Authors: Charl van der Walt, Head of security research & Wicus Ross, Senior security researcher
One of the challenges faced by security teams is determining the relative urgency and importance of different patches and mitigations. An average of approximately 18,000 new vulnerabilities per year were recorded from 2016 up to and including 20221. Combined with the overwhelming backlog of legacy vulnerabilities and the multitude of vulnerabilities that emerge from misconfiguration and other factors, these issues represent an overwhelming burden on IT and Security teams.
Yet not all vulnerabilities are born equal. Some are more serious than others. Vulnerabilities have different impacts. Some have been weaponized with reliable exploits while others have not. Some require existing level of access to be exploited while others do not. The assets potentially impacted by missing patches and other vulnerabilities are also not all of equal value or importance.
Does this then mean that security teams have a myriad of factors to consider when prioritizing vulnerabilities? Is this overthinking the approach? Are priorities assigned based on the severity rating of the vulnerability or do we assign higher priority to vulnerabilities that are valued more by attackers? Knowing that crafty attackers can, given the opportunity, leverage a mundane vulnerability on an endpoint then further develop their position to ultimately exploit other systems through lateral movement across the network if possible.
We will compare several proprietary datasets with known exploited vulnerabilities to determine potential exposure, thus making a case to prioritize exploited vulnerabilities, especially older vulnerabilities over newer vulnerabilities.
Patching intelligently
The notion of ‘Vulnerability Intelligence’ promises to enrich vulnerability reports with this additional information to assist security teams in determining what vulnerabilities need to be patched, and how urgently.
One valuable source of Vulnerability Intelligence is provided by the U.S. Cybersecurity and Infrastructure Security Agency or CISA, which keeps a catalog of vulnerabilities that are known to be exploited. It is officially referred to as the Known Exploited Vulnerabilities (KEV) Catalog. All U.S. Federal Civilian Executive Branch (FCEB) agencies must track the KEV Catalog and any vulnerability in the catalog must be patched by the required date. The KEV Catalog is freely available for download, indexed using the CVE ID, and at the time of writing contained more than 860 vulnerability entries. But one should note that it is primarily intended for US government agencies, and therefore might not perfectly reflect the priorities of civilian operations or organizations in other countries.
Similarly, a commercial group consisting of CSW, Securin, Cyware, and Ivanti published an analysis of vulnerabilities that are used by attackers to deploy ransomware. The report is titled ‘Ransomware Through the Lens of Threat and Vulnerability Management Index Update Q2 – Q3 2022’. Included in the report is a “Ransomware Index” that shows that the number of vulnerabilities exploited by operators and Initial Access Brokers grew from 310 in Q1 2022 to 323 in Q3 2022. The table listed below from Appendix B of that report will form part of this discussion as it contains their assessment of the Top 10 most exploited vulnerabilities:
CVE | Vendor | Product | Exploit Type | Probable Attack Vector |
Log4J | 175 products | |||
Atlassian | 3 products | |||
Microsoft | Exchange Server | |||
Microsoft | Exchange Server | |||
Microsoft | Exchange Server | |||
F5 | 16 products | |||
Microsoft | 10 products | |||
Fortinet | FortiOS | |||
Microsoft | 13 products | |||
Microsoft | Office |
Ransomware Index Top 10 most exploited vulnerabilities, Q2-Q3 20224
Remote Code Execution | Path Traversal | Elevation of Privilege | Network |
An examination of these vulnerabilities reveals a variety of different attack scenarios:
It is not clear how the Ransomware Index Top 10 was calculated, but we assume it is based on collected telemetry and information obtained from incident response teams.
We took our own vulnerability datasets extracted from the World Watch Advisories, Vulnerability Operations Center (VOC) scanning data, and Penetration Testing reports to determine the extent to which the Ransomware Index Top 10 and the KEV Catalog features in what we observe and report on our client’s estates.
If these are the most serious and urgent vulnerabilities we know about, how often are we warning our clients about them, and encountering them on our clients’ systems?
