This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Monthly Vulnerability Review – July 2020

wmahmood
By Community Manager Community Manager
Community Manager

Summary

In July, Secunia research issued 674 advisories for 83 unique vendors in 361 products and 475 unique versions, while issued 97 rejection notice advisories. An increase of 34.5% advisories from the previous month.

A Zero-day vulnerability was reported in Cisco ASA firewall and FDA products.

Oracle overtook RedHat as a top vendor with most vulnerabilities.

The amount of browsers vulnerabilities and their relevant patches are Achilles’ heel of effective patch management.

Zero-Day

A vulnerability is reported in the web service system that allows remote access to Cisco ASA (Adaptive Security Appliance) – a network firewall and Cisco’s Firepower Threat Defence. An attacker can send a specially crafted HTTP request that can traverse the servers’ file system and also establish an SSL VPN or AnyConnect VPN session to the devices by impersonating another user. A lack of proper input validation causes it. There are reports of a publicly available exploit being used in targeted attacks.

 Cisco ASA 9.6 till 9.14 are affected. Secunia Research has issued SA96432, which has further details.

Call to Action

 

  • Cisco ASA running lower than 9.6 version should migrate to the latest supported software 9.6.4.42 or above.
  • Versions from 9.6 till 9.14 needs to update to latest versions as described here.  
  • Cisco FDA 6.2.2 till 6.6.0 are affected and should be updated to the latest fixed released versions as mentioned on the above link.

Operating Systems:

  • SUSE Linux   =  58
  • Amazon Linux  =  49
  • Ubuntu  =  37
  • Fedora  =  35
  • Oracle Linux  =  34
  • Red Hat Enterprise Linux =  28
  • CentOS Advisories  =  7
  • Microsoft OS Advisories  =  7

Top Vendors with the most Advisories

 

adv.png

Key Points

  • Oracle has taken over Red Hat as a top vendor with staggering 72 advisories.
  • Microsoft moved down to the 10th place with 24 advisories. 7 for its primary OSes. A highly critical advisory – SA96100 affecting Windows 10 and Server 2019.  Out of band patches were issued for Microsoft Edge Chromium.
  • Linux/Unix based Operating systems are among the top software with most vulnerabilities – as usual.  

Advisories for Browers

  • Microsoft Internet Explorer 9 & 11: 1 Advisory - Apply Microsoft Update as listed on the official site
  • Microsoft Edge (HTML Based - Legacy): 1 Advisory -  Update to the latest version as mentioned in the above link
  • Microsoft Edge (Chromium Based): 2 Advisories – Upgrade to 84.0.522.49
  • Google Chrome: 2 Advisories – Upgrade to 84.0.4147.125
  • Mozilla Firefox: 6 Advisories –  Update to version 68.11
  • Mozilla Thunderbird – 3 Advisories – Update to 68.11.

 

Advisories by Criticality

Secunia Advisory criticalities are further explained at this link.

 

Criticality.png

 

Advisories by Attack Vector.

65% of vulnerabilities can be exploited from remote, which makes the remediation efforts even more critical.

Attack.png

Advisories by Average CVSS Score

A CVSS score is a metric that is used to measure the severity of a vulnerability. CVSS3 specifications and the criteria details can be found at this link.

CVSS ranges from 0 to 10. 0 being the lowest and 10 being the highest score; the advisories spread is as below:

CVSS 3 Score

  • Advisories with Low CVSS3 under 4.0: 39  (5.79%)
  • Advisories with Mid CVSS3 range 4-7: 231 (34.27%)
  • Advisories with High CVSS3 range 7-10: 404 (59.94%)

 

CVSS.png

 

Advisories by Solution

 

Solution.png

 

 

Threat Score

An add-on by Software Vulnerability Research and Software Vulnerability Manager is Threat Intelligence. We give a score from 0 to 100 depending upon its severity, exploit availability, inclusion in penetration testing tools and the likelihood of being exploited. A detailed explanation of Threat Score calculation is available at this link.

Threat.png

 

  • Advisories with positive Threat Score (1+):            405 (60.09%)
  • None Threat Score SAIDs (=0):                                 269 (39.91%)
  • Low-Range Threat Score SAIDs      (1-12):               189 (28.04%)
  • Medium-Range Threat Score SAIDs   (13-23):       169 (25.07%)
  • High-Range Threat Score SAIDs     (24-44):             17 (2.52%)
  • Critical-Range Threat Score SAIDs (45-70):             14 (2.08%)
  • Very Critical Threat Score SAIDs  (71-99):               16 (2.37%)

Ransomware, Malware, and Exploit Kits:

 

  • Historically Linked to Ransomware:          10   (1.48%)
  • Historically Linked to Malware:                 79  (11.72%)
  • Linked to a Recent Cyber Exploit:              86  (12.76%)
  • Related to a Historical Cyber Exploits:      255 (37.83%)
  • Included in Penetration Testing Tools:     275  (40.80%)

 

Conclusion

 

The amount of reported vulnerabilities is on the rise. Linux/Unix based OS are most vulnerable. Browers patches are released from 3 to 6 times a month which makes patching effort quite tricky especially for Google Chrome and Mozilla Firefox. Zero days must be prioritized as a likelihood of an attack is very high.

A complete list of vulnerabilities affected versions, criticality, threat score, and relevant patch information are available in the Software Vulnerability Research and Software Vulnerability Manager solutions from Flexera.

‎Aug 10, 2020 06:11 PM