Monthly Vulnerability Review – May 2020

Flexera
Flexera
2 0 276

Summary

Secunia Research issued 448 advisories for 80 unique vendors in 253 products and 336 unique versions, and issued 76 rejected advisories. A 28% decrease in the total number of advisories from the previous month.

The number of updates for browsers is increasing—no Zero-day advisories in May.  

Secunia advisories combine vulnerabilities for the same products together for easy consumption and decision making. 76 advisories were rejected so that security teams can focus on the correct priorities.

Browsers

The frequency for Brower advisories and updates is growing each month and usually need multiple update cycles.

Two highly critical advisories were issued for Google Chrome. Similarly, two highly critical advisories for Mozilla Firefox each.

One advisory for Microsoft Internet Explorer 11.x and 9.x, and Mozilla Thunderbird.

Call to Action

Keep your browsers updated due to exposure.

  • Update Mozilla Firefox 75.x and 68.x ESR.
  • Update Google Chrome to the latest version.
  • Install the updates for Internet Explorer 11.x and 9.x that were shipped with Patch Tuesday.  

Operating Systems:

  • 21 advisories for Red Hat Enterprise Linux 6,7,8 and  44 advisories for Fedora 30 and 31.
  • 26 advisories for Ubuntu 14.04, 16.04 and 18.04
  • 45 advisories for SUSE Linux Enterprise Linux Server (SLE) version 11 through 15
  • 12 advisories for Oracle Linux 6 and 7.
  • 20 advisories for Debian 10.x and GNU/Linux 9.x.
  • 12 advisories for CentOS 6.x and 7.x.
  • 18 advisories for Amazon Linux AMI and 2.
  • 4 advisory for Microsoft Client and Server Operating systems. One for each Microsoft OS pair.  

Advisories by Vendors

 

1.png

 

Advisories by Criticality

Secunia Advisory criticalities are further explained at this link.

2.png

 

Count of Advisories versus Attack Vector.

A large proportion of vulnerabilities (68%) can be exploited from remote – usually the case.  

3.png

 

Advisories by CVSS Score

CVSS v3 is the industry standard to define the severity of the vulnerabilities, its exploitability, impact metrics, and environmental metrics.

4.png

 

Advisories by Solution Status

5.png

 

Threat Score

The criteria for Threat Score calculation are outlined at this link.

6.png

 

Ransomware, Malware, and Exploit Kits:

5 instances of kinsing , Loncom, and Mandrake with CVE-2020-6819 and CVE-2020-6820 related to Mozilla Firefox, ESR, Thunderbird, and Seamonkey.   Similarly, Amazon Linux, Fedora, CentOS has shipped updates for these software.

CVE-2020-1048 can be exploited by Stuxnet malware. Vulnerability results in the elevation of Privileges in Windows Print Spooler services in  Microsoft Windows Server 2019, 2016, 2012, 2008, and Windows 7, 8.1, and 10.                                     

 

  • Historically Linked to Ransomware:          7 (1.12%)
  • Historically Linked to Malware:                 50  (8.03%)
  • Linked to a Recent Cyber Exploit:              44 (7.06%)
  • Related to a Historical Cyber Exploits:      189 (30.34%)
  • Included in Penetration Testing Tools:     186  (29.86%)

Conclusion

The number of advisories decreased from the last month. However, the frequency of operating systems and browser patches is increasing.

A complete list of vulnerabilities affected versions, criticality, threat score, and relevant patch information are available in the Software Vulnerability Research and Software Vulnerability Manager solutions from Flexera.