The Danger of Unknown, Unpatched, and Miscategorized Open-Source Vulnerabilities
The profile of Common Vulnerabilities & Exposures (CVEs) has risen in recent years. Organizations now pay far more attention to them than they used to. Of course, there are still plenty of cases on record of companies getting hacked due to failing to patch a CVE from a year or more ago. There are endless examples of companies taking weeks and sometimes months to act on a high-priority CVE after it is issued.
Nevertheless, in the vast majority of cases, CVEs are given almost gospel-like status in organizations. Some build their security response programs largely around issued CVEs. For example, if a CVE has a rating of 7 or above in severity, companies tend to put it to the head of the queue, leaving lower priority patches to be deployed at a later date – or in many cases not at all.
There are numerous flaws in this mode of operation. Cybercriminals have grown wise to this tactic. Yes, hackers search carefully for endpoints and systems that have failed to deploy high priority patches to address CVEs – and they rub their hands in glee when they find yet another inattentive victim. But they also now mount multi-faceted attacks that take advantage of lower-priority flaws that they know are often ignored. Thus, they will launch a campaign simultaneously probing for higher priority and lower-priority CVEs that are unpatched. If only the lower ones are available, they can be used to gain a foothold into the enterprise from which they can exact further damage.
New Research Asserts Open-Source Threats Overrated
JFrog just announced another shortcoming in CVE-oriented security defense programs. Their researchers analyzed the top 10 most prevalent open-source software vulnerabilities in 2022. Their findings? The severity ratings of most CVEs for open-source systems were overrated.
Severity ratings within the National Vulnerability Database (NVD) follow this scoring rubric: Critical severity levels are graded between 9 and 10. High severity is 7 to 8.9. A Medium rating is between 4 and 6.9, and a Low rating goes up to 3.9. However, when JFrog researchers assessed the real-world impact of these vulnerabilities and applied contextual analysis to their evaluations, they found that many of the scores attributed to open-source bugs were overinflated. Since it takes roughly 246 days to remediate a security issue completely, they recommended that security teams only deploy resources on the vulnerabilities that actually matter.
According to the report, most of the open-source vulnerabilities evaluated were much harder to exploit than reported, and therefore were undeserving of a high NVD severity rating. Following the NVD ratings uncritically, therefore, can sometimes cause organizations to “waste valuable time and resources to mitigate a vulnerability that is extremely unlikely to have any real-world impact on their systems,” said the report.
At Syxsense, we found a very similar issue across our customer base. Many organizations focus on remediating and patching the most severe vulnerabilities, but often do not have the time to tackle the medium or low severity vulnerabilities. They were simply inundated with the most severe or highest-profile CVEs of the day. However, that did not mean that the lower-severity vulnerabilities weren’t relevant. In recent years, we have seen many medium or low severity vulnerabilities being exploited to gain an initial foothold into an enterprise.
This is why we developed a risk and prioritization rating based on an organization’s attack surface, its vulnerabilities, and its endpoint posture. The Syxscore leverages NIST and vendor severity assessments in relation to the health status of the endpoints in your environment. It’s a personalized evaluation of which devices are vulnerable and how critical each update is to the overall protection of your network, giving you the ability to target the endpoints that pose the most serious levels of risk.
While vulnerability severity scores can be helpful, they are simply another data point. What organizations really need is customized context, including the security posture of their endpoints and the existing security controls that can reduce the risk of a vulnerability.
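As an added illustration of the contextual prioritization argued for above (example code written for this edit, not Syxsense’s Syxscore or any vendor’s published formula): the NVD bands follow the rubric quoted earlier, while the exposure and mitigating-control weights and the inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass


def nvd_band(score: float) -> str:
    """Map a CVSS base score to the NVD severity band (rubric quoted in the text)."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


@dataclass
class Finding:
    endpoint: str
    cve: str                   # constructed placeholder ids, not real CVEs
    base_score: float          # NVD/CVSS base score
    internet_exposed: bool     # endpoint posture: reachable from outside
    mitigating_control: bool   # an existing control already reduces the risk


def contextual_priority(f: Finding) -> float:
    """Adjust the base score with endpoint context. Weights are an assumption
    chosen for illustration: exposure raises priority, isolation and existing
    controls lower it, and the result is capped at 10 like a CVSS score."""
    score = f.base_score * (1.5 if f.internet_exposed else 0.6)
    if f.mitigating_control:
        score *= 0.4
    return round(min(score, 10.0), 2)


def ranked_findings(findings):
    """Return findings ordered by contextual priority, highest first."""
    return sorted(findings, key=contextual_priority, reverse=True)


# Constructed inventory: a Critical on an isolated, controlled database host
# versus a Medium on an internet-facing web server with no compensating control.
SAMPLE = [
    Finding("db-internal-01", "CVE-EXAMPLE-0001", 9.8, False, True),
    Finding("web-edge-03", "CVE-EXAMPLE-0002", 5.3, True, False),
    Finding("web-edge-03", "CVE-EXAMPLE-0003", 7.5, True, True),
    Finding("laptop-042", "CVE-EXAMPLE-0004", 3.1, False, False),
]

if __name__ == "__main__":
    for f in ranked_findings(SAMPLE):
        print(f"{f.endpoint:15} {f.cve:17} {nvd_band(f.base_score):9} "
              f"base={f.base_score:<4} priority={contextual_priority(f)}")
```

Under these assumed weights the Medium-rated finding on the exposed web server ranks first, ahead of the Critical on the isolated database host, which is exactly the reordering that severity alone would never produce.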
Patching is the Key to CVE Remediation Success
Beyond context, patching is a critical component to managing vulnerabilities. Oftentimes, critical vulnerabilities will have patches released quickly – sometimes the same day that the vulnerability is made public. In these cases, keeping up is the most difficult part.
That’s why automation, inventorying, and patch deployment can eliminate long delays in patching programs. If you can constantly prioritize vulnerabilities with context based on your environment, patch the most important ones quickly, and validate that those patches have been applied appropriately, you will reduce your organizational risk and attack surface.