Monthly Vulnerability Review – November 2019

Flexera

Summary

In November, Secunia Research issued 391 advisories covering 236 products and 311 unique versions from 70 unique vendors. This is a decrease of 12.8% from last month.

Google Chrome issued a zero-day advisory, which was dubbed the Halloween Night scare. There were also 2 advisories issued for Linux and IBM with vulnerabilities that are responsible for ransomware attacks.

90% of advisories had a solution on the day of publishing, which means vulnerability management solutions can help remediate these vulnerabilities almost immediately.

Here are the top vendors by the count of vulnerabilities.

Advisories by Vendors


Red Hat, SUSE and Amazon are among the top vendors that reported vulnerabilities in Linux-based operating systems, while Oracle Linux is in 6th place and Microsoft is in 9th place with 13 advisories. The notion that Microsoft has the most vulnerable products has changed over time: open source vendors have taken over as the top vendors with the most vulnerabilities.

With 5 being the highest criticality, the graph below shows the average criticality per vendor, sorted by the number of advisories.

[Graph: average criticality per vendor]

Advisories by Criticality

November had only 2 extremely critical vulnerabilities. Google Chrome issued an urgent patch, version 78.0.3904.87, on Halloween night, which resulted in Secunia Advisory SA91892. The other extremely critical advisory was attributed to Microsoft Internet Explorer versions 9, 10 and 11, for which the relevant Microsoft KBs were issued on Microsoft Patch Tuesday.


1. Extremely Critical, 2. Highly Critical, 3. Moderately Critical, 4. Less Critical, 5. Not Critical

Count of SAID versus Average CVSS 3 score

As usual, most vulnerabilities can be exploited remotely, which makes remediation efforts even more important.


Advisories by Average CVSS Score

The Common Vulnerability Scoring System (CVSS) is a common industry standard for rating the severity of vulnerabilities. Scores range between 10 and 0, with 10 being the highest. The CVSS standard is currently at version 3.


Advisories by Solution

90% of vulnerabilities had a solution, while 89.5% of vulnerabilities had a patch on the day the advisory was released.


Threat Landscape

The new feature in the Software Vulnerability Research and Software Vulnerability Management solutions helps our customers prioritize remediation based on an accurate view of the threat landscape. There were a couple of vulnerabilities with a very high threat score. Google Chrome and Internet Explorer were among the software with the highest threat score.

SAIDs with positive Threat Score (1+): 223 (57.03%)

None Threat Score SAIDs (=0): 168 (42.97%)


Low-Range Threat Score SAIDs (1-12): 180 (46.04%)

Medium-Range Threat Score SAIDs (13-23): 37 (9.46%)

High-Range Threat Score SAIDs (24-44): 4 (1.02%)

Critical-Range Threat Score SAIDs (45-70): 1 (0.26%)

Very Critical Threat Score SAIDs (71-99): 1 (0.26%)

Ransomware, Malware, and Exploit Kits

CVE-2019-11043 in Red Hat Collection was linked to ransomware, while IBM Security QRadar SIEM 7.x had CVE-2018-12130, linked to historical ransomware, and CVE-2019-1125, linked to recent cyber exploits, malware, and ransomware exploits.

Historically Linked to Ransomware: 2 (0.51%)

Historically Linked to Malware: 30 (7.67%)

Linked to Recent Cyber Exploits: 95 (24.30%)

Linked to Historical Cyber Exploits: 187 (47.83%)

Linked to Penetration Testing Tools: 66 (16.88%)

CVSS 3 Score


SAIDs with Low CVSS3 score >= 4.0: 25  (6.39%)

SAIDs with Mid CVSS3 range 4-7: 146 (37.34%)

SAIDs with High CVSS3 range 7-10: 220 (56.27%)

Conclusion

November saw fewer advisories issued than in past months, while Google Chrome and Internet Explorer vulnerabilities stole the headlines. Many enterprises were caught off guard by the Google Chrome zero-day advisory during the holiday period. Vulnerabilities in open source operating systems, mainly Linux, and in other software are on the rise, while Microsoft vulnerabilities are declining. Microsoft follows its Patch Tuesday religiously, which helps enterprises devise an effective patch management strategy for their Microsoft estate, while third-party patch management remains the Achilles' heel for most enterprises.