Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Telemetry Report Shows Patch Status of High-Profile Vulnerabilities

How quickly are high risk vulnerabilities patched?

How quickly are high risk vulnerabilities patched?

A record number of new security vulnerabilities (18,352) were reported in 2020. This year, the number is likely to be higher (13,002 by September 1). The problem with a zero-day vulnerability is that it remains a zero-day until it is patched by both the vendor and the user.

Twenty percent of this year’s new vulnerabilities were given a ‘high severity’ scoring by NVD. Given the speed with which malicious actors can begin to exploit these vulnerabilities, researchers at Trustwave decided to investigate and report (PDF) on how quickly industry patches them.

The researchers selected a range of high profile vulnerabilities, and used Shodan to detect instances of the vulnerabilities still extant on the internet. They conducted searches on July22, August 16, and August 31 to detect the progress of patching.

Seven vulnerability disclosures were selected for the analysis: MS Exchange Server (ProxyShell and ProxyToken); Apache Tomcat (HTTP request smuggling and QNAP NAS command injection); VMware vCenter (multiple vulnerabilities); Pulse Connect (authentication bypass); F5 BIG-IP (RCE vulnerability); MS Exchange Server (ProxyLogon); and Oracle WebLogic Server (RCE).

The results are not encouraging. For example, the ProxyShell and ProxyToken vulnerabilities were patched by Microsoft in April and May, and disclosed in July. “As of August 31, 2021,” say the researchers, “facet analysis on Shodan reports ~45K instances verified were vulnerable to ProxyShell.” That is 21.17% of MS Exchange Servers remained unpatched.

The pattern is similar across the other analyzed vulnerabilities. More than half of all Apache Tomcat vulnerabilities remained unpatched at August 31, 2021; and more than20% of Pulse Connect instances were unpatched. The F5 and MS ProxyLogon vulnerabilities are both down to around 5% of instances, but have both only reduced by around 2% since July 22, 2021.

The Oracle WebLogic vulnerability is a bit more complex. It was patched by Oracle in January 2021. However, by July 22, 2021, Shodan showed that 72% of Internet-facing WebLogic instances had not been updated to the new version. But based on actual application exploitability, this number fell to 5.6% by the end of August. Worryingly, this is slightly higher than the 5.34% detected on August 16, 2021.

There are many reasons why companies fail to patch their systems quickly. However, the point to note here is that cybercriminals use the same research techniques as those used Trustwave; that is, Shodan and other internet scanning tools. Every single vulnerable instance found by Trustwave in this exercise is also known to the criminal fraternity. Those companies that are yet unexploited probably remain so simply because the attackers have cherry-picked other targets to attack first.

Advertisement. Scroll to continue reading.

“It is imperative,” say the researchers, “that organizations proactively identify vulnerabilities and patch them.” This is complicated by organizations not always knowing the entirety of their IT estate – it is not unknown for servers to become unused and forgotten (and therefore unpatched), yet remain connected to and accessible from the internet. Similarly, the ease with which new servers are spun up in the cloud, used for a single task (such as testing) and then abandoned and forgotten, adds to a company’s invisible IT estate. These effectively unknown systems will still be found by Shodan and potentially exploited by criminals to gain an undetected foothold into the network.

“It is crucial to have an up-to-date inventory of assets, particularly for targets accessible via the Internet,” says Trustwave. “Exploits to critical vulnerabilities are usually available anywhere from less than a day to a month, and it is important for organizations to continuously monitor, track and update assets with the latest security updates.”

Related: NIST and Microsoft Partner to Improve Enterprise Patching Strategies

Related: Attacks Exploiting VMware vSphere Flaw Spotted One Week After Patching

Related: Did Microsoft Botch the PrintNightmare Patch?

Related: Microsoft Ships Massive Security Patch Bundle

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Threat intelligence firm Team Cymru has appointed Joe Sander as its Chief Executive Officer.

Madhu Gottumukkala has been named Deputy Director of the cybersecurity agency CISA.

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.