By Tenable Security Response Team
As uncertain times lead to a shift in how we work, identifying, prioritizing and addressing critical flaws that have been exploited in the wild is paramount.
We recently shared some insights into how the worldwide response to COVID-19 has expanded the attack surface for businesses. These insights, shaped by our own research and open-source intelligence, provide a glimpse into some of the key areas organizations need to address given the dynamics of a changing workforce.
With tens of thousands of vulnerabilities being discovered each year, homing in on the highest-risk issues is key.
The state of CVSS
The Common Vulnerability Scoring System (CVSS) is an industry-standard system used to provide valuable insight into the scope and severity of vulnerabilities. CVSS scores are typically assigned at the time a CVE is first published. However, they don’t always account for later changes to a vulnerability’s impact until much later.
For example, a vulnerability in the Pulse Connect Secure Secure Socket Layer (SSL) Virtual Private Network (VPN), identified as CVE-2019-11510, was originally assigned a CVSS score of 8.8 on May 9, 2019, resulting in the flaw being categorized as a high-severity vulnerability. However, despite the availability of a proof of concept for the vulnerability on August 21, 2019, the CVSS score was not updated to reflect the critical nature of the flaw until a month later on September 20, 2019.
Similarly, a vulnerability in the FortiGuard SSL VPN, identified as CVE-2018-13379, initially received a CVSS score of 7.5 on June 5, 2019. However, its CVSS score was not updated until September 19, 2019, a month after research about the flaw became publicly available on August 9 and after external attempts to identify the vulnerability in the wild, alongside CVE-2019-11510, were observed on August 22.
CVSS scores are a useful indicator of a vulnerability’s severity and should not be disregarded, but relying solely upon them to prioritize vulnerabilities for remediation can at times be problematic.
Prioritize patching these vulnerabilities
Through Tenable’s Predictive Prioritization, vulnerabilities are given a Vulnerability Priority Rating (VPR) that not only factors in CVSS, but also leverages a machine learning algorithm coupled with threat intelligence to prioritize vulnerabilities. To aid in protecting the expanding attack surface, we are providing the following list of the vulnerabilities our team and the data science team have identified as the most critical for organizations to patch along with their VPR.
Facilitating remote work
SSL VPN software like Pulse Connect Secure, FortiGate, GlobalProtect and Citrix Application Delivery Controller and Gateway is used by organizations to provide secure access to a company’s network. Several vulnerabilities have been discovered in these applications and they’ve been exploited in the wild by threat actors. Therefore, it is increasingly important that organizations using any of these SSL VPNs ensure they’ve been appropriately patched.
Additionally, Remote Desktop Services enables individuals to virtually connect to machines within the company’s environment as if they were physically present in front of the system. CVE-2019-0708, a remote code execution vulnerability in Remote Desktop Services, dubbed “BlueKeep,” is another flaw that received considerable attention because of its potential to facilitate the next “WannaCry” attacks. While such attacks never came to fruition, reports did emerge several months later that it had been exploited in the wild. Regardless, Remote Desktop in and of itself is an area organizations should be routinely monitoring for exploitation attempts, as well as identifying exposed RDP targets.
CVE | Product | CVSS v3.x | VPR* | Threat Intensity |
---|---|---|---|---|
CVE-2019-11510 | Pulse Connect Secure | 10 | 10 | Very High |
CVE-2018-13379 | FortiGate SSL VPN | 9.8 | 9.6 | Very High |
CVE-2019-1579 | Palo Alto Networks GlobalProtect | 8.1 | 9.4 | High |
CVE-2019-19781 | Citrix Application Delivery Controller and Gateway | 9.8 | 9.9 | Very High |
CVE-2019-0708 | Remote Desktop Services | 9.8 | 9.9 | Very High |
*Note: Tenable VPR scores are calculated nightly. This blog post was published on April 13 and reflects VPR scores at that time.
Vulnerabilities used in malicious emails and exploit kits
As cybercriminals have seized on COVID-19 fears, one of the most popular vulnerabilities leveraged in malicious documents has been CVE-2017-11882, a stack overflow vulnerability in the Equation Editor component of Microsoft Office. It has been a fixture in malicious email campaigns for years and will remain one of the common tools in the threat actor toolbox.
Another tool in the threat actor arsenal is the use of exploit kits, software designed by cybercriminals to fingerprint the presence of popular software applications on a victim’s machine and select the most appropriate vulnerability to exploit. While vulnerabilities in Adobe Flash Player, such as CVE-2018-15982 and CVE-2018-4878, have been a staple in several exploit kits, the pending end-of-life for Adobe Flash Player coupled with the shift toward HTML5 has forced some exploit kits to drop Flash Player vulnerabilities entirely and search for other vulnerabilities to utilize instead. CVE-2018-8174, a use-after-free vulnerability in the VBScript Engine, dubbed “Double Kill” by researchers because it corrupts two memory objects, is one such vulnerability that has become favored in exploit kits.
CVE | Product | CVSS v3.x | VPR* | Threat Intensity |
---|---|---|---|---|
CVE-2017-11882 | Microsoft Office | 7.8 | 9.9 | Very High |
CVE-2018-15982 | Adobe Flash Player | 9.8 | 9.9 | Very High |
CVE-2018-8174 | Internet Explorer (VBScript Engine) | 7.5 | 9.9 | Very High |
CVE-2018-4878 | Adobe Flash Player | 7.5 | 9.8 | Very High |
CVE-2017-0199 | Microsoft Office | 7.8 | 9.9 | Very High |
*Note: Tenable VPR scores are calculated nightly. This blog post was published on April 13 and reflects VPR scores at that time.
Other vulnerabilities exploited in the wild
For organizations using certain versions of Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, it is important to patch CVE-2018-0296, a denial-of-service flaw in the web interface of these devices that causes unexpected reloads. Cisco cautions that certain vulnerable versions of ASA won’t reload, but that an unauthenticated attacker could instead view sensitive system information on the device. At the end of 2019, reports emerged that exploitation attempts for this vulnerability had spiked.
Additionally, CVE-2019-0604, an improper input validation vulnerability in Microsoft SharePoint, the popular collaboration platform used for document storage and management, has been exploited in the wild since May 2019. Initially, this flaw was given a CVSSv3 score of 7.8. It was revised in June 2019 to an 8.8, and updated again in December 2019 to 9.8. If your organization uses Microsoft SharePoint, it is critical that this flaw gets patched.
CVE | Product | CVSS v3.x | VPR* | Threat Intensity |
---|---|---|---|---|
CVE-2018-0296 | Cisco ASA and Firepower | 7.5 | 8.8 | Very Low |
CVE-2019-0604 | Microsoft SharePoint | 9.8 | 9.4 | Low |
*Note: Tenable VPR scores are calculated nightly. This blog post was published on April 13 and reflects VPR scores at that time.
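The three tables above make the post’s central point concrete: a queue ordered by CVSS alone would defer CVE-2017-11882 and CVE-2018-8174 (7.8 and 7.5) behind CVE-2019-0604 (9.8), even though threat activity is the reverse. The following script, an added example rather than code from the post or from Tenable, loads the rows exactly as printed above and compares the two orderings. The ranking logic is a plain sort on the published numbers; it is not Tenable’s Predictive Prioritization algorithm, and the 9.0 cutoff for a “patch critical CVSS first” policy is an assumed threshold for illustration.

```python
"""Compare a CVSS-only patch order with a VPR/threat-intensity order for the
CVEs listed in the post. Rows are copied from the post's three tables (VPR as
of April 13). The scoring here is an illustration, not Tenable's VPR model."""
from dataclasses import dataclass

# Ordinal scale for the "Threat Intensity" column so it can be sorted on.
INTENSITY_RANK = {"Very Low": 0, "Low": 1, "Medium": 2, "High": 3, "Very High": 4}


@dataclass(frozen=True)
class Vuln:
    cve: str
    product: str
    cvss: float
    vpr: float
    intensity: str


# Data as published in the post's tables.
VULNS = [
    Vuln("CVE-2019-11510", "Pulse Connect Secure", 10.0, 10.0, "Very High"),
    Vuln("CVE-2018-13379", "FortiGate SSL VPN", 9.8, 9.6, "Very High"),
    Vuln("CVE-2019-1579", "Palo Alto Networks GlobalProtect", 8.1, 9.4, "High"),
    Vuln("CVE-2019-19781", "Citrix Application Delivery Controller and Gateway", 9.8, 9.9, "Very High"),
    Vuln("CVE-2019-0708", "Remote Desktop Services", 9.8, 9.9, "Very High"),
    Vuln("CVE-2017-11882", "Microsoft Office", 7.8, 9.9, "Very High"),
    Vuln("CVE-2018-15982", "Adobe Flash Player", 9.8, 9.9, "Very High"),
    Vuln("CVE-2018-8174", "Internet Explorer (VBScript Engine)", 7.5, 9.9, "Very High"),
    Vuln("CVE-2018-4878", "Adobe Flash Player", 7.5, 9.8, "Very High"),
    Vuln("CVE-2017-0199", "Microsoft Office", 7.8, 9.9, "Very High"),
    Vuln("CVE-2018-0296", "Cisco ASA and Firepower", 7.5, 8.8, "Very Low"),
    Vuln("CVE-2019-0604", "Microsoft SharePoint", 9.8, 9.4, "Low"),
]


def rank_by_cvss(vulns):
    """Highest CVSS first; ties broken by CVE id so the order is deterministic."""
    return sorted(vulns, key=lambda v: (-v.cvss, v.cve))


def rank_by_vpr(vulns):
    """Highest VPR first, then higher observed threat intensity, then CVE id."""
    return sorted(vulns, key=lambda v: (-v.vpr, -INTENSITY_RANK[v.intensity], v.cve))


def rank_shift(vulns):
    """Map CVE -> (cvss_rank, vpr_rank, shift). Positive shift = moves up the
    queue once threat intelligence is taken into account."""
    cvss_pos = {v.cve: i + 1 for i, v in enumerate(rank_by_cvss(vulns))}
    vpr_pos = {v.cve: i + 1 for i, v in enumerate(rank_by_vpr(vulns))}
    return {c: (cvss_pos[c], vpr_pos[c], cvss_pos[c] - vpr_pos[c]) for c in cvss_pos}


def cvss_only_misses(vulns, cvss_cutoff=9.0):
    """CVEs a 'patch CVSS >= cutoff first' policy would defer although threat
    intelligence rates their activity Very High. (Cutoff is an assumed value.)"""
    return sorted(v.cve for v in vulns
                  if v.cvss < cvss_cutoff and v.intensity == "Very High")


def cvss_only_overweights(vulns, cvss_cutoff=9.0):
    """CVEs at or above the cutoff that currently show Low or Very Low activity."""
    return sorted(v.cve for v in vulns
                  if v.cvss >= cvss_cutoff and INTENSITY_RANK[v.intensity] <= 1)


if __name__ == "__main__":
    print(f"{'CVE':16} {'CVSS#':>5} {'VPR#':>5} {'shift':>5}")
    for cve, (c, v, s) in sorted(rank_shift(VULNS).items(), key=lambda kv: kv[1][1]):
        print(f"{cve:16} {c:>5} {v:>5} {s:>+5}")
    print("Deferred by CVSS-only policy despite Very High activity:", cvss_only_misses(VULNS))
    print("Prioritized by CVSS-only policy despite low activity:", cvss_only_overweights(VULNS))
```

Running it shows CVE-2017-11882 climbing six places and CVE-2019-0604 dropping seven once VPR and threat intensity are used as the sort key, which is the gap between the two columns that the post is asking readers to act on.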
Navigating through a sea of uncertainty
With all the changes to how we work during these uncertain times, organizations need to understand how the attack surface shifts and how best to respond. Knowledge is power: understanding your risk means knowing what assets you have in your environment, and also having the insights needed to make risk-based decisions. Implementing a risk-based vulnerability management program within your organization can help you navigate through these uncharted waters.