the five digits are, we can search by CVV number on the NVD website or on the MITRE CVE website. Same thing.

But if you go to the Chinese websites, the far left, the CNNVD, it's year in the month and then three or four digits, whereas CNVD is year and then five digits. So not only are they kind of obfuscating their naming convention because when the vulnerabilities come in, they're not always chronologically, like in order of what you would expect them to be. And I think I stumbled across like some patterns, but not enough to be conclusive of if I was on the CNVD website, if it started with a four, sometimes like it would not have a CVE mapping, but if it was a five, like it would or like if it was a Microsoft product, the middle number would be a three versus like Oracle would be a four. Like they were some patterns, but then it would kind of break after a little bit.

But so they're obfuscating it in a way which I guess makes sense. But worst part about all of this is if you're on the CNNVD website, you can search their database by CNNVD ID or CVE, but you can't search by the other Chinese format and vice versa. Same for that website. So if I'm on the CNVD website, I can search by CNVD or CVE but not by CNNVD, so they've made it really difficult to kind of close the gap between their own two country databases.

And also the other point I want to make here is if you look at the dates of these are all the same vulnerability, but the official government run Chinese website got it in April, the nonprofit got it in May, and we didn't get it till December. So we are also drastically behind on how quickly we respond to closing these vulnerability gaps. And it's just we have very different systems and we can get into this later, but we don't do the best job with encouraging reporting, trying to like incentivizes it.

Kristin Del Rosso:
They have honor management, they have certificates and awareness. You have to register to submit vulnerabilities, and we don't do any of that. It's kind of like on your own honor, like submit it if you find something and we have a backlog of we have CNAS, which are CV naming authorities basically like Sophos or Oracle. If I find a bug in Sophos, Sophos will take care of it. But if you submit a vulnerability for a product that does not have a company on that CNA board, it kind of sits in this like limbo. We'll get to it when we get to it. Depending on severity. We're trying is very proactive in kind of closing that vulnerability gap and going out to get them.

So this is kind of what started the rabbit hole. CNVD-2021-28277. So I was threat hunting with a friend and we came across a box that just had, you know, it was initially very suspicious. Chinese IP address improperly secured, and it had a list of vulnerabilities and exploits and a list of what appeared to be 205 potential targets. 137 of which were regional Subdomains, and that's the sacred corporation of China.

And it was basically listing through every region in China, of all the energy providers, their mail servers, their online payment portals. And I was like, okay, why? Who's going after the Chinese energy grid? And so what I did is digging further. I thought it was odd.

Kristin Del Rosso:
It appeared to be a Chinese speaking user. The exploits and the comments were in Chinese. They were the vulnerabilities were linked to CNVDs as well as CVEs. But so I thought it was odd. Maybe it was a pen tester, but is it an authorized pen tester? Why is it available on the internet? I shouldn't be finding this. It was just all very odd.

So I started digging and I went through all the files on here, which you can see three of the exploits on there. They were mapped to vulnerabilities that had cves. But then at the very bottom, I came to read_log.txt, and this was an error message. This really unique string up top, this ui/extend/varkind/custom.jsp and this is the error message. And so I started googling around that and also is a useful tool, so I recommend it to anyone. If you're trying to find code or strings or from repos, it has a great repo search function.

So I was just googling around and I end up coming across some blog posts that said this is a really common error message for a proof of concept for this vulnerability, which is 2021-28277, which is basically an arbitrary file read vulnerability for this obscure Chinese software like an office automation software. So we know what it is, you know, like some Chinese software. But then I wanted to figure out who it could potentially be targeting.

Kristin Del Rosso:
I tried Shodan, I tried Census, didn't get any results. Then I came across from one of the blog posts explaining how to use this vulnerability. And they included like this lovely screenshot of like what to search for. So I put it in and what I thought was interesting was forget the fact that Shodan and census didn't give me any results, but this expectedly gave me a results in China, but it also gave me 53 results in the United States. So I was like, Who in the US is using this weird LAN Lang office automation software?

So off the bat I thought that was interesting, that there's a vulnerability that we don't have that also has a presence to be exploited in the United States. Let's dig a little bit further. Like, is it being used? Is it are they targeting energy grids based on that list or what?

And so this is where I finally came across this thing where a blog post after blog post. I found this reference to H.W. and that seemed a bit odd, couldn't find anything, but then it turned out to be a transliteration error where instead of H.W., they meant HPV. And so then once I figured that out with the right Chinese characters to search after, there's this thing called the HPV action or HPV operation, and per one of their blogpost websites, it's the equivalent of a CISAs cyberstorm.

Kristin Del Rosso:
So it's this Ministry of Public Security sponsored countrywide red teaming, blue teaming event going after critical infrastructure, finances, banks, energy, all large corporations. And so this was actually a vulnerability that was used in the 2021 HVV contest. And it's something that the government actively recruits for or tries to get them out there for.