Our World Watch service works on behalf of the customer to collect, analyze, prioritize, contextualize and summarize the essential threat and vulnerability data customers need to make informed decisions. The Orange Cyberdefense Computer Emergency Response Team (CERT) analyses information from public and partner sources that is enriched with our proprietary threat intelligence. The information is triaged to determine accuracy, significance, relevance, and risk level before being shared to our clients.
Our World Watch Advisories covered 8 of the 10 Ransomware Index Top 10 CVEs during the period October 2021 to September 2022.
The Log4J vulnerability, CVE-2021-44228, was mentioned in 6 World Watch Advisories or updates. At the time, the flaw was considered extremely serious. Security professionals were convinced that this flaw, if left unpatched, could result in devastating breaches.
The vulnerabilities not covered by our World Watch Advisories are CVE-2020-5902 - a remote code execution vulnerability in the Traffic Management User Interface (TMUI) of F5 BIG-IP - and a remote code execution vulnerability in the Microsoft VBScript Engine, tracked as CVE-2018-8174. We opted not to publish advisories containing explicit references to these CVEs.
When comparing vulnerabilities mentioned in the World Watch Advisories with the full KEV Catalog we see a slightly different story, but with familiar elements. Bear in mind that the KEV Catalog has over 860 entries at the time of writing, so we are sampling across a much larger set.
Our CERT team warned customers of 95 of the 860+ vulnerabilities that appear in the KEV Catalog, the first ten of which are shown above. Log4J was discussed the most, as already mentioned.
The second highest number of mentions is a tie between a remote code execution vulnerability impacting Microsoft MSHTML (CVE-2021-40444), a vulnerability in Atlassian Confluence (CVE-2022-26134), and a vulnerability impacting the Microsoft Windows Support Diagnostics Tool (CVE-2022-30190).
Six of the 10 vulnerabilities mentioned here overlap with the Ransomware Index Top 10. These are CVE-2021-44228, CVE-2022-26134, CVE-2017-11882, CVE-2021-31207, CVE-2021-34473, andCVE-2021-34523.
Now let’s consider the occurrence of the Ransomware Index Top 10 CVEs in the findings recorded in our VOC scanning data for October 2021 to September 2022.
On the assumption that our vulnerability scanners have a reasonable chance of detecting these vulnerabilities, we’re asking whether we ever identify these issues on client estates.
We only see half of the potential Ransomware Index Top 10 vulnerabilities reported in the sample of client assets we examined.
Ransomware Index Top 10 Vulns reported on client assets in a subset of OCD VOC Scanning Data
Percentage of Assets impacted by vulnerabilities listed in Ransomware Index Top 10
Looking at the number of impacted assets, we see that the Microsoft vulnerabilities CVE-2017-11882, CVE-2018-8174, and CVE-2017-0199 impacts the most assets of all the vulnerabilities listed in the Ransomware Top 10. The Log4J vulnerability, CVE-2021-44228, still looms close to the forefront. Comparably the Atlassian Confluence Server vulnerability impacts a handful of assets compared to the first four present on assets scanned.
When cross-referencing the VOC scanning data with the 860+ entries in the full KEV Catalog, we see a rather different picture: Microsoft vulnerabilities dominate the first 20 records, as pictured below. We also observe a large chunk of Cisco IOS vulnerabilities relating to an SNMP flaw in the assets we scanned.
The table lists the descriptions of the relevant vulnerabilities related to the VOC/KEV Catalog chart.
