
Top Scanners Fail to Flag DHS CISA-warned Known Exploited Vulnerabilities (KEV)

Posted on Mar 2, 2022 | Updated on October 03, 2022 | By Pavithra Shankar

Did you know 68 actively exploited vulnerabilities in the CISA KEV catalog are not being detected by popular scanners?

Security teams rely on vulnerability scanners to scan their network, systems, and assets for vulnerabilities. When the same scanners fail to detect critical vulnerabilities, organizations are exposed to risks and threats that could have been prevented.

On November 3, 2021, the Department of Homeland Security's CISA published a directive to reduce the significant risk posed by exploited vulnerabilities. Since then, CISA has maintained a list of known exploited vulnerabilities that is updated multiple times a week, if not more often. Because previously exploited vulnerabilities are a common attack vector for malicious cyber actors, CISA treats these vulnerabilities as the most serious threats, which must be promptly remediated.

We looked into the catalog and found that 68 known, actively exploited CVEs were missed by top scanners such as Nessus, Nexpose, and Qualys.

Key numbers from our analysis:

  • CISA Known Exploited Vulnerabilities: 837
  • Known Exploited Vulnerabilities undetected by scanners: 68
  • CVEs with known exploits: 17
  • KEVs that are likely to be exploitable: 65
  • RCE/PE: 10
  • Trending CVEs: 32
  • Ransomware association: 9
  • APT groups: 1

On a positive note, two of the vulnerabilities we had called out here now have plugins available on the Nexpose scanner: CVE-2022-37042 and CVE-2022-29499. This is a step in the right direction, and we look forward to scanners releasing plugins for the rest of the vulnerabilities as well.

We examined the vulnerabilities missed by top scanners and found that organizations that depend on these scanners to have their back are at a huge disadvantage.

Vulnerabilities Missed by Scanners

  • Of the 837 KEVs in the catalog, 316 CVEs were missed by Nexpose, 143 CVEs by Nessus, and 98 by Qualys.
  • 68 vulnerabilities are missed by all three scanners - a worrying aspect for organizations.
    • Ten of these vulnerabilities are RCE/PE bugs.
    • Nine of these vulnerabilities are tied to five ransomware strains.
    • One of them is being used by an APT group.
  • The severity scores of these 68 vulnerabilities break down as follows:
    • 40 are rated critical
    • 16 are rated high
    • 8 are rated medium
    • 2 CVEs are rated low severity
  • 65 of the vulnerabilities get a high rating in our Threat Intelligence Platform, indicating a higher probability of exploitation based on the intense interest in hacker channels.

The fact that scanners are not detecting these vulnerabilities should be a cause of concern for organizations and their security teams who need to rethink their scanning strategy.
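The gap analysis described above (catalog entries minus what each scanner can detect, then the intersection across scanners and a vendor breakdown of the blind spot) can be reproduced with a short script. The following is an added example and not CSW's own tooling: the catalog entries are a constructed sample that mirrors the field names of CISA's public KEV JSON feed (`cveID`, `vendorProject`, `product`), the CVE IDs use the year 0000 so they are obviously placeholders, and the per-scanner coverage sets are hypothetical stand-ins for the list of CVE IDs a scanner's plugin or QID database actually tests for.

```python
"""Cross-check scanner coverage against the CISA KEV catalog.

Added example; this is not CSW's own tooling. KEV_SAMPLE is a constructed
sample in the shape of the KEV feed's "vulnerabilities" entries, and
SCANNER_COVERAGE is a hypothetical map of scanner name -> CVE IDs it can detect.
"""
import json
from collections import Counter

# Constructed KEV-style entries (placeholder IDs, not data from the post).
KEV_SAMPLE = [
    {"cveID": "CVE-0000-0001", "vendorProject": "VendorA", "product": "Router"},
    {"cveID": "CVE-0000-0002", "vendorProject": "VendorA", "product": "Router"},
    {"cveID": "CVE-0000-0003", "vendorProject": "VendorB", "product": "NAS"},
    {"cveID": "CVE-0000-0004", "vendorProject": "VendorC", "product": "PBX"},
    {"cveID": "CVE-0000-0005", "vendorProject": "VendorB", "product": "NAS"},
    {"cveID": "CVE-0000-0006", "vendorProject": "VendorD", "product": "Camera"},
    {"cveID": "CVE-0000-0007", "vendorProject": "VendorD", "product": "DVR"},
]

# Hypothetical coverage: which of the catalog's CVE IDs each scanner checks for.
SCANNER_COVERAGE = {
    "Nessus":  {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0004"},
    "Nexpose": {"CVE-0000-0001", "CVE-0000-0003"},
    "Qualys":  {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003", "CVE-0000-0005"},
}


def parse_kev_feed(text):
    """Return the entry list from KEV feed JSON. Assumes the feed's top-level
    "vulnerabilities" array, as in CISA's published schema."""
    return json.loads(text)["vulnerabilities"]


def kev_ids(entries):
    """Set of CVE IDs in the catalog."""
    return {e["cveID"] for e in entries}


def missed_per_scanner(entries, coverage):
    """KEV CVE IDs each scanner cannot detect: catalog minus that scanner's coverage."""
    ids = kev_ids(entries)
    return {name: ids - covered for name, covered in coverage.items()}


def missed_by_all(entries, coverage):
    """KEV CVE IDs that none of the scanners detect: the organization's blind spot."""
    missed = missed_per_scanner(entries, coverage)
    return set.intersection(*missed.values()) if missed else set()


def vendor_breakdown(entries, cve_ids):
    """Count affected vendors among the given CVE IDs."""
    return Counter(e["vendorProject"] for e in entries if e["cveID"] in cve_ids)


def coverage_report(entries, coverage):
    """Summarize per-scanner misses, the shared blind spot, and its vendors."""
    missed = missed_per_scanner(entries, coverage)
    blind = missed_by_all(entries, coverage)
    return {
        "catalog_size": len(entries),
        "missed_per_scanner": {k: len(v) for k, v in missed.items()},
        "missed_by_all": sorted(blind),
        "vendors_in_blind_spot": dict(vendor_breakdown(entries, blind)),
    }


if __name__ == "__main__":
    print(json.dumps(coverage_report(KEV_SAMPLE, SCANNER_COVERAGE), indent=2))
```

To run this against the live catalog, feed the downloaded KEV JSON through `parse_kev_feed` and replace `SCANNER_COVERAGE` with the CVE IDs exported from each scanner's plugin or knowledge-base listing; the CVEs in `missed_by_all` are the ones that need a compensating control or a manual check until a plugin ships.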

DHS CISA KEVs Scanner Analysis (KEVs missed per scanner)

  • Nexpose: 316
  • Nessus: 143
  • Qualys: 98

Trending in Google

According to Google search interest, 32 CVEs (out of the 68 KEVs missed by scanners) have been trending in the past 30 days. We also spotted hackers briefly discussing the release of exploits for some of these CVEs on the Metasploit forum.

Hackers' keen interest in publishing exploits, along with the associated malware targets and attack types, generates a lot of Google searches.

This also makes these 68 vulnerabilities dangerous for organizations, which are unaware of their exposure.

Old Vulnerabilities

58 (out of 68) of the vulnerabilities that the scanners are not detecting are old weaknesses, discovered between 2007 and 2021.

Vulnerability scanners are designed to uncover vulnerabilities within a target by comparing it against a database of known vulnerabilities. Despite the multiple CISA warnings, these popular scanners still operate with outdated databases, exposing critical assets.

The question is this: if all these DHS CISA-warned KEVs are known, old vulnerabilities, then why do the scanners still skip them?

These false-negative scanner results, combined with the long disclosure timeline of the vulnerabilities, hand threat actors an easy advantage: they can find exploits for them, eventually leading to ransomware attacks against organizations.

Common Weakness Enumeration Analysis

Upon analyzing the code weaknesses, we found that over 80% of the known exploited vulnerabilities missed by the scanners fall under MITRE's 2021 CWE Top 40 Most Dangerous Software Weaknesses.

  • With 20% of the CVEs, CWE-78 (Improper Neutralization of Special Elements used in an OS Command) is the most common weakness among the KEVs overlooked by scanners. CWE-78 ranks fifth on the list of most dangerous software weaknesses.

  • The most dangerous software weakness, CWE-77 (Improper Neutralization of Special Elements used in a Command), accounted for 11% of the vulnerabilities missed by the scanners.

  • 12% of the KEVs with critical and high severity ratings do not have a specific CWE identifier assigned to them.

  • 79% of the KEVs skipped by the scanners are categorized under the OWASP CWE Top 10:2021.

CWE                          Count of CVEs
CWE-119                      2
CWE-121|CWE-787              1
CWE-20                       1
CWE-20|CWE-77|CWE-78         2
CWE-200                      2
CWE-22                       4
CWE-264                      1
CWE-269                      2
CWE-287                      2
CWE-287|CWE-668|CWE-94       1
CWE-287|CWE-697              1
CWE-310                      1
CWE-425|CWE-352              1
CWE-434                      1
CWE-434|CWE-78               1
CWE-436|CWE-434              1
CWE-502                      1
CWE-610                      1
CWE-77                       2
CWE-77|CWE-787               2
CWE-77|CWE-918               1
CWE-78                       11
CWE-787                      2
CWE-79                       3
CWE-79|CWE-80                2
CWE-798                      1
CWE-843                      1
CWE-863                      1
CWE-863|CWE-284              1
CWE-863|CWE-285              1
CWE-89                       3

Table: CWE Analysis of CISA KEVs Missed by Top Scanners

Relying solely on legacy methods for detection and response tools or even on a simple vulnerability management program is not an adequate defense. Organizations that continue with outdated scanner systems are especially vulnerable to ransomware threats.  Therefore, we recommend scanner users employ a threat and risk-based strategy rather than depending only on the scanner's results and severity ratings.

Affected Vendors 

We then examined the affected vendors and their products vulnerable to these KEVs missed by scanners and found a total of 41 vendors affected by these CVEs. Further, we observed that 17% of CVEs impact D-link products. 

Vendor                       Count of Vulnerabilities
Alcatel                      1
Amcrest                      1
Arm                          1
Aviatrix                     1
ChakraCore                   1
Checkbox                     1
Code Aurora                  1
D-Link                       11
D-Link and TRENDnet          1
FatPipe                      1
Hikvision                    1
IBM                          4
Kaseya                       2
LG                           1
McAfee                       1
Meta Platforms               1
Micro Focus                  1
Microsoft                    2
Mitel                        1
MongoDB                      1
Netgear                      2
Oracle                       1
Oracle Corporation           1
Owl Labs                     1
QNAP                         5
QNAP Systems                 1
Realtek                      2
SAP                          3
Schneider Electric           1
SIMalliance                  1
Sumavision                   1
Tenda                        3
TP-Link                      1
TVT                          1
Ubiquiti                     1
Unraid                       2
WatchGuard                   2
Yealink                      1
Zimbra                       1
Zoho                         1
Zyxel                        1

Table: CISA KEVs Missed by Top Scanners


A Pentester's Viewpoint on Why Scanners Still Skip Known Bugs

The flawed trend of vulnerability scanners relying on CVSS scores rather than a risk-based approach is changing now. Scanners have begun focusing on associations such as weaponization, malware, ransomware, and other trends. However, there are still issues that need to be addressed, such as CVE assignment latency. It is high time for scanner owners to adopt risk- and threat-based approaches to managing their cyber exposure.

The reliability of a vulnerability scanner is determined by the testing procedures it employs as well as how frequently its detection database is updated. With popular scanners such as Nessus, Nexpose, and Qualys missing critical vulnerabilities, users are blind to the fact that they are unknowingly exposed to cyber attacks leveraging these concealed weaknesses.

It is essential that organizations know their inventory not just in terms of hardware and software, but also in terms of infrastructure and third-party services. Likewise, organizations need to rely on continuous vulnerability scanning solutions (VMaaS), Attack Surface Management (ASM), and security companies that offer vulnerability intelligence feeds to gather information on vulnerability detection and remediation. CSW provides all three key solutions to its customers and has been helping them gain cyber resilience against increasing instances of cyber-attacks and evolving threats.
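The risk-based prioritization the post argues for (ranking by KEV listing, public exploit, ransomware association, RCE/PE impact and trending interest, rather than by CVSS alone) can be made concrete with a small scoring function. The following is an added example, not CSW's platform or its scoring: the findings are constructed (placeholder CVE IDs with the year 0000) and the weights are an assumption, chosen so that a single KEV listing outweighs any CVSS difference; they are meant to be tuned against your own threat intelligence.

```python
"""Rank findings by exploitation evidence rather than by CVSS alone.

Added example, not CSW's own scoring. FINDINGS is a constructed sample of
scanner results enriched with threat-intelligence flags; WEIGHTS is an
assumed weighting of the threat signals discussed in the post.
"""

# Assumed weights. in_kev is deliberately larger than the full CVSS range so a
# listed KEV always outranks an unlisted bug, whatever their CVSS scores.
WEIGHTS = {
    "in_kev": 10.0,
    "exploit_public": 3.0,
    "ransomware": 4.0,
    "rce_pe": 2.0,
    "trending": 1.0,
}

# Constructed findings (placeholder CVE IDs), as a scanner might report them
# once enriched with KEV membership and threat-intel associations.
FINDINGS = [
    {"cve": "CVE-0000-0101", "cvss": 9.8, "in_kev": False, "exploit_public": False,
     "ransomware": False, "rce_pe": True, "trending": False},
    {"cve": "CVE-0000-0102", "cvss": 7.5, "in_kev": True, "exploit_public": True,
     "ransomware": True, "rce_pe": True, "trending": True},
    {"cve": "CVE-0000-0103", "cvss": 5.3, "in_kev": True, "exploit_public": False,
     "ransomware": False, "rce_pe": False, "trending": False},
    {"cve": "CVE-0000-0104", "cvss": 8.8, "in_kev": False, "exploit_public": True,
     "ransomware": False, "rce_pe": True, "trending": False},
]


def risk_score(finding):
    """CVSS base score plus the weight of every threat signal that is present."""
    return finding["cvss"] + sum(w for k, w in WEIGHTS.items() if finding.get(k))


def tier(finding):
    """Remediation tier: KEV entries first, then weaponized bugs, then the rest."""
    if finding["in_kev"]:
        return "immediate"
    if finding["exploit_public"] or finding["ransomware"]:
        return "urgent"
    return "scheduled"


def prioritize(findings):
    """Findings ordered by risk score, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


def by_cvss(findings):
    """The CVSS-only ordering, kept for comparison with prioritize()."""
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f['cve']}  cvss={f['cvss']:<4}  score={risk_score(f):<5}  tier={tier(f)}")
```

With these weights the medium-severity KEV (CVSS 5.3) ranks above the critical but unlisted CVSS 9.8 finding, which is exactly the reordering a CVSS-only queue misses; `by_cvss` shows the ordering the scanner's severity rating alone would produce.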