The earliest date for this contest I could find going back was 2020. And so maybe it's on the newer side. But long story short, they seem to publish the results of it every single year, and it includes vulnerabilities that we have not looked at yet. So I think also, if you're trying to stay on top of what China is doing from an offensive and defensive perspective, definitely looking at the results of HVV action would be really useful.

So that's kind of like how I found it and what it tied into. But with that context, if you take a few steps back to 2016 and get into the history of how China's been manipulating this, we literally just found a vulnerability that was used in a nationwide critical infrastructure security context that we didn't know about. So why don't we know about it?

So just for some history, in 2016, China used to have like this free, open source vulnerability reporting platform, and it's called Wu Yan. But in 2016, it got taken offline. Ten people were arrested and it wasn't really clear why. But they think that there's rumors of a vulnerability reporter from this platform actually found an error in one of the Chinese government websites and by reporting it essentially like leaked secrets, they didn't like it. It made the government kind of embarrassed. So they took it down and arrested everyone.

And from that point, they kind of took control of the vulnerability ecosystem in China. So in 2017, the Ministry of State Security banned vulnerability researchers from going overseas to like different vulnerability conferences, really trying to hoard vulnerabilities within China, understanding like they had Tian Fu Cup, they had other things, you know, they have this HVV operation and then where it gets interesting Recorded Future put out some really good research in 2017 and 2018.

First they started saying, Hey, there's a vulnerability gap. They were looking at the CNNVD and then they were theorizing also that the Ministry of State Security was influencing when vulnerabilities were published. And then finally in 2018, they confirmed that the Ministry of State Security was altering the public the publicly available data. You know, they were backdating when vulnerabilities were made public to make it seem like they had reported them six months ago, when in reality they didn't. And by their analysis of when they were actually published, you know, 99% of the time they beat the United States in terms of like speed of publication by like weeks or months. But then there were really high value vulnerabilities that somehow mysteriously were reported way, way later, just like way outliers and were tied to Chinese APT group malware.

Kristin Del Rosso:
So they were strategically hoarding vulnerabilities that they found of use because of their collective, you know, they're very good at going out and finding the vulnerabilities. And so they have a known history of already doing that on the CNNVD government run website.

But then this is where kind of like the gap analysis comes into play. And this is like my least favorite website in the entire world now, after looking at it for so long. But I went through and just pulled all the vulnerabilities in 2022 so far. So blue, you have the US Purple, the CNNVD, which is the group that was reported by Recorded Future as altering vulnerabilities. And then in green you have the CNVD.

So ever since Recorded Future called them out for altering these dates. You know, if you log in and make an account on CNN, VD, you can easily download an XML file of all the vulnerabilities published to date, and every single one of those has a matching CVE, which it didn't used to have. And also they had delayed dates. But what I find really odd is despite the fact that the NVD and CNNVD are really on par every single month, the CNVD has a half or a third, the amount of vulnerabilities that these other two websites have. So I'm looking at them.

Kristin Del Rosso:
And then so what happened? I have been on this website every day for the last month now. It's terrible. Like literally before we even started scripting this, if I just like clicked through a few too many sites, like it would block my IP address after five or six clicks like this just doesn't like you on their website. I had to change my IP address like every 5 to 10 clicks, just like go through through every state in the US. Then all these countries, like just going through my VPN there.

We mentioned like they have abnormal numbering logic. So that's a problem when you're trying to script this. It seemed like they were throttling the speed of the website. Again, they put up fake 404 is like I could have been on there looking at their home page, like I can get to their home page, no problems. And then as soon as I click on vulnerabilities, it will instantly block it, say four or four pages and exist unless I change my IP address. Now they just don't like it.

And unlike the CNNVD, where you can download an XML file, you can't do that from this website. So again, just really not easy. But so the goal from this though, we wanted to number all the potential ID combinations theoretically that could exist CNVD dash 2022 dash whatever the five digits are. So number is zero through 70,000, let's say. And so I was working initially I started realizing I was getting some false negatives in there and have to add in proxy to the script.

Kristin Del Rosso:
But so we started going through it just from the last two months alone again. So you can see in July, for example, the US, we have almost 2000 vulnerabilities. China, again, the CNBC, about the same number, CNBC had 749 and of the 749, only 717 had CVS tied to them. So that's off the bat. 32 vulnerabilities that we don't have in our records. But then the greater question is like, what are the missing 1200 vulnerabilities right there? Maybe they directly overlap with the CNNVD, but because of the naming conventions, it's very, very hard to automate and it's like really a manual process to go through and figure out what actually exists on top of each other.

And again, in August, you know, 2333, whereas CNNVD only reported 1070 and 12 of them didn't have CVEs. So it kind of leaves you with two problems. You know, you can you know what you're missing, but you also don't know what you don't know, but at least you have a starting point of where to look.

