
Vulnerabilities in CISA KEV Are Not Equally Critical: Report

New report says organizations should always consider environmental context when assessing the impact of vulnerabilities in CISA KEV catalog.


Security flaws in CISA’s Known Exploited Vulnerabilities (KEV) catalog should be prioritized according to an assessment of the environment they sit in, not treated with uniform urgency, according to a new report from Israeli startup Ox Security.

With approximately 1,300 vulnerabilities flagged as exploited in the wild, the KEV catalog is a trusted source for defenders, but the breadth of platforms and products it covers means that its entries should not all be treated with the same urgency.

A “patch everything” approach, Ox says in its report, is ineffective, as it creates unnecessary workloads and diverts resources from important issues. Instead, organizations should rely on context to determine the criticality of these security defects and their impact on their environments.

Ox Security said it analyzed how the KEV list applies to cloud containerized environments. Among the 10,000 most common CVEs, it identified 25 KEV entries that affect cloud native applications, and found that 10 of those 25 do not represent an actual threat to such environments.

Examining more than 200 separate environments, the report concluded that these 10 vulnerabilities are either technically unexploitable in cloud containerized environments or exploitable only under specific conditions, even though some of them were detected tens of thousands of times in open source containers.

Of the 10 vulnerabilities, six require Android-specific environments, physical access, or terminal access (although two of them affect every platform that uses the Linux kernel and can be chained with other flaws), three impact Chrome, and one affects Apple’s Safari browser.

Four of the six Android defects are not exploitable in cloud environments, while the other two warrant a fix only where local access or internet access is available. The Chrome flaws can be exploited only if the service is used for image, video, or font processing, while the Safari bug can be ignored on non-browser platforms.

According to Ox Security, the software defects listed in CISA’s KEV catalog should not be ignored: they represent significant threats, many of them impacting cloud environments, and their remediation should remain a high priority. Rather than being patched indiscriminately, however, each CVE should be handled according to its relevance to the organization.


Defenders should never strip a CVE of its original context, but should carefully assess whether a patch is needed, and how urgently, based on the impact the flaw has on their organization’s environment, as some vulnerabilities could prove entirely harmless in a given deployment, Ox says.

Determining a vulnerability’s impact requires identifying the platforms it affects, checking for publicly available exploits, understanding how it can be exploited in real-world scenarios, assessing its proximity to sensitive information, and understanding the outcome of successful exploitation.
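The kind of context-based triage the report describes can be expressed as a small rule set run over container scan results. The following is an added example, not code from Ox Security or from the report; the CVE identifiers, package names, workload profiles and the four priority levels are all constructed for illustration. It encodes the page’s own criteria: a KEV entry is set aside when the workload’s platform is not one the bug affects, when exploitation needs physical access, or when it depends on a capability the workload lacks (image, video or font processing for the Chrome bugs, a browser for the Safari bug); local-only bugs are urgent only where an attacker can already get a shell, and are kept as high priority when they are chainable behind an internet-facing service.

```python
"""Contextual triage of KEV-listed findings from a container image scan.

Added example: rules, priority levels, CVE IDs and package names are
constructed placeholders, not data from the KEV catalog or the report.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    in_kev: bool
    platforms: frozenset      # platforms on which the bug is exploitable
    attack_vector: str        # "network", "local" or "physical"
    needs: frozenset          # workload capabilities the exploit depends on
    chainable: bool = False   # usable as one link in a chain (e.g. LPE after RCE)


@dataclass(frozen=True)
class Workload:
    platform: str
    internet_exposed: bool
    interactive_access: bool  # can an attacker plausibly obtain a shell here?
    capabilities: frozenset   # what the workload actually does with untrusted input


def triage(f: Finding, w: Workload) -> Tuple[str, str]:
    """Return (priority, reason) for one finding in one deployment context."""
    if not f.in_kev:
        return "standard", "not in KEV; normal patch cadence"
    if w.platform not in f.platforms:
        return "not_applicable", f"exploitable only on {sorted(f.platforms)}, workload runs {w.platform}"
    if f.attack_vector == "physical":
        return "not_applicable", "needs physical access; none in a cloud container"
    if not f.needs <= w.capabilities:
        return "not_applicable", f"workload does not use {sorted(f.needs - w.capabilities)}"
    if f.attack_vector == "local":
        if w.interactive_access:
            return "urgent", "local exploit and attackers can reach a shell"
        if f.chainable and w.internet_exposed:
            return "high", "local-only, but chainable behind an internet-facing service"
        return "defer", "local exploit with no local access path"
    if w.internet_exposed:
        return "urgent", "remotely exploitable on an internet-facing workload"
    return "high", "remotely exploitable from inside the network"


def prioritize(findings: Iterable[Finding], w: Workload) -> Dict[str, List[str]]:
    """Group CVE IDs by priority level for a given workload."""
    buckets: Dict[str, List[str]] = {}
    for f in findings:
        level, _ = triage(f, w)
        buckets.setdefault(level, []).append(f.cve)
    return buckets


# Constructed sample scan output (placeholder CVE IDs, not real KEV entries).
ANY = frozenset({"linux", "android", "windows", "macos"})
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "mobile-framework", True, frozenset({"android"}), "local", frozenset()),
    Finding("CVE-0000-0002", "kernel", True, frozenset({"linux", "android"}), "local", frozenset(), chainable=True),
    Finding("CVE-0000-0003", "image-codec", True, ANY, "network", frozenset({"image_processing"})),
    Finding("CVE-0000-0004", "browser-engine", True, ANY, "network", frozenset({"browser"})),
    Finding("CVE-0000-0005", "tls-library", True, frozenset({"linux"}), "network", frozenset()),
    Finding("CVE-0000-0006", "compression-lib", False, ANY, "network", frozenset()),
]

# Two constructed deployment contexts for the same image.
API_WORKLOAD = Workload("linux", internet_exposed=True, interactive_access=False,
                        capabilities=frozenset({"http_api", "tls"}))
IMAGE_SERVICE = Workload("linux", internet_exposed=True, interactive_access=True,
                         capabilities=frozenset({"image_processing"}))

if __name__ == "__main__":
    for name, w in (("api", API_WORKLOAD), ("image-service", IMAGE_SERVICE)):
        print(f"== {name} ==")
        for f in SAMPLE_FINDINGS:
            level, why = triage(f, w)
            print(f"{f.cve:16} {level:15} {why}")
```

Running it shows the same image producing different worklists: on the API workload the Android-only, image-codec and browser-engine entries drop to not applicable and only the network-reachable TLS bug is urgent, while on the image service the codec bug becomes urgent and the chainable kernel bug is promoted because a shell is reachable. The reason string is kept alongside the level so the original KEV context is never discarded, only annotated.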

“This additional contextual information would enable security teams to implement a more precise and efficient workflow when handling critical vulnerabilities in their environments, reducing alert fatigue and focusing resources where they matter most,” the company said.

The security firm, which breaks down each of these vulnerabilities and explains why they have little or no impact on containerized environments, suggests that platform-specific relevance indicators, CVE origin information, and context on attack paths and attack chains could enhance the KEV catalog.

The report comes one week after CISA and NIST proposed LEV (Likely Exploited Vulnerabilities), a new cybersecurity metric meant to enhance KEV by assessing the likelihood that a security defect has been exploited in attacks.

Related: Exploitation Long Known for Most of CISA’s Latest KEV Additions

Related: Faster Patching Pace Validates CISA’s KEV Catalog Initiative

Related: EU Cybersecurity Agency ENISA Launches European Vulnerability Database

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
