High-severity vulnerabilities are being identified in software faster than enterprise security teams can respond to them, according to a recent survey of application vulnerabilities that warned cybercriminals are targeting out-of-date software that is unlikely to be prioritised in software-patching exercises.
A review of the Common Vulnerabilities and Exposures (CVE) database, conducted as part of the recent Tenable Vulnerability Intelligence Report (VIR), found that 15,038 new vulnerabilities had been reported for the entirety of 2017, with the first half of this year showing a 27 percent increase over the year-ago period.
That rate of growth meant that more than 18,000 new vulnerabilities would likely be discovered this year – and with some 61 percent of discovered vulnerabilities rated as High severity, enterprise application managers must prioritise the patching of an average of 870 CVEs per day across 960 assets.
“Managing vulnerabilities is a challenge of scale, velocity and volume,” the report’s authors note. “It is not just an engineering challenge, but requires a risk-centric view to prioritise thousands of vulnerabilities that superficially all seem the same.”
Even if enterprises only address Critical-rated vulnerabilities – those given a severity score of 9.0 to 10.0 – they will still have dealt with more than 900 such vulnerabilities by year’s end, the firm’s analysis warned as it launched a Top 20 Vulnerabilities Chart highlighting the vulnerabilities most frequently seen in real-world network scans.
Some of them were application-specific, while others grew out of the continued use of antiquated protocols: for example, 27 percent of enterprises were still running services on the old and insecure SSLv2 and SSLv3 protocol versions.
Red Hat Enterprise Linux had the most high-risk vulnerabilities, with Oracle Linux and Novell SUSE Linux approximately even, and CentOS Linux nearly on par with Microsoft operating systems.
Mozilla’s Firefox browser had the highest percentage of high-severity CVEs, with Adobe and Google’s exposure also dominated by high-severity issues.
Rampant and persisting vulnerabilities don’t only pose a threat to the companies themselves: with cybercriminals aiming increasingly destructive attacks at sectors such as manufacturing and media organisations, unfixed vulnerabilities can leave companies not only compromised internally – but also used as a launch point for leapfrog attacks into affiliated companies.
Half of all attacks analysed in the recent Carbon Black Quarterly Incident Response Threat Report (QIRTR) involved such ‘island hopping’, and 30 percent of respondents had seen victim websites converted into ‘watering holes’, where a compromised organisation’s network is used to attack associated companies.
“This means that not only is your organisation’s data at risk,” the report warns, “but so is the data at your customers, partners and every other point in your supply chain.”
Common and pervasively installed tools were often providing attackers with the means to conduct lateral movement, Carbon Black found, with 89 percent of surveyed hackers citing PowerShell as useful in this way and 65 percent leveraging WMI.
The ubiquity of such tools was facilitating external compromises through commonly used applications, as measured by Tenable’s new Top 20 Vulnerabilities Chart.
The single most-common vulnerability was CVE-2018-8202, a .NET Framework elevation of privilege vulnerability that affects Microsoft applications – found in 32 percent of scanned enterprise environments.
Also found in at least 28 percent of scanned enterprises were a Google Chrome stack-based buffer overflow, a Microsoft Internet Explorer VBScript flaw, an Oracle Java DB flaw that can be used to gain elevated privileges, and a Microsoft .NET Framework vulnerability that can be used to bypass that platform’s Device Guard framework.