Monthly Vulnerability Review – February 2020

Flexera

Summary:

373 advisories were issued for 62 unique vendors, covering 310 products and 390 unique versions, alongside 84 rejected advisories. Secunia Research helps security teams cut through the clutter of the noisy vulnerability space.

A zero-day vulnerability in Google Chrome was reported on February 24th.

IBM was the vendor with the most vulnerabilities, in Tivoli, WebSphere, DB2, and Java, among others.

Microsoft slipped back into the top 10 vendors with the most advisories.

Linux-based operating systems were once again among the operating systems with the most advisories.

7 instances of the Trident exploit exploiting vulnerabilities in Remote Desktop on Microsoft operating systems.

Zero-Day

There are many misconceptions about the definition of a zero-day in the security industry. The most widely accepted definition, and the one used by Secunia Research, is "a vulnerability that is being actively exploited on or before the day of its public disclosure." A patch may or may not exist on the day of its disclosure.

A zero-day vulnerability in Google Chrome was disclosed on February 24th, three days after another Chrome patch. The patch for this vulnerability was available on the day of its public disclosure.

Call to Action

The patch for the zero-day is version 80.0.3987.122. Since then there has been another advisory for Google Chrome, so the latest patched version of Google Chrome is 80.0.3987.132 (at the time of publication).

Operating Systems:

  • 28 advisories affecting Red Hat Enterprise Linux 6,7,8
  • 32 advisories for Ubuntu 12.04, 14.04, 16.04 and 18.04
  • 33 advisories for SUSE Linux Enterprise Linux Server (SLE) version 11 through 15
  • 20 advisories for Oracle Linux 6 and 7, and one advisory for Linux Solaris
  • 17 advisories for Debian 10.x and GNU/Linux 9.x
  • 16 advisories for CentOS 6.x and 7.x
  • 12 advisories for Amazon Linux AMI and Amazon Linux 2
  • 1 advisory for each of the Microsoft client and server operating systems

Advisories by Vendors

[Chart: advisories by vendor]

Key Points

  • Almost all of the Linux/Unix-based operating systems were vulnerable.
  • Microsoft had 17 advisories and slipped back to 8th position. Out-of-band patches were issued for Microsoft Edge on February 7th and 26th.
  • IBM and Cisco are the only vendors in the top 10 list whose advisories do not affect operating systems.


Call to Action

  • Make sure to install the relevant patches from the Linux, Ubuntu, IBM, SUSE, and yum update repositories.
  • Do not only follow Patch Tuesday; also install the out-of-band patches for Microsoft products and browsers. The advisories for Microsoft Edge were highly critical and had a positive threat score.

Average Criticality per Vendor

With 5 being the highest criticality, the graph below shows the average criticality per vendor, sorted by the number of advisories.

[Chart: average criticality per vendor]

Advisories by Criticality

Secunia Research at Flexera categorizes the severity of vulnerabilities into five criticality levels, ranging from Extremely Critical to Not Critical. This helps executives, system administrators, and non-security staff quickly understand the gravity of an issue.

[Chart: advisories by criticality, including rejected advisories]

If we remove the rejected advisories, the criticality spread looks as shown below.

[Chart: advisories by criticality, rejected advisories removed] Legend: 1. Extremely Critical, 2. Highly Critical, 3. Moderately Critical, 4. Less Critical, 5. Not Critical

Count of Advisories versus Attack Vector

57.9% of vulnerabilities can be exploited remotely, which makes remediation efforts even more critical.

[Chart: count of advisories by attack vector] Legend: 1. Remote, 2. Local Network, 3. Local System

Advisories by Average CVSS Score

A CVSS score is a metric used to measure the severity of a vulnerability. It takes into account the attack vector, the complexity of exploitation, whether user interaction is required, and the impact if the vulnerability is successfully exploited.

CVSSv3 provides insight into the level of severity and criticality. It includes Base Score metrics, a Temporal Score, and an Environmental Score. Some parameters are constant and are provided by Secunia Research, while others can be adjusted to each organization's needs and the sensitivity of the affected asset.

CVSS 3 Score

  • Advisories with a low CVSSv3 score (under 4.0): 11 (2.86%)
  • Advisories with a mid-range CVSSv3 score (4-7): 152 (39.48%)
  • Advisories with a high CVSSv3 score (7-10): 222 (57.66%)

[Chart: advisories by CVSSv3 score range]

Here we rank the vendors by the average CVSS score of the vulnerabilities reported in their advisories.

[Chart: vendors ranked by average CVSS score]

Advisories by Solution

87% of vulnerabilities had a vendor patch available, while 3.2% had no fix and the same share had a vendor-suggested workaround.

[Chart: advisories by solution status]

Threat Score

Security teams have competing priorities, so patching or remediating everything is not possible. CSOs and CISOs have to make informed decisions to prioritize vulnerabilities and their limited resources based on risk. A detailed threat score helps security professionals make the right decision when faced with multiple vulnerabilities at the same time.

[Chart: advisories by threat score range]

  • Advisories with a positive threat score (1+): 188 (50.40%)
  • Advisories with no threat score (=0): 185 (49.60%)
  • Low-range threat score advisories (1-12): 156 (41.82%)
  • Medium-range threat score advisories (13-23): 23 (6.17%)
  • High-range threat score advisories (24-44): 7 (1.88%)
  • Critical-range threat score advisories (45-70): 1 (0.27%)
  • Very critical threat score advisories (71-99): 1 (0.27%)
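The CVSSv3 ranges listed under "CVSS 3 Score" and the threat score bands listed above are the two axes the review uses to bucket advisories, and the Threat Score section argues that prioritization has to combine them with exploitability rather than patch everything. The following Python is an added example (not Flexera's or Secunia Research's code) that encodes both sets of bands exactly as the review states them, computes the same kind of distribution over a small constructed set of advisories, and sorts those advisories into a patching order that puts actively exploited, remotely reachable issues first. The `Advisory` fields, the sample advisories, and the boundary choices (4.0 counts as mid, 7.0 as high, since the review only says "under 4.0", "4-7" and "7-10") are assumptions made for the example.

```python
from dataclasses import dataclass

# Threat score bands as listed in the review; bounds are inclusive.
THREAT_BANDS = [
    (0, 0, "none"),
    (1, 12, "low"),
    (13, 23, "medium"),
    (24, 44, "high"),
    (45, 70, "critical"),
    (71, 99, "very critical"),
]


def cvss_band(score):
    """Bucket a CVSSv3 score into the review's three ranges.

    Boundary handling is an assumption: 4.0 falls into "mid" and 7.0 into
    "high", because the review only states 'under 4.0', '4-7' and '7-10'.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSSv3 score out of range: {score}")
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "mid"
    return "high"


def threat_band(score):
    """Map an integer threat score (0-99) onto the review's named bands."""
    for low, high, name in THREAT_BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"threat score out of range: {score}")


@dataclass
class Advisory:
    sa_id: str            # hypothetical advisory id, not a real Secunia id
    product: str
    criticality: int      # 1 = Extremely Critical ... 5 = Not Critical
    cvss: float           # CVSSv3 score
    threat_score: int     # 0 = no known exploitation, 1-99 otherwise
    attack_vector: str    # "remote", "local network" or "local system"
    solution: str         # "vendor patch", "workaround" or "no fix"


def distribution(advisories, band_fn, attr):
    """Count advisories per band and return {band: (count, percent)}."""
    counts = {}
    for adv in advisories:
        band = band_fn(getattr(adv, attr))
        counts[band] = counts.get(band, 0) + 1
    total = len(advisories)
    return {b: (n, round(100.0 * n / total, 2)) for b, n in counts.items()}


def remote_share(advisories):
    """Percentage of advisories whose attack vector is remote."""
    remote = sum(1 for adv in advisories if adv.attack_vector == "remote")
    return round(100.0 * remote / len(advisories), 2)


def priority_key(adv):
    # Sort order, most urgent first: higher threat score (active exploitation),
    # then remote before local vectors, then lower criticality number
    # (1 = Extremely Critical), then higher CVSS as a tie-breaker.
    return (-adv.threat_score, adv.attack_vector != "remote",
            adv.criticality, -adv.cvss)


def prioritize(advisories):
    """Return the advisories in recommended remediation order."""
    return sorted(advisories, key=priority_key)


# Constructed sample data; product names echo the review, scores are made up.
SAMPLE = [
    Advisory("SA-A", "Google Chrome", 2, 8.8, 72, "remote", "vendor patch"),
    Advisory("SA-B", "Red Hat Enterprise Linux 8", 3, 6.5, 15, "remote", "vendor patch"),
    Advisory("SA-C", "Microsoft Windows Remote Desktop", 2, 7.5, 30, "remote", "vendor patch"),
    Advisory("SA-D", "Ubuntu 18.04", 4, 3.3, 0, "local system", "vendor patch"),
    Advisory("SA-E", "IBM WebSphere", 3, 5.4, 0, "remote", "no fix"),
    Advisory("SA-F", "SUSE Linux Enterprise Server 15", 4, 7.0, 5, "local network", "workaround"),
]

if __name__ == "__main__":
    print("CVSSv3 spread:", distribution(SAMPLE, cvss_band, "cvss"))
    print("Threat score spread:", distribution(SAMPLE, threat_band, "threat_score"))
    print("Remotely exploitable:", remote_share(SAMPLE), "%")
    for adv in prioritize(SAMPLE):
        print(adv.sa_id, adv.product, threat_band(adv.threat_score), adv.solution)
```

On the sample data the Chrome zero-day (threat score in the "very critical" band) sorts first, the Remote Desktop advisory second, and the two advisories with no threat score last, with the remotely reachable one ahead of the local one. Note that `solution` is deliberately not part of the sort key: an advisory with no fix still needs a mitigation decision, so it should stay visible at its risk-based position rather than sink to the bottom.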

Ransomware, Malware, and Exploit Kits:

5 instances of the Fallout exploit kit with CVE-2019-11135 in Oracle Linux, Red Hat Linux, SUSE, and CentOS.

4 instances of the Trident exploit in Microsoft Windows operating systems' Remote Desktop exploiting CVE-2020-0655, and 3 occurrences for CVE-2020-0660.

3 instances of MyKings botnet malware that can exploit CVE-2019-12418 in Avaya Call Management System, Oracle Solaris, and McAfee Web Gateway.

3 instances of the Mdrop Trojan horse affecting the Red Hat and Oracle Linux kernel (CVE-2019-17666).

1 instance of Satan malware exploiting CVE-2018-20843, affecting IBM Security Site Protector 3.x.

1 instance of Wcry ransomware exploiting CVE-2020-0618 in Microsoft SQL Server 2012, 2014, and 2018.

  • Historically linked to ransomware: 1 (1.04%)
  • Historically linked to malware: 23 (6.17%)
  • Linked to a recent cyber exploit: 46 (12.33%)
  • Related to historical cyber exploits: 162 (43.43%)
  • Included in penetration testing tools: 63 (16.89%)

Conclusion

Update and install operating system patches regardless of whether the system is Linux/Unix-based or a Microsoft operating system. Browsers are the most prevalent software with extreme exposure to malicious resources. Browsers should be kept up to date, and remediation efforts should not be delayed for monthly patch cycles. Deploy updates, upgrades, and patches wherever they are required, as soon as they are available.

A comprehensive information system is required to help prioritize remediation based on actual risk and exploit vector. A complete list of vulnerabilities, affected versions, criticality, threat score, and relevant patch information is available in the Software Vulnerability Research and Software Vulnerability Manager solutions from Flexera.

1 Comment

Moderator:

A great article, thank you! I really think the value of rejections is often overlooked, so I'm happy to see it called out here. Looking at NVD alone, we see the number of vulnerabilities continuing to rise year over year, but things aren't so bleak if you filter out the noise. When prioritizing patching efforts, the ability to focus only on what matters means a smaller, focused workload, which is incredibly valuable for teams struggling to mitigate vulnerabilities for a large portfolio of applications.