And this is where I felt like I was going insane, because you might think that if you're like, okay, well, it's good and useful to stay on top of this, but what's the point of caring about, like obscure office automation softwares in China? Like we need something useful? Well, in the last few months, you know, there was a vulnerability for a Siemens Smart energy management platform that didn't have a CVE for it.

Kristin Del Rosso:
But on the Chinese website it says Siemens published a patch, find it here and it was Siemens dot com, like there's nothing there. Or then you had this Schneider modern web server vulnerability and this was published September 2nd. This one is the bane of my existence finishing up this PowerPoint because what happened was I found it on September 2nd. But as you can tell by its labeling, this is where it was at least consistent. It's labeled 2014 like it was published September 2nd, 2022, but labeled CNVD 2014. And I flagged it to a friend. And this is how I'm not no, I'm not going crazy because I was like, Hey, look at this. This looks odd that it says 2014, but it was published then.

And so I was making my slide deck and I was like, Let me put this information in and I put in the URL to go find the CV or CNVD, and it says 404 page doesn't exist. I changed my IP address three times. It still doesn't exist. It's like taken offline. But luckily a week after I found it, I was still googling. I had all my tabs open and I found a PDF from a search talking website and it was a ten page pdf of just a ton of vulnerabilities from 2014 and this specific one was listed on there.

Kristin Del Rosso:
So I know that they've known about this vulnerability since 2014, but then the page claims not to exist. As of late two days ago when I was trying to download the PDF and like screenshot it and put it in this report. So as you can see, I tried to download it. It says failed no file. So I screenshotted the entire pdf just to keep it and look at it. But what was interesting about a week ago. This middle search result from SXX DCKJ that wasn't there a few weeks ago. And this website, maybe it's like late crawling and uploading or something, but it's as if like another vulnerability company just published the same content of the CNVD website and they said, Hey, this vulnerability was published September 2nd, 2022, and it's still online then.

So I don't know if China is going to yell at them and make them take it down, but so just this kind of shows that they are actively still altering what vulnerabilities they want you to think are available. And it makes sense that they would pivot away from the CNNVD website and move to the CNVD website. And that's kind of where we are today.

And so why I think this matters and why how we can go about this moving forward. Crowdstrike put out a report in 2022 for their global threat report, and it said China Nexus actors are deploying exploits for new vulnerabilities at a significantly elevated rate in 2021 compared to 2020.

Kristin Del Rosso:
They're changing the types of vulnerabilities they want to go after, but they have a lot more than we do. And so I think not only the lack of transparency and the fact that just in general, in terms of being aware from a defensive or offensive perspective like this would be really useful. Like this is something a gap we should work towards closing.

But also we already know that they've been giving it to APT groups when they need it. But I think a broader conversation around how we fix our reporting system is also needed because again, China does a really good like a really good job gamifying it. They incentivize people you like earn your certificates and badges. You're a top reporter and they're proactively sourcing them, whereas we don't really do that yet.

And then the last tricky step would be we can do our analysis for CNVD. We can we're already on par with CNNVD because they're not going to show us anything more. But the trouble is going to be now mapping the two Chinese websites against each other to see where that overlap actually is. But that was kind of like my rabbit hole that I went down and it was fun. I hope you liked it. So I'll take any questions. Mark, whenever you get a microphone, I can just be loud. Go for it.

Interesting rabbit hole. Googling. And it looks.

Kristin Del Rosso:
Like. Thank you. They do admit. And it looks like Japan. Germany also has one, and I have not dug into these yet. So a lot. Thousands of rubbish. How many resources are you going to give me to figure this out? Because there's a lot. But yeah, there's I think people who would consider adversaries, frenemies, friends all have their own vulnerability reporting systems. And I just think from staying on top of it, if we're trying to be proactive, we should do that maybe. So I think it's worth it. Again, scripting was a bit of a pain because this website, it was absolutely terrible JavaScript and everything, but it can be done. There's smart people here.

Yes, I have a I have a question for you, Christine. How often are you sitting around with a friend saying, Hey, let's go threat hunting? You said it twice.

Kristin Del Rosso:
Yeah, I wish. So. Thank you. Penny.

Thank you.

My friend is a staff.

Sonix is the world’s most advanced automated transcription, translation, and subtitling platform. Fast, accurate, and affordable.

Automatically convert your mp4 files to text (txt file), Microsoft Word (docx file), and SubRip Subtitle (srt file) in minutes.

Sonix has many features that you’d love including collaboration tools, secure transcription and file storage, advanced search, automated translation, and easily transcribe your Zoom meetings. Try Sonix for free today.

About the Presenter

Kristin Del Rosso works at Sophos as a product manager focusing on Incident Response, Threat Intelligence, and the SecOps ecosystem.

Previously, she was an analyst on Lookout Mobile Security’s Threat Intelligence team, with a focus on reversing Android surveillanceware, and tracking threat actors and their infrastructure.

About LABScon

This presentation was featured live at LABScon 2022, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLabs.