Vulnerability Management news and publications #1

Hello everyone! In this episode, I will try to revive Security News with a focus on Vulnerability Management.

On the one hand, creating such reviews requires free time, which could be spent more wisely, for example, on open source projects or original research. On the other hand, there are arguments in favor of news reviews. Keeping track of the news is part of our job as vulnerability and security specialists. And preferably not only headlines.

Alternative video link (for Russia): https://vk.com/video-149273431_456239095

I usually follow the news using my automated telegram channel @avleonovnews. And it looks like this: I see something interesting in the channel, I copy it to Saved Messages so that I can read it later. Do I read it later? Well, usually not. Therefore, the creation of news reviews motivates to read and clear Saved Messages. Just like doing Microsoft Patch Tuesday reviews motivates me to watch what’s going on there. In general, it seems it makes sense to make a new attempt. Share in the comments what you think about it. Well, if you want to participate in the selection of news, I will be glad too.

I took 10 news items from Saved Messages and divided them into 5 categories:

1. Active Vulnerabilities
2. Data sources
3. Analytics
4. VM vendors write about Vulnerability Management
5. de-Westernization of IT

Active Vulnerabilities****🔴 “CISA warns of hackers exploiting PwnKit Linux vulnerability (CVE-2021-4034)” by BleepingComputer

The Cybersecurity and Infrastructure Security Agency (CISA) has added a high-severity Linux vulnerability known as PwnKit to its list of bugs exploited in the wild. Unprivileged users can exploit this vulnerabilities to gain full root privileges on Linux systems with default configurations. Reliable proof-of-concept (PoC) exploit code has been shared online less than three hours after Qualys published technical details for PwnKit. It was January 25th. The vulnerability was found in the Polkit’s pkexec component used by all major distributions (including Ubuntu, Debian, Fedora, and CentOS). It has been hiding in plain sight for more than 12 years since pkexec’s first release in May 2009.

The US cybersecurity agency gave all Federal Civilian Executive Branch (FCEB) agencies three weeks, until July 18, to patch their Linux servers against PwnKit and block exploitation attempts. Even though this directive only applies to federal agencies, CISA also strongly urged all US organizations from the private and public sectors to prioritize patching this bug.

Well, it would be correct to say that not only the Americans should quickly patch this.

🔴 “Atlassian Confluence OGNL Injection Remote Code Execution (RCE) Vulnerability (CVE-2022-26134)” by Qualys

On June 02, 2022, Atlassian published a security advisory about a critical severity Unauthenticated Remote Code Execution vulnerability affecting Confluence Server and Data Center. According to the advisory, the vulnerability is being actively exploited and Confluence Server and Data Center versions after 1.3.0 are affected. In order to exploit a vulnerable server, a remote attacker can send a malicious HTTP GET request with an OGNL payload in the URI. The vulnerable server once exploited would allow the attacker to execute commands remotely with user privileges running the Confluence application.

To detect CVE-2022-26134, the detection sends HTTP GET request with a specially crafted OGNL payload to determine the vulnerability on the target Confluence application. The OGNL payload creates a custom HTTP response header containing the output of the system command executed on Linux and Windows systems. The detection also consists of a Qualys customized OGNL payload which is platform-independent, eliminating false positives and works irrespective of the host operating system by creating a custom HTTP response header with Qualys specified value.

In this detailed technical article, Mayank Deshmukh from Qualys describes OGNL Injection, RCE Payload, Exploit POC, Exploit Analysis and Source Code Analysis. If you are interested in how such vulnerabilities are exploited and detected, check out this article.

Data sources****🟠 “New Vulnerability Database Catalogs Cloud Security Issues” by DarkReading

Organizations traditionally have struggled to track vulnerabilities in public cloud platforms and services because of the lack of a common vulnerability enumeration (CVE) program like the one that MITRE maintains for publicly disclosed software security issues. A new community-based database launched this week seeks to begin addressing that issue by providing a central repository of information on known cloud service-provider security issues and the steps organizations can take to mitigate them.

The database — cloudvulndb.org — is the brainchild of security researchers at Wiz, who for some time have been advocating the need for a public catalog of known security flaws on platforms and services run by the likes of AWS, Microsoft, and Google. The database currently lists some 70 cloud security issues and vulnerabilities. Such as Azure Open Management Infrastructure (OMI) Elevation of Privilege, OMIGOD. Anyone is free to suggest new issues to add to the website or to suggest new fixes to existing issues.

It’s not clear if a separate database is really needed. It seems that all of these entries can be added as NVD CVEs. Moreover, many vulnerabilities in this database already have CVE IDs. But the initiative is good. It proves once again that MITRE and NVD have problems with coverage.

Analytics****🟢 “MITRE shares this year’s list of most dangerous software bugs (CWE Top 25)” by BleepingComputer

MITRE shared this year’s top 25 most common and dangerous weaknesses impacting software throughout the previous two calendar years. These bugs are considered dangerous because they’re usually easy to discover, come with a high impact, and are prevalent in software released during the last two years.

Let’s see what’s on top:

1 CWE-787 Out-of-bounds Write2 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')3 CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')4 CWE-20 Improper Input Validation5 CWE-125 Out-of-bounds Read6 CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Seems to be true, although ‘OS Command Injection’ could be higher. Well, we need to remember that CWE identifiers are assigned manually to vulnerabilities by some analysts and therefore there may be classification errors. But it’s still interesting.

🟠 “Cyberattacks via Unpatched Systems Cost Orgs More Than Phishing” by DarkReading

This article is based on research of Tetra Defense, a leading incident response, cyber risk management and digital forensics firm based in Madison, Wisconsin.

Attackers continue to find significant success targeting unpatched servers and vulnerable remote-access systems, researchers say — and these types of compromises cost victim organizations 54% more than compromises caused by user actions (i.e., falling for phishing and opening malicious documents).

According to a report by Tetra Defense, which analyzed incident data from the first quarter, unpatched vulnerabilities and exposing risky services—such as Remote Desktop Protocol (RDP)—account for 82% of successful attacks, while social-engineering employees to take some action accounted for just 18% of successful compromises. The article also mentions known vulnerabilities ProxyShell exploit for Microsoft Exchange servers, Log4Shell vulnerability in Java Log4j library.

Two controls — comprehensive patching and using multifactor authentication (MFA) — could have prevented nearly 80% of the investigated incidents.

Good point in the article: “Data on successful compromises can help companies determine the most critical attack vectors to address, but it should be noted that the conclusions depend greatly on the specific incident-response firm”. But the fact that MFA and patching is very important is true.

🔴 “Zero-Days Aren’t Going Away Anytime Soon & What Leaders Need to Know” by DarkReading

The article was written by Dan Schiappa, Chief Product Officer of Arctic Wolf, Security Operations company.

Both Google and Mandiant tracked a record number of zero-days last year. More zero-days are being discovered because security companies are getting better at finding them — not necessarily because hackers are coming up with new vulnerabilities. Not all zero-days are created equal. Some require sophisticated and novel techniques, like the attack on SolarWinds, and others exploit simple vulnerabilities in commonly used programs like Windows. Thankfully, there’s some basic cyber hygiene strategies that can keep your organization sufficiently prepared to mitigate zero-day exploits.

1. Ensure that the technology your organization has is sufficient for protecting from the unknown. Many zero-days may never hit a hard drive, so pointing threat detection tools there could be fruitless.
2. Patching is integral to protection against exploits. Staying on top of guidance from industry organizations like International Information System Security Certification Consortium (ISC)2 or federal authorities like the Cybersecurity and Infrastructure Security Agency is a good way to prioritize the exploit.
3. Zero-day exploits are those that the vendor doesn’t know exist, and therefore no patch is available. In some cases, protection technologies can use behavioral detections to block certain activities, while in other cases, using detection technologies or human expertise in a security operations center is the only defense. Investing in the human element of security will place an organization in the best position to limit the financial and data losses zero-days can incur.

While patching is proper preparation, the investment in trained security professionals, in-house or outsourced, is the best defense against zero-days.

In general, I agree with everything. My opinion: while critical known vulnerabilities are not fixed promptly, it is premature to think about Zero-Days. And of course, dealing with Zero-Days is primarily the task of the SOC.

VM vendors write about Vulnerability Management

I would like to start here with an article with a provocative title

🟡 “Why We’re Getting Vulnerability Management Wrong” by DarkReading

The article was written by Liran Tancman, CEO of Rezilion, a platform vendor that allows you to map, validate and eliminate software vulnerabilities.

Sometimes, too much information is a mixed blessing. Security teams use multiple vulnerability scanners in an attempt to cope with a significant rise in both attack surface diversity and software vulnerabilities. But they soon find themselves overwhelmed with results, which leads to a growing backlog of bugs that need to be fixed.

A recent analysis from RAND Corporation found no notable reduction of breaches in organizations with mature vulnerability management programs.

By the way, an interesting study, it would be right to give it a separate episode, I guess. Leave a comment if you’d like it.

Rezilion’s own runtime research analysis finds, on average, only 15% of discovered vulnerabilities are loaded into memory, which makes them exploitable. That means, on average, only 15% of flaws require priority patching — or patching at all.

Also an interesting topic that deserves a separate episode.

Rezilion conducted an analysis of 20 of the most popular container images. The findings showed more than 4,347 known vulnerabilities. 75% of those rated as critical or high in severity did not load to memory and posed no risk. Organizations can use runtime analysis to prioritize remediation of vulnerabilities. A vulnerability in a package that isn’t being loaded to memory can’t be exploited by an attacker.

This is a long-standing dispute: is it necessary to fix vulnerabilities in software that is not running at the moment? Well, usually the answer is yes, it is necessary. Because no one can guarantee that the software will suddenly not be launched. But if it is possible to identify vulnerabilities in software that is currently running or was launched not so long ago, then this is a good source of data for additional prioritization. Why not. It’s good that Rezilion highlights this.

🔴 “Risk-based Remediation Powered by Patch Management in Qualys VMDR 2.0” by Qualys

To tell the truth, I have long been interested in what’s new in Qualys Vulnerability Management, Detection and Response.

According to the recently released Verizon DBIR report, vulnerability exploitation continued to be one of the top three attack vectors exploited by bad actors in 2021 to break into organizations. As of this writing, it’s only June, but more than 10,000 vulnerabilities have already been disclosed in 2022, according to the National Vulnerability Database (NVD). As if that weren’t bad enough, the rate of increase of ransomware attacks last year was more than the last five years combined.

1. The resources required to patch all these vulnerabilities have not kept up with the pace at which vulnerabilities are disclosed and exploited.
2. The correct remediation path is not always straightforward. In some cases, patching a vulnerability can require deploying a patch, making a configuration change, or both.

All these introduce delays in the remediation process.

Qualys VMDR 2.0 introduces TruRisk scores that help organizations prioritize vulnerabilities based on risk ratings that weigh multiple factors such as exploit code maturity, exploitation in the wild, and multiple other factors that accurately measure risk.

In general, it looks like Tenable vulnerability priority rating (VPR). It’s probably generated the same way. But the technical details of TruRisk are not given here.

A key step in any remediation workflow is good communication between the vulnerability management (VM) team and the remediation team. However, these two teams use different products and different terminology. The VM team understands the risk and QIDs. The remediation team understands patches. Qualys maps the selected vulnerabilities to the right patches and configuration changes required to remediate them specific to the organization’s unique environment. For some assets, this entire process can be automated with VMDR 2.0. For example, a zero-touch automation job can be created to patch non-mission critical assets that will automatically execute as soon as a new vulnerability with a Qualys Detection Score >90 is detected.

Integrated Patch Management is Simply Faster. On average, organizations that use Qualys VMDR + Patch Management remediate vulnerabilities 35% faster than organizations that use separate tools. Even better, with some vulnerabilities the difference can be 63% faster with a combined solution.

I agree that the focus of the VM should be on Remediation and it’s good that Qualys is pushing this topic. Is there enough new features to call this update VMDR 2.0? I don’t think so yet. It seems that if Remediation were fully automated for 100% of the hosts (which requires a fundamentally different approach to functional testing after the patch), then it would be 2.0. But marketers of Qualys know better.

🟢 “Modern IT Security Teams’ Inevitable Need for Advanced Vulnerability Management” by Threatpost (sponsored by Secpod)

Today’s modern attack surface needs a next-gen, advanced vulnerability management approach to deal with the complex, ever-evolving attack surfaces and to curb cyberattacks. Why Conventional Vulnerability Management is not the Best-fit for Modern Security Landscape

1. Vulnerabilities beyond CVEs are overlooked. Numerous security risks exist like a poorly configured setting, asset exposures, deviation in security controls, missing security patches, and security posture anomalies.
2. Lack of integrated remediation controls. Most of the traditional vulnerability management tools in the market do not come with integrated patching to remediate vulnerabilities. Conventional vulnerability management solutions rely on multiple tools to execute each step, making it hard for IT security teams.
3. Siloed Interfaces and Multiple-point Solutions Approach. Conventional vulnerability management solutions rely on multiple tools to execute each step, making it hard for IT security teams.
4. Manual Methods and Repetitive Processes. Traditional Vulnerability management tools are still not fully automated.

And to overcome these issues, you need Advanced Vulnerability Management from Secpod. In general, the list of cons looks fair, and the fact that they pay attention to vulnerabilities in addition to CVEs seems to me very correct.

de-Westernization of IT

I have nothing against people or companies from Western countries. According to Google analytics, the majority of visitors to my avleonov.com blog are actually from the US (then India, China, and Russia). However, that’s how it goes. Some companies stop working in Russia because of the sanctions. And Russian information security specialists should take into account these risks, mitigate them and warn colleagues who may also face these problems.

Last week there was news that SAP and Microsoft will block Russian companies’ access to software updates, including security updates, in August. For some reason, the news was published in Bloomberg without reference to the source.

“It’s not just industry that’s affected. SAP SE and Microsoft Corp. are due to stop updates and services for Russian companies in August, leaving businesses and government services that rely on their software potentially vulnerable to security breaches and viruses.”

Some time later, this paragraph was rewritten. The mention of August was removed. Unfortunately, the fact that the leading Western media are spreading propaganda and rumors is no longer surprising. I do not even want to give a link to the article, whoever is interested can google it on their own.

However, what if this really happens? What if we can no longer use WSUS and SCCM to update the Windows infrastructure? And even more, if we get some malicious functionality in the updates, which will be activated over time. Unfortunately, what once seemed like a minor risk and paranoia is now becoming more than real. Therefore, we need to think in advance about network isolation, alternative ways to update the Windows infrastructure, implement control over backups, implement information security tools that could compensate for the lack of patches to some extent. And most importantly, we need to quickly reduce dependence on the software of unstable vendors. And this is now relevant not only for Russia, but also for the BRICS countries and other countries that are already under US sanctions or may potentially face them.

I also finally decided to launch a Russian-language telegram channel “Управление Уязвимостями и прочее” @avleonovrus. I think it will be updated a little more often, and there will be more reactions to our local Russian topics. Therefore, those who are interested, subscribe.

Hi! My name is Alexander and I am an Information Security Automation specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.