
CISA Releases a Directive Asking Organizations to Patch Known Exploited Vulnerabilities

Posted on Nov 22, 2021 | Updated on July 1, 2022 | By Surojoy Gupta, Priya Ravindran

On November 03, 2021, DHS CISA released a Binding Directive mandating organizations to patch a list of Known Exploited Vulnerabilities (KEVs) by specified deadlines. From 287 vulnerabilities at the start, the count stands at 786 today. This blog performs a risk-based scrutiny of these vulnerabilities and urges organizations to prioritize the KEVs without further delay.


Our researchers deep-dived into these vulnerabilities to understand the criticality of these CVEs and why they need to be addressed within the deadlines specified by CISA.

Firstly, let us look at how many vulnerabilities ought to be patched immediately.

CVEs to be patched by July 2022

We have already crossed the patching deadline for 129 of the CISA KEVs. There are a further 33 vulnerabilities that need to be patched by the end of July 2022. Here is a look into those vulnerabilities:


We also deep-dived into the CISA KEVs and here are the highlights from our analysis.

Threat Analysis

A major part of our vulnerability research is the analysis of threat groups, including Advanced Persistent Threat (APT) groups and ransomware groups, that are exploiting the vulnerabilities. In this section, we discuss the threat groups associated with the Known Exploited Vulnerabilities warned about by CISA.

Overall, 269 of the 786 vulnerabilities have either a ransomware or an APT association. 91 of them have both ransomware and APT associations, making them highly dangerous and important to prioritize for patching.

APTs

183 of the CISA KEVs have APT associations, with over 50% of the CVEs linked to multiple groups. A huge majority of these APT groups have links to China, followed by Russian state-sponsored groups.

CVE-2012-0158, CVE-2017-11882, CVE-2021-1871 and CVE-2021-30661 each have over 20 APT groups associated with them, making them firm favorites of threat actors.

  • CVE-2012-0158 is a remote code execution vulnerability in Microsoft’s Windows Common Controls (MSCOMCTL.OCX). With a critical CVSS severity of 9.3, the vulnerability belongs to the weakness CWE-94, leading to code injection issues.

  • CVE-2017-11882 is a remote code execution vulnerability in Microsoft Office versions 2007 to 2016. Its underlying weakness, CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), is one of the Top 20 Most Dangerous Software Weaknesses listed by MITRE.

  • CVE-2021-1871 is a critical severity vulnerability in Apple iOS devices, warranting a CVSS V3 score of 9.8. It is popularly called the Apple iOS Privilege Escalation and Code Execution Chain vulnerability, and is associated with popular groups such as APT29, FIN7 and Mustang Panda.

  • CVE-2021-30661, the Apple iOS Webkit Storage Use-After-Free vulnerability, is a high severity vulnerability. It is a manifestation of CWE-416, which could lead to programs crashing, using unexpected values, or executing unintended code.

APT29, or the Nobelium group, is the single most prolific APT group amongst these, with links to most of the APT-associated vulnerabilities. This is the threat actor behind the SolarWinds supply chain attack back in December 2021.

Ransomware

177 of the CISA KEVs have ransomware associations, with over 50% linked to multiple groups. Six vulnerabilities have been identified as exploited by more than 10 ransomware groups each.

CVE-2018-4878 has a whopping 41 ransomware families linked to it. It is an arbitrary code execution vulnerability discovered in Adobe Flash Player v28.0.0.161. With a critical CVSS rating of 9.8, the vulnerability stems from memory being referenced after it has been freed, and is categorized under CWE-416.

A notable call-out is CVE-2017-0143, which has 11 ransomware associations and 9 APT associations, marking it as a formidable threat to organizations running Microsoft Server Message Block (SMB) servers.

Read more about the vulnerabilities called out by CISA that are associated with ransomware here.

Exploit Analysis

Of the 786 CISA KEVs, 365 have known public exploits. These exploits fall into four categories:

  • Remote Code Execution that can allow attackers to execute custom code from anywhere

  • Privilege Escalation providing attackers with elevated privileges once they gain entry into a network

  • Denial of Service that can lead to network takeovers or complete shutdown

  • Web Application Exploit codes capable of compromising web applications.

Let's look into an exploit breakdown for the CISA vulnerabilities.

Exploit Type | No. of CVEs
------------ | -----------
RCE/PE       | 312
RCE          | 265
PE           | 164
DoS          | 51
WebApp       | 200


Note: Some CVEs have multiple exploits associated with them.

With over 40% of the vulnerabilities having dangerous RCE/PE exploit codes, it is of utmost importance that organizations address these vulnerabilities at the earliest. If exploited, the consequences could be grave.

Latency Analysis

As part of our exploit analysis, we studied the latencies in NVD disclosure that magnified the impact of the exploited vulnerabilities.

Latency Metrics      | Overall | Critical | High | Medium | Low
-------------------- | ------- | -------- | ---- | ------ | ---
Exploit before patch | 89      | 44       | 39   | 7      | 0
Same day             | 53      | 29       | 23   | 1      | -
Exploit after patch  | 175     | 80       | 82   | 13     | -

Further, we also compared the latencies with respect to the patches released for the vulnerabilities, to understand the trends behind attacks waged by hackers and threat actors alike.

Latency Metrics  | Overall | Critical | High | Medium | NA
---------------- | ------- | -------- | ---- | ------ | --
Same day         | 166     | 67       | 85   | 13     | 1
Patch after NVD  | 158     | 75       | 66   | 16     | -
Patch before NVD | 431     | 153      | 221  | 55     | 2

We identified some interesting observations from our latency analysis of the CISA KEVs.

  • Attackers are going after vulnerabilities even if they have existing patches or workarounds. Interestingly, most of the exploit codes were made publicly available after a patch was released for the vulnerability. This makes a strong case for organizations to revisit their patching cadence and address the vulnerabilities with a higher probability of exploitation.

  • Vulnerabilities are often identified and patched before they are added to the NVD. Thus, while the NVD is a reliable source, organizations must look beyond to proactively remediate potential threats.

Read more about our deeper analysis into the latencies here.

Interesting Nuggets

CISA temporarily removes Windows vulnerability: On May 13, 2022, CISA removed CVE-2022-26925 from its KEV catalog because Microsoft's May patch update for this actively exploited vulnerability could result in authentication failures. CISA continues to urge administrators to apply the May updates to Windows client devices and non-domain-controller Windows servers.

Weakness Analysis

The 786 CISA KEVs are manifestations of 74 different weaknesses in software. Almost 70% of these Common Weakness Enumerations (CWEs) are part of MITRE’s Top 41 CWEs, and 57% are categorized under OWASP’s Top 10 error categories. This highlights the serious implications of these vulnerabilities, which are present across hundreds of products currently used by thousands of users.

Here is a look into the top five weaknesses paving the way for the CISA KEVs:

Weakness | Description                                                                                 | Number of vulnerabilities | OWASP Ranking                | MITRE Ranking
-------- | ------------------------------------------------------------------------------------------- | ------------------------- | ---------------------------- | -------------
CWE-20   | Improper Input Validation                                                                   | 76                        | A3 (Sensitive Data Exposure) | 4
CWE-119  | Improper Restriction of Operations within the Bounds of a Memory Buffer                     | 73                        | -                            | 17
CWE-787  | Out-of-bounds Write                                                                         | 66                        | -                            | 1
CWE-78   | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 43                        | A3 (Sensitive Data Exposure) | 5
CWE-269  | Improper Privilege Management                                                               | 43                        | A4 (XML External Entities)   | 29

All developers need to be aware of the weaknesses they introduce during the design stage and take steps to avoid such errors at the source.

CSW Has Called Out Almost 30% of Vulnerabilities Listed by CISA

CSW’s researchers have called out 188 of the 786 vulnerabilities in the past through detailed blogs, exhaustive coverage of Patch Watch news items, and comprehensive reports.

The detailed Ransomware Spotlight Report 2021, its subsequent index updates (Q1 to Q3), and the newly published Ransomware Spotlight Report 2022 have warned about 129 of the vulnerabilities that have ransomware associations and are highlighted to be patched on priority.

Patch Analysis

About 47% of the CISA KEVs have direct patches available. For the rest, mitigations such as upgrades or workarounds are available. Overall, 50% of the CISA KEVs have workarounds. We strongly recommend that organizations apply the workarounds immediately if they are unable to patch the vulnerabilities right away.

Patching Deadlines

DHS CISA’s initiative of reducing risk through the Known Exploited Vulnerabilities (KEV) catalog is a remediation drive with strict timelines. Below, we look at the stipulated deadlines by which each set of vulnerabilities needs to be patched.

Patching Deadline | Number of CVEs
----------------- | --------------
December 2021     | 126
January 2022      | 3
February 2022     | 15
March 2022        | 103
April 2022        | 127
May 2022          | 218
June 2022         | 129
July 2022         | 33
August 2022       | 24
September 2022    | 8
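The deadline table above is the view a security team gets by bucketing the KEV catalog's dueDate field by month. The following Python example, added here and not part of CSW's post or tooling, parses a small constructed sample in the shape of CISA's published KEV JSON feed, reproduces that monthly bucketing, and triages entries into overdue and due-soon sets against a reference date. The CVE IDs are taken from this post; every date in the sample, the product labels and the 30-day horizon are constructed assumptions.

```python
import json
from collections import Counter
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV catalog feed (the real feed is at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE IDs appear in the blog; all dates and product labels are constructed.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2012-0158", "vendorProject": "Microsoft", "product": "MSCOMCTL.OCX",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
    {"cveID": "CVE-2017-11882", "vendorProject": "Microsoft", "product": "Office",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
    {"cveID": "CVE-2018-4878", "vendorProject": "Adobe", "product": "Flash Player",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
    {"cveID": "CVE-2017-0143", "vendorProject": "Microsoft", "product": "SMBv1",
     "dateAdded": "2022-02-10", "dueDate": "2022-08-10"},
    {"cveID": "CVE-2021-30661", "vendorProject": "Apple", "product": "iOS WebKit",
     "dateAdded": "2021-11-03", "dueDate": "2022-07-17"}
  ]
}"""

# Reference date for triage: the date this post was last updated.
REPORT_DATE = date(2022, 7, 1)


def load_kev(text):
    """Parse a KEV catalog document into entries with real date objects."""
    return [
        {"cveID": v["cveID"],
         "product": f'{v["vendorProject"]} {v["product"]}',
         "dateAdded": date.fromisoformat(v["dateAdded"]),
         "dueDate": date.fromisoformat(v["dueDate"])}
        for v in json.loads(text)["vulnerabilities"]
    ]


def deadline_buckets(entries):
    """Count entries per remediation month (YYYY-MM), as in the Patching Deadlines table."""
    return Counter(e["dueDate"].strftime("%Y-%m") for e in entries)


def triage(entries, today, horizon_days=30):
    """Return CVE IDs already past their due date, and those due within the horizon."""
    by_due = sorted(entries, key=lambda e: e["dueDate"])
    horizon = today + timedelta(days=horizon_days)
    return {
        "overdue": [e["cveID"] for e in by_due if e["dueDate"] < today],
        "due_soon": [e["cveID"] for e in by_due if today <= e["dueDate"] <= horizon],
    }


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    print(dict(deadline_buckets(kev)))
    print(triage(kev, REPORT_DATE))
```

Pointing load_kev at the downloaded feed instead of the sample gives the same two views over the full catalog; joining the overdue list against an asset inventory is the natural next step.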


A meticulous remediation drive is definitely the need of the hour, as it forces the hand of federal entities and critical organizations to take immediate action to improve their cyber hygiene.


However, with the CISA KEV list now expanding to include 700+ vulnerabilities, organizations that haven't managed to keep up are at a loss. With no threat context available, security teams are struggling to prioritize from amongst these KEVs.


CSW researchers have been closely monitoring the developments, and we can help organizations understand why a certain KEV needs to be prioritized. Our definitive threat intelligence can provide the much-needed threat context to connect the dots and close the gaps in your security strategy.

Reach out to us for a CISA KEV assessment.


CSW’s security researchers have also mapped the CISA KEVs to MITRE TTPs, addressing data gaps and other challenges along the way. Read more on our research here.


Note: This story is continuously evolving, so please follow our blogs to keep abreast of the updates to the CISA KEV, and their detailed analysis.
