A record number of new security vulnerabilities (18,352) were reported in 2020. This year, the number is likely to be higher (13,002 by September 1). The problem with a zero-day vulnerability is that it remains a zero-day until it is patched by both the vendor and the user.
Twenty percent of this year’s new vulnerabilities were given a ‘high severity’ scoring by NVD. Given the speed with which malicious actors can begin to exploit these vulnerabilities, researchers at Trustwave decided to investigate and report (PDF) on how quickly industry patches them.
The researchers selected a range of high profile vulnerabilities, and used Shodan to detect instances of the vulnerabilities still extant on the internet. They conducted searches on July22, August 16, and August 31 to detect the progress of patching.
Seven vulnerability disclosures were selected for the analysis: MS Exchange Server (ProxyShell and ProxyToken); Apache Tomcat (HTTP request smuggling and QNAP NAS command injection); VMware vCenter (multiple vulnerabilities); Pulse Connect (authentication bypass); F5 BIG-IP (RCE vulnerability); MS Exchange Server (ProxyLogon); and Oracle WebLogic Server (RCE).
The results are not encouraging. For example, the ProxyShell and ProxyToken vulnerabilities were patched by Microsoft in April and May, and disclosed in July. “As of August 31, 2021,” say the researchers, “facet analysis on Shodan reports ~45K instances verified were vulnerable to ProxyShell.” That is 21.17% of MS Exchange Servers remained unpatched.
The pattern is similar across the other analyzed vulnerabilities. More than half of all Apache Tomcat vulnerabilities remained unpatched at August 31, 2021; and more than20% of Pulse Connect instances were unpatched. The F5 and MS ProxyLogon vulnerabilities are both down to around 5% of instances, but have both only reduced by around 2% since July 22, 2021.
The Oracle WebLogic vulnerability is a bit more complex. It was patched by Oracle in January 2021. However, by July 22, 2021, Shodan showed that 72% of Internet-facing WebLogic instances had not been updated to the new version. But based on actual application exploitability, this number fell to 5.6% by the end of August. Worryingly, this is slightly higher than the 5.34% detected on August 16, 2021.
There are many reasons why companies fail to patch their systems quickly. However, the point to note here is that cybercriminals use the same research techniques as those used Trustwave; that is, Shodan and other internet scanning tools. Every single vulnerable instance found by Trustwave in this exercise is also known to the criminal fraternity. Those companies that are yet unexploited probably remain so simply because the attackers have cherry-picked other targets to attack first.
“It is imperative,” say the researchers, “that organizations proactively identify vulnerabilities and patch them.” This is complicated by organizations not always knowing the entirety of their IT estate – it is not unknown for servers to become unused and forgotten (and therefore unpatched), yet remain connected to and accessible from the internet. Similarly, the ease with which new servers are spun up in the cloud, used for a single task (such as testing) and then abandoned and forgotten, adds to a company’s invisible IT estate. These effectively unknown systems will still be found by Shodan and potentially exploited by criminals to gain an undetected foothold into the network.
“It is crucial to have an up-to-date inventory of assets, particularly for targets accessible via the Internet,” says Trustwave. “Exploits to critical vulnerabilities are usually available anywhere from less than a day to a month, and it is important for organizations to continuously monitor, track and update assets with the latest security updates.”
Related: NIST and Microsoft Partner to Improve Enterprise Patching Strategies
Related: Attacks Exploiting VMware vSphere Flaw Spotted One Week After Patching