
Internet's security bug tracker faces its 'Y2K' moment

From critical exploits to the tiniest bug, many security holes receive a tracking number through the US government. The system is being revamped to handle the ever-growing number of bugs, but the cure could create problems of its own.

Seth Rosenblatt Former Senior Writer / News
Senior writer Seth Rosenblatt covered Google and security for CNET News, with occasional forays into tech and pop culture. Formerly a CNET Reviews senior editor for software, he has written about nearly every category of software and app available.

From insignificant bugs to catastrophic vulnerabilities like Heartbleed, they each get a tracking number. CNET

Unless you spent the first part of the year under a rock or offline, you've probably heard of Heartbleed. But chances are you don't know the devastating vulnerability by its proper name: CVE-2014-0160.

The three letters stand for Common Vulnerabilities and Exposures, 2014 is the year the identifier was assigned, and the last four digits are a sequence number that counts up as new entries are assigned within that year.

That number is inching ever closer to 9,999 -- and the alphanumeric combo is about to face a Y2K moment.

There's a good chance the bug number will skate perilously close to the uncharted waters of five digits this year for the first time in the nearly 15-year history of the system. And as with many 15-year-old computer systems forced to suddenly upgrade, the situation could get messy.

The CVE is both more than and less than just another vulnerability database. Mitre, a not-for-profit group that runs numerous federally-funded research and development centers, created it in 1999; starting around 2000, funding for the CVE database bounced between several government agencies until it landed permanently at the Department of Homeland Security. The CVE database provides a common identifier for sharing information about bugs and the tools used to fix them, but it lacks specifics like the risk posed by a vulnerability or detailed technical information.

Although funded by the government, the CVE list itself is maintained by Mitre.

Steve Christey Coley, a principal information security engineer at Mitre, said that even Mitre doesn't know "all the different products" that use CVEs.

"In 1999, we assigned four digits [to the CVE] because we couldn't imagine a situation where [the CVE database] would have to cover 10,000 vulnerabilities in a single year," Coley said.

A bit ruefully, he added: "Famous last words."

The CVE is governed by a 24-member editorial board, moderated by Coley, which voted in May 2013 to make the identifier variable-length: the sequence number keeps a minimum of four digits, grows to five once 9,999 is passed, and can grow to six or seven digits later without another syntax change. It was the board's first formal vote in 12 years.

Perhaps not too surprisingly, the collection of brainiacs tasked with guiding the CVE initially couldn't agree on a solution. Three finalist options were voted on, with a tie between the top two, necessitating a run-off and resulting in what Coley called "passionate" language between some board members.

"I felt like I was watching a cage match," he said. "For a dry, technical issue, things sure got personal sometimes."

But once the board made its decision on a 15-to-3 vote -- with five voting members not participating and Coley not eligible to vote -- the hard work of the CVE's Y2K moment lay ahead.

Companies, nonprofits, and government organizations from around the world have relied on a four-digit CVE, and it isn't clear how their systems will handle five digits.

Coley described some of the potential bad outcomes as genuine security risks: buffer overflows in tools that set aside fixed-size storage for a four-digit ID, and major bug identifiers being overwritten by minor ones when a tool truncates a longer ID back to four digits.

"A major flaw could be replaced by a minor open-source bug if these tools are not updated," Coley said, making it difficult -- if not impossible -- to track serious bugs.
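As an added example, not code from the article or from Mitre, the following Python shows the overwrite Coley describes. A parser written for the original fixed four-digit syntax silently truncates a hypothetical CVE-2014-10001 to CVE-2014-1000, so a later low-severity entry with that ID replaces the critical record, while a variable-length parser keeps both and sorts them numerically. The advisory feed is constructed for this example; apart from CVE-2014-0160 (Heartbleed), every identifier in it is a placeholder, and the function names are this example's own.

```python
import re

# Constructed sample advisory feed ("id,severity,title"), not real data:
# CVE-2014-0160 is Heartbleed; every other ID below is a hypothetical
# placeholder chosen to exercise five- and six-digit sequence numbers.
SAMPLE_FEED = """\
CVE-2014-0160,critical,OpenSSL TLS heartbeat read overrun (Heartbleed)
CVE-2014-10001,critical,hypothetical five-digit identifier
CVE-2014-1000,low,hypothetical minor issue in an open-source library
CVE-2014-9999,medium,hypothetical last four-digit identifier
CVE-2014-123456,medium,hypothetical six-digit identifier
"""

# 1999-era assumption: exactly four sequence digits, nothing checked after them.
OLD_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4})")

# Post-2014 syntax: four-digit year, then a sequence number of at least four
# digits with no upper bound.  The trailing anchor is what stops
# "CVE-2014-10001" from being accepted as "CVE-2014-1000".
NEW_CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def parse_id_old(text):
    """Fixed-width parse.  Longer IDs are silently cut to four digits, which is
    the failure mode Coley describes."""
    m = OLD_CVE_RE.match(text)
    return "CVE-%s-%s" % (m.group(1), m.group(2)) if m else None


def parse_id_new(text):
    """Variable-length parse.  Returns the ID unchanged, or None if the text is
    not a well-formed CVE ID (e.g. fewer than four sequence digits)."""
    m = NEW_CVE_RE.match(text)
    return m.group(0) if m else None


def load_feed(feed, parse_id):
    """Index advisories by CVE ID using the supplied parser.  With the old
    parser, a later low-severity entry can land on the same (truncated) key as
    an earlier critical one and overwrite it."""
    index = {}
    for line in feed.splitlines():
        raw_id, severity, title = line.split(",", 2)
        cve = parse_id(raw_id)
        if cve is None:
            continue
        index[cve] = {"severity": severity, "title": title}
    return index


def cve_sort_key(cve):
    """Sort numerically by (year, sequence) so CVE-2014-10001 lands after
    CVE-2014-9999; plain string sorting puts it before."""
    year, seq = NEW_CVE_RE.match(cve).groups()
    return (int(year), int(seq))


def lost_entries(feed):
    """IDs present under the variable-length parser but missing, or holding a
    different record, after the fixed-width parser has processed the same feed."""
    old = load_feed(feed, parse_id_old)
    new = load_feed(feed, parse_id_new)
    return sorted(cve for cve, rec in new.items() if old.get(cve) != rec)


if __name__ == "__main__":
    for cve in lost_entries(SAMPLE_FEED):
        print("lost or overwritten by the fixed-width parser:", cve)
    print("numeric order:",
          sorted(load_feed(SAMPLE_FEED, parse_id_new), key=cve_sort_key))
```

The same check applies to any tool that consumes CVE IDs: feed it an ID with five or more sequence digits and confirm the ID survives unchanged through parsing, storage and sorting. In languages with fixed-size buffers or zero-padded formatting of the sequence number, look for both a length limit and a numeric rather than string comparison.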

Much like Y2K's shift on the eve of the new century from using two digits to four digits to track years in computer programs, the CVE switchover to longer identifiers is happening regardless of whether CVE's users have adapted to the new paradigm. Mitre has promised that by January 13, 2015, it will have tested at least one five-digit CVE -- and that might actually happen before the end of the year.

The problem Coley is wrestling with is that some organizations that use CVEs still don't know about the impending change and so haven't checked whether their software can handle the new identifier syntax.

"People are still surprised to hear about this syntax change," he said.

Some are on board, though, such as Oracle, Red Hat, IBM, Microsoft, Symantec, NIST, China's NSFocus, Security Tracker and CERT in the US, Japan and France.

"The big thing is," Coley said, that "time is running out, and we know stuff will break. I hope that things will break quietly."

Heartbleed may have been turned into a successful educational and warning campaign because of its ubiquity -- a fact that earned its CVE more than 30 times the traffic of the next top 10 CVEs combined. But without a universal, functional tracking system behind it, the people who fight security bugs may suddenly have a much harder time getting their job done.

Correction, September 18 at 2:40 p.m. PT: The story incorrectly stated the origins of the CVE database. The CVE was created in 1999 by Mitre, a not-for-profit group that runs numerous federally-funded research and development centers. Starting around 2000, funding for the CVE database bounced between several government agencies until landing permanently at the Department of Homeland Security.

Correction, 11:05 a.m. PT: The meaning of the acronym CVE has been fixed.