Third Party Thursday: monthly vulnerability trends

Flexera

June has been the hottest month both in Europe and around the world since 1880. The heatwaves we have seen are more frequent and more severe than climate change models have predicted. Geert Jan van Oldenborgh of the Royal Netherlands Meteorological Institute said:

“If the observed trend in heatwaves continues, [even] at the Paris goal of 2C of warming a heatwave like this will be the norm in June. Both observations and models show a strong trend towards stronger heatwaves. However, the observed trend is stronger than the modeled one, and we do not yet know why.”

What does climate change have to do with software vulnerabilities? Well, similarly to climate change, global hacking campaigns and the exploitation of software vulnerabilities by malicious actors and nation-states have become increasingly severe and, certainly, more unpredictable than ever before.

In the previous blog release, I looked in detail at several high-profile vulnerabilities that continue to represent a potential danger to millions of users and devices to date. These high-profile flaws were just a handful of the vulnerabilities reported by Flexera in May 2019. Hundreds of other security vulnerabilities did not get the same attention, but in reality, those issues are just as important to patch.

We have previously mentioned that hackers will often target the least expected vulnerabilities because this allows them to stay under the radar. We saw concrete examples of vulnerabilities that are often overlooked, yet have been successfully exploited in hacking campaigns by malicious actors.

Threat Intelligence module data shows that nearly half of the security advisories publicized by Secunia Research each month disclose vulnerabilities that have an exploit code available before their official public disclosure. 

At least half of the new advisories issued each month that carry a positive threat score are identified by Flexera with low or moderate criticality ratings and low or moderate CVSS scores. This creates significant unpredictability and uncertainty for every vulnerability team defending a network: it is hard to figure out which vulnerability might be targeted next.

Every month, hundreds of new software security flaws add pressure to security teams, to the point where it becomes physically impossible for small and medium-sized teams to handle every flaw in accordance with accepted regulatory compliance requirements. Organizations can no longer cope with the volume of vulnerabilities on time, and exposure time grows accordingly.

To cope with the ever-increasing severity and exploitation unpredictability, every organization must consider investing into a vulnerability management solution that provides perfectly accurate tracking and full visibility of each software vulnerability that is reported publicly every day.

To increase their chances, businesses must build a prioritization system that can deliver proper remediation of software vulnerabilities before there is any chance of them being exploited. The solution the business invests in must be able to:

  • cut through the noise caused by hundreds of new software flaws reported every month by discarding (rejecting) invalid or unrealistic vulnerabilities from your priority lists
  • provide direct visibility of the issues that have been identified as having exploit code available

Flexera offers two separate products that fit that description and purpose. Both Software Vulnerability Research (SVR) and the Software Vulnerability Manager 2019 (SVM 2019) have been designed with these capabilities in mind. Both solutions can be enabled with Threat Intelligence and can deliver Secunia Research vulnerability intelligence in real-time. 

The SVR solution can also report solely on "Rejected Advisories" – security issues reported by other vendors that did not pass the Secunia Research vulnerability validation against best security practices and realistic exploitation mechanisms. "Rejected Advisories" are a significant tool in your arsenal for discarding vulnerability information from unknown or unverified sources and focusing on verified intelligence.

Monthly Vulnerability Overview

Now, let's look at a summary of the software vulnerabilities reported through Flexera from May 24 to June 27. I'll take a slightly different approach in analyzing the statistics to provide an alternative point of view and, hopefully, an analysis that is helpful.

Flexera issued a total of 384 new Secunia Advisory IDs (SAIDs). Out of those, 197 security advisories report on multiple software vulnerabilities each. 

[Figure: A sample graph showing some of the new vulnerabilities reported by Flexera]

The "Rejected Advisory" status has been assigned to 92 Secunia Advisories. This number illustrates the large amount of unverified and insignificant vulnerability reports that are published online. For the period I tracked, this number represents 24% of the 384 confirmed SAIDs. We will not count "Rejected Advisories" any further in this blog; this information is only provided here for you to draw your own conclusions.

Here is a breakdown of the criticality ratings assigned to 384 security advisories: 

  • Extremely Critical = 2 SAIDs
  • Highly Critical = 69 SAIDs
  • Moderately Critical = 154 SAIDs
  • Less Critical = 106 SAIDs
  • Not Critical = 53 SAIDs

If we sum all the CVSS scores of all SAIDs in this period, we will get a Total CVSS score of 2748.

Divided by 384, this makes an average CVSS score of 7.6 per unique advisory. That is a pretty high average considering that more than one-third of all advisories are identified with low criticality ratings. In the following pie chart, we can see a breakdown of the total CVSS score across the various criticality ratings, where Moderately Critical holds 42.54% of the total CVSS score via 154 new advisories identified with this rating.

[Figure: Criticality Rating shares measured by the sum of their CVSS scores]

Next is the overall summary of the various threat scores assigned to the 384 total advisories. In total, 178 SAIDs have Threat Score 0, meaning that there is no known exploit code for issues disclosed through these advisories.

The remaining 53.7% have a positive threat score, meaning that each of the 206 SAIDs with a threat score discloses vulnerabilities that have evidence of exploitation. The next pie chart displays the share of each threat score.

[Figure: A breakdown of the share of each Threat Score based on the 206 SAIDs that include evidence of exploitation]

We compared the summed CVSS score of the 384 advisories against their Attack Vectors and Criticality Ratings. This provides an easy-to-understand graphic of the share of each Attack Vector within each Criticality Rating range, measured against the total CVSS score.

[Figure: Attack Vector analysis within each Criticality Rating range, measured by the sum of their CVSS scores]

Furthermore, 250 out of 384 advisories (65.1%) have been identified with the “From Remote” attack vector. In the past two Third Party Thursday periods, this equaled 55.1% for May and 60.6% in April. We can see in the previous graph that 5/6 of the advisories in the moderate range included the "From Remote" attack vector.

The Moderately Critical rating is assigned to the majority of new advisories each month. According to Threat Intelligence data, more vulnerabilities are being exploited in the CVSS range between 4 and 7, where most of the moderate advisories normally reside. That is a good example of why prioritizing only Highly Critical and Extremely Critical vulnerabilities can turn into a very bad practice in the long run.
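To make the argument concrete, here is an added illustration (not Flexera's code or scoring model) of the two policies side by side: a criticality-only filter versus a ranking that puts exploitation evidence first. The field names, the `Advisory` record and the sample advisories are constructed for this example; a real Threat Score would come from Threat Intelligence.

```python
"""Prioritization example: exploitation evidence first, criticality second.

Added illustration, not Flexera's code. The record layout and the sample
advisories are constructed; the page does not publish real Threat Scores.
"""
from dataclasses import dataclass

CRITICALITY_RANK = {
    "Extremely Critical": 4, "Highly Critical": 3,
    "Moderately Critical": 2, "Less Critical": 1, "Not Critical": 0,
}

@dataclass(frozen=True)
class Advisory:
    said: str            # Secunia Advisory ID (constructed, e.g. "SA-TEST-1")
    criticality: str     # one of the five Secunia criticality ratings
    cvss: float          # CVSS base score
    threat_score: int    # 0 = no known exploit code, > 0 = exploitation evidence
    attack_vector: str   # "From Remote", "From Local Network" or "Local System"

def critical_only(advisories):
    """The practice the post warns against: patch only the top two ratings."""
    return [a.said for a in advisories if CRITICALITY_RANK[a.criticality] >= 3]

def prioritize(advisories):
    """Rank so that any advisory with exploitation evidence outranks any without,
    then by criticality, then prefer remotely reachable issues, then by CVSS."""
    def key(a):
        return (a.threat_score > 0, CRITICALITY_RANK[a.criticality],
                a.attack_vector == "From Remote", a.cvss)
    return [a.said for a in sorted(advisories, key=key, reverse=True)]

def missed_by_critical_only(advisories):
    """Exploited advisories that a criticality-only policy never reaches."""
    chosen = set(critical_only(advisories))
    return [a.said for a in advisories if a.threat_score > 0 and a.said not in chosen]

# Constructed sample shaped like the period's mix: mostly moderate, some exploited.
# SA-TEST-6 plays the WannaCry-style role: moderate, local-network vector, exploited.
SAMPLE = [
    Advisory("SA-TEST-1", "Highly Critical", 8.8, 0, "From Remote"),
    Advisory("SA-TEST-2", "Moderately Critical", 6.5, 13, "From Remote"),
    Advisory("SA-TEST-3", "Moderately Critical", 5.9, 0, "From Local Network"),
    Advisory("SA-TEST-4", "Less Critical", 4.3, 7, "From Remote"),
    Advisory("SA-TEST-5", "Extremely Critical", 9.8, 40, "From Remote"),
    Advisory("SA-TEST-6", "Moderately Critical", 7.0, 13, "From Local Network"),
]

if __name__ == "__main__":
    print("critical-only :", critical_only(SAMPLE))
    print("threat-aware  :", prioritize(SAMPLE))
    print("left exposed  :", missed_by_critical_only(SAMPLE))
```

On the sample, the criticality-only policy patches two advisories and leaves three exploited ones (two of them Moderately Critical) unaddressed, which is exactly the gap the Threat Intelligence data points to.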

To illustrate the impact, let's remember the WannaCry ransomware attack in mid-2017, which exploited moderate SMB vulnerabilities with a Local Network attack vector. The result of overlooking that vulnerability was devastating for hundreds of businesses and shocking to the whole world.

[Figure: CVE-2017-0144 Criticality Rating example]

Vendor & Advisory Prioritization

Secunia Research assigned Zero-Day advisory status to SA89600 [Drupal], SA89164 [Mozilla Firefox/ESR] and SA89596 [Waterfox]. The last two had been linked to recent cyber exploits, malware, remote access Trojans and penetration tools. It is imperative to patch these two extremely critical issues immediately.

In this period, Flexera assigned the following 15 SAIDs to various Microsoft products, which also cover the vulnerability disclosures around the regular monthly Patch Tuesday.

[Figure: All Secunia Advisory IDs for Microsoft products by Flexera, fetched through the SVR public APIs]

A total of 159 new SAIDs have been issued for Unix-based vulnerabilities, for the following Linux flavors:

  • Linux Kernel: 4 SAIDs
  • Ubuntu: 38 SAIDs
  • SUSE: 10 SAIDs
  • Debian: 19 SAIDs
  • Red Hat Linux: 25 SAIDs
  • Amazon Linux: 13 SAIDs
  • Alpine Linux: 6 SAIDs
  • CentOS: 8 SAIDs
  • Oracle Linux/Solaris: 35 SAIDs
  • Gentoo: 1 SAID

In the commonly used third-party software space, there have been four security advisories issued for Apple, three for Google (including Android OS), four for Mozilla, and two new SAIDs for Adobe.

In the big-tech space, IBM has 58 new advisories, Cisco has 23 new SAIDs, while Oracle Corporation had a handful of advisories for their WebLogic and VM servers (excluding Oracle Linux/Solaris SAIDs).

Final Prioritization List

The following list of advisories is my recommendation for customers to patch immediately. 

If you happen to maintain any of the software mentioned in this list, consider that this software carries an imminent danger to your network. I have hidden the actual Threat Scores from this list to protect our intellectual property, but you can easily identify them by enabling Threat Intelligence in your account.

[Figure: Recommended final prioritization list based on multiple vulnerability factors and Threat Intelligence scores]

NOTE: The Third Party Thursday blog posts are provided for informational and educational purposes and for raising general awareness. We recommend organizations perform prioritization based on their business policies, their compliance requirements and their internal vulnerability management policies. 

2 Comments
Flexera

This is great information!

Flexera

To subscribe to the monthly vulnerability review blog, simply click on the "Monthly Vulnerability Reviews" label under the blog and then find "Subscribe" on the top-right corner of the page. Thank you in advance for doing so.

Senior Technical Support Engineer Cheshire