New Open CVDB project puts cloud vulnerabilities in the spotlight
“There is currently no universal standard for cloud vulnerability enumeration..."
A group of leading cloud security researchers have launched a new Open Cloud Vulnerability Database, in an attempt to improve the cataloguing and reporting of cloud vulnerabilities.
Director of data and threat research at Wiz, Alon Schindel; Wiz threat researcher Amitai Cohen; and AWS security expert Scott Piper of Summit Route, built the Open CVDB on the back of Piper’s long-running “Cloud Service Provider security mistakes” Github repo. (Wiz is also a sponsor of the CVDB.)
All the vulnerabilities listed in Piper’s project have been incorporated into CVDB, and the new project has its own Github repository where issues can be submitted and edited.
“There is currently no universal standard for cloud vulnerability enumeration – CSPs rarely issue CVEs for security mistakes discovered in their services, there are no industry conventions for assessing severity, no proper notification channels and no unified tracking mechanism,” said the CVDB admins.
“In most cases, CSPs respond quickly to fix the security issue on their side but the lack of standardization leaves many cloud customers vulnerable and unaware of the issues in their environments.”
Along with Piper, who has long been an advocate for better processes around cloud vulnerability reporting, Schindel has also been vocal about improving the current ad-hoc system.
In November 2021 he co-authored a post with Shir Tamari calling for a centralised cloud vulnerability database. The post pointed out that many CSP vulnerabilities don’t fall neatly into the “rough working arrangement” under which CSPs are responsible for physical security, hardware, and managed services, while users are responsible for configuration, software, identities, and data protection. It gave examples from AWS and Microsoft where the cloud providers swiftly fixed issues, but existing users were left unaffected by the fix and dependent on email notifications from the CSPs telling them they needed to address the issue themselves; perhaps needless to say, many affected users never did.
“The problem here is that users weren't aware of the vulnerable configuration and the response actions they should take. Either the email never made it to the right person, or it got lost in a sea of other issues,” wrote Schindel and Tamari.
The new Open CVDB aims to address this, by providing a standardised way for cloud vulnerabilities to be reported. Anyone can contribute to the database by creating a pull request to add an issue or edit an existing one.
On Twitter Piper said he was “thrilled” to see his list become a community-driven project, and said: “Sunlight is the best disinfectant. This will continue that.”
The CVDB admins also said they are open to feedback on the project: “It's important that this conversation continue, as we don't yet claim to have all the answers about the exact form and scope this database should have. What we hope to do here is set a milestone in the ongoing effort to make the cloud even more secure.”