CVE | Impact | Exploit Type | Probable Attack Vector |
Windows Common Log File System Driver | |||
Microsoft Windows Support Diagnostic Tool (MSDT) | |||
Simple Network Management Protocol (SNMP) subsystem of Cisco IOS | |||
Simple Network Management Protocol (SNMP) subsystem of Cisco IOS | |||
Simple Network Management Protocol (SNMP) subsystem of Cisco IOS | |||
Simple Network Management Protocol (SNMP) subsystem of Cisco IOS | |||
Simple Network Management Protocol (SNMP) subsystem of Cisco IOS | |||
Simple Network Management Protocol (SNMP) subsystem of Cisco IOS | |||
Simple Network Management Protocol (SNMP) subsystem of Cisco IOS | |||
Cisco IOS and Cisco IOS XE | |||
Windows CSRSS | |||
Active Directory Domain Services | |||
Windows LSA | |||
Windows Common Log File System | |||
Windows User Profile | |||
NET Framework, SharePoint Server, and Visual Studio | |||
Windows COM+ Event System | |||
Windows Print Spooler Elevation of Privilege Vulnerability | |||
Windows | |||
Windows Print Spooler |
First 20 Vulns found when comparing vulns in VOC with the KEV Catalog
Remote Code Execution | Path Traversal | Elevation of Privilege | Network | Authentication Bypass | Denial of service | Local |
As we can see the top 20 vulnerabilities discovered by the VOC in terms of the KEV is dominated by two enterprise vendors namely Microsoft and Cisco. Microsoft products are very popular, and any vulnerability in a core Microsoft product will quickly result in many reported vulnerabilities.
The chart below also includes the Log4J vulnerability, CVE-2021-44228, tacked on to show its relative impact. There are at least 10 other KEV vulnerabilities we reported at VOC clients more often than Log4J.
Top 10 KEV CVEs with Log4J Vuln impacting percentage of VOC clients
A more useful perspective, perhaps, is to consider: At how many clients did we see vulnerabilities in the KEV catalog reported. We can search a sample of vulnerability scan reports for a significant subset of our clients to determine how frequently vulnerabilities in the KEV are reported on client assets. We note that this is a limited sample biased by the obvious fact that these clients have implemented robust, professional vulnerability management programs, and would thus not be fully representative of the entire cyberspace.
This perspective is reflected below:
Distribution of KEV CVE across our scanning client base
The chart above depicts what proportion of the KEV catalog has been reported across our client base between October 2021 and September 2022. The Y-axis reflects a proportion of KEV, while the X-axis reflects the proportion of the clients we sampled.
The resulting distribution is illustrated above. An examination of this data reveals the following:
Are our penetration testing teams exploiting these vulnerabilities?
When we compare the Top 10 vulnerabilities from the Ransomware Index with the vulnerabilities reported by our Penetration Testing teams (represented by a sample of 1,400 test reports we analyzed), the only vulnerability in common between the two is the Log4J vulnerability (CVE-2021-44228), and that was only reported once.
The three Microsoft vulnerabilities; (CVE-2018-8174, CVE-2017-0199, and CVE-2017-11882), for example, are potentially suited to phishing attacks, which is often considered out of scope of ‘traditional’ penetration testing engagements.
Comparing the vulnerabilities in the penetration testing dataset with the much larger KEV Catalog, we observe a small number of vulnerabilities shared across the datasets:
CVE | Impact | Exploit Type | Probable Attack Vector |
Microsoft Remote Desktop Protocol | |||
Microsoft Windows SMB | |||
Microsoft Windows SMB | |||
F5 BIG-IP | |||
Microsoft Server Active Directory | |||
Microsoft Server Active Directory | |||
Log4J |
Remote Code Execution | Elevation of Privilege | Network |
These vulnerabilities are therefore being listed in the KEV catalogue and being exploited by our analysts during penetration tests. Here’s what we see:
Once again, we can determine how frequently vulnerabilities in the KEV are reported at our clients, this time in penetration testing reports. We note again that, because these clients have robust, professional vulnerability management programs, our sample is biased and not necessarily representative of the entire Internet.
The chart above is based on an examination of a sample of 1,400 test Penetration Test reports that we analyzed. Each colored series reflected in the legend reflects a proportion of our sample client base, while the size of the segment in the pie reflects the proportion of the KEV observed.
The following very small numbers emerge:
This is rather surprising, as one would think the list presents prime vulnerability candidates for penetration testing teams to exploit. Exposed services such as Atlassian Confluence Server, Microsoft Exchange, Fortinet FortiOS devices, and F5 TMUI would be easy pickings for our testers. It appears that we are simply not encountering vulnerable versions of these platforms within the scope of the tests we sampled, or that exploiting these vulnerabilities is being precluded by the test scope.
At the 44Con security conference in London in 2011, a security researcher called Haroon Meer delivered a presentation titled ‘Penetration Testing considered harmful’.