The number of critical security vulnerabilities reached a record high in 2020, but sysadmins have been warned against focusing solely on high-scoring CVEs in their patch process
Organizations should look beyond CVSS scores when evaluating the threat posed by security vulnerabilities, according to a new report.
Based on an analysis of more than 18,000 vulnerabilities logged by the US National Institute of Standards and Technology (NIST) in 2020, security firm Redscan says it’s important to take so-called ‘low-risk’ vulnerabilities seriously.
More security vulnerabilities were disclosed in 2020 than ever before, with an average rate of 50 CVEs per day.
Overall, Redscan found that 57% of these were classified as being ‘critical’ or ‘high’ severity under the widely used Common Vulnerability Scoring System (CVSS) – and, understandably, it tends to be these that receive the most attention from security teams.
However, the number of low complexity CVEs is on the rise, amounting to 63% of vulnerabilities disclosed in 2020.
And, says Redscan, many high-severity vulnerabilities are never actually exploited in the real world because they are too complex, or require attackers to have access to high level privileges.
“Just because a vulnerability is classified as high severity doesn’t necessarily mean that it presents any greater risk than one that is medium severity,” George Glass, Redscan’s head of threat intelligence, tells The Daily Swig.
“Defence in depth in vitally important, and this is also true when deciding which vulnerabilities to patch, for example a low-scoring exploit on and internet facing appliance could pose a greater risk than a higher scoring vulnerability which would take a much more skilled adversary to exploit.”
Meanwhile, low risk flaws can be chained, making them more dangerous than might immediately be apparent.
“For example, one vulnerability could provide an attacker with a low privilege shell on a host,” says Glass.
“The attacker could then move on to exploit another vulnerability to allow them to become root or perform lateral movement and achieve their real objectives, whether that’s installing ransomware or stealing data.”
The weakest link
During the course of last year, Redscan saw several examples of chaining vulnerabilities in edge networking technology. These included Fortinet and MobileIron devices with the Zerologon vulnerability, which allowed threat actors to pivot from a low privilege account on the network edge to obtain administrator access to an entire domain.
But rather more reassuringly for security teams, Redscan found a drop in the percentage of vulnerabilities which require no user privileges to exploit – down from 71% in 2016 to 58% in 2020.
Meanwhile, Edgescan's Vulnerability Stats Report reveals that nearly two thirds of the CVEs it found in 2020 were more than three years old, with half of those dating back to 2015 or before.
“Malware is exploiting common old vulnerabilities, which could easily be patched,” says the firm.
Glass urges caution when using automated vulnerability scanning tools to identify security flaws, warning that without the full context they can give a misleading picture.
“To aid decision-making, security teams need a practical understanding of the potential impact vulnerabilities pose and information about how readily they are being exploited in the wild,” he says.
“A key way for organisations to improve vulnerability management is to keep up with what’s happening in the threat landscape and use this information to help prioritise the specific vulnerabilities that present the greatest risk to their own organisation at any point in time.”