Decoding CISA Known Exploited Vulnerabilities

Top Scanners Fail to Flag DHS CISA-warned Known Exploited Vulnerabilities (KEV)

Posted on Mar 2, 2022 | Updated on January 23, 2023 | By Pavithra Shankar, Priya Ravindran

Did you know 55 actively exploited vulnerabilities in the CISA KEV catalog are not being detected by popular scanners?

Security teams rely on vulnerability scanners to scan their network, systems, and assets for vulnerabilities. When the same scanners fail to detect critical vulnerabilities, organizations are exposed to risks and threats that could have been prevented.

On November 3, 2021, CISA (the DHS Cybersecurity and Infrastructure Security Agency) issued Binding Operational Directive 22-01 to reduce the significant risk posed by known exploited vulnerabilities. Since then, CISA has maintained a catalog of known exploited vulnerabilities that is updated several times a week. Because previously exploited vulnerabilities are a common attack vector for malicious cyber actors, CISA treats these vulnerabilities as the most serious threats and requires that they be remediated promptly, by the due date attached to each catalog entry.

We looked into the catalog and found that 55 actively exploited CVEs were missed by top scanners such as Nessus, Nexpose, and Qualys.

At a glance:

  • CISA Known Exploited Vulnerabilities: 871
  • Known Exploited Vulnerabilities undetected by scanners: 55
  • Of those 55, CVEs with known exploits: 13
  • Of those 55, KEVs likely to be exploitable: 49
  • Of those 55, RCE/PE bugs: 8
  • Of those 55, trending CVEs: 24
  • Of those 55, with a ransomware association: 4
  • Of those 55, used by APT groups: 1

On a positive note, many of these vulnerabilities have since received detection plugins in more recent scanner updates. This is a step in the right direction, and we look forward to the scanners releasing plugins for the remaining vulnerabilities as well.

We examined the vulnerabilities missed by the top scanners and found that organizations that depend on these scanners to have their back are at a serious disadvantage:

  • Of the 871 KEVs, 320 CVEs were missed by Nexpose, 107 by Nessus, and 90 by Qualys.
  • 55 vulnerabilities are missed by all three scanners, a worrying finding for organizations.
    • Eight of these are RCE (remote code execution) or PE (privilege escalation) bugs.
    • Four of these are tied to four ransomware strains.
    • One of them is being used by an APT group.
  • The severity scores of these 55 vulnerabilities break down as follows:
    • 27 are rated critical
    • 16 are rated high
    • 4 are rated medium
    • 2 are rated low
    • 6 have no severity rating
  • 49 of the vulnerabilities receive the maximum rating in our Threat Intelligence Platform, indicating a higher probability of exploitation based on intense interest in hacker channels.

That the scanners are not detecting these vulnerabilities should concern organizations and their security teams, who need to rethink their scanning strategy.
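The gap analysis described above (which KEVs no scanner has a detection for, which vendors they cluster on, and which are already past their BOD 22-01 due date) can be reproduced against the live CISA feed. The following is an added example, not code from the article or from CSW; it runs offline on a constructed four-entry fragment of the feed (the CVE IDs are genuine catalog entries, but the dates are illustrative), and the per-scanner coverage sets are hypothetical stand-ins for what you would export from each product's plugin or QID database.

```python
import json
from collections import Counter
from datetime import date

# CISA publishes the catalog as JSON at this URL; the example runs offline on
# the constructed fragment below so it does not depend on network access.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed fragment of the feed (same field names as the real catalog).
# The CVE IDs are genuine KEV entries; the dates are illustrative and should
# be read from the live feed rather than trusted from here.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
         "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
        {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "SMBv1",
         "dateAdded": "2022-02-10", "dueDate": "2022-08-10"},
        {"cveID": "CVE-2018-13379", "vendorProject": "Fortinet", "product": "FortiOS",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
        {"cveID": "CVE-2021-34473", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
    ],
})

# Hypothetical plugin coverage: the CVE IDs each scanner has a detection for.
# In practice, export this from each product's plugin/QID database.
SCANNER_COVERAGE = {
    "Nessus":  {"CVE-2021-44228", "CVE-2017-0144", "CVE-2021-34473"},
    "Nexpose": {"CVE-2021-44228", "CVE-2017-0144"},
    "Qualys":  {"CVE-2021-44228", "CVE-2021-34473"},
}


def load_catalog(raw_json):
    """Index the feed by CVE ID so lookups and set operations are cheap."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def missed_per_scanner(catalog, coverage):
    """KEVs each scanner has no detection for."""
    return {name: sorted(set(catalog) - cves) for name, cves in coverage.items()}


def missed_by_all(catalog, coverage):
    """KEVs that none of the scanners would ever report: the blind spot."""
    covered_by_any = set().union(*coverage.values())
    return sorted(set(catalog) - covered_by_any)


def vendor_breakdown(catalog, cve_ids):
    """How the blind-spot KEVs cluster by vendor (the article's vendor table)."""
    return Counter(catalog[c]["vendorProject"] for c in cve_ids)


def overdue(catalog, cve_ids, today):
    """Blind-spot KEVs whose BOD 22-01 due date has already passed."""
    return sorted(c for c in cve_ids
                  if date.fromisoformat(catalog[c]["dueDate"]) < today)


def gap_report(raw_json=SAMPLE_KEV_JSON, coverage=SCANNER_COVERAGE,
               today=date(2023, 1, 23)):
    """Full report: per-scanner misses, misses common to all, vendors, overdue."""
    catalog = load_catalog(raw_json)
    per_scanner = missed_per_scanner(catalog, coverage)
    blind_spot = missed_by_all(catalog, coverage)
    return {
        "catalog_size": len(catalog),
        "missed_per_scanner": {k: len(v) for k, v in per_scanner.items()},
        "missed_by_all": blind_spot,
        "vendors": dict(vendor_breakdown(catalog, blind_spot)),
        "overdue": overdue(catalog, blind_spot, today),
    }


if __name__ == "__main__":
    print(json.dumps(gap_report(), indent=2))
```

Replace SAMPLE_KEV_JSON with the body fetched from KEV_FEED_URL and the coverage sets with real plugin exports, and the same functions produce the counts the article reports (misses per scanner, misses common to all three, vendor clustering). The overdue list is the one to act on first: every entry in it is both invisible to your scanners and already past the federal remediation deadline.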

DHS CISA KEVs Scanner Analysis (KEVs missed, out of 871)

  • Nexpose: 320
  • Nessus: 107
  • Qualys: 90

Trending in Google

According to Google search interest, 24 CVEs (out of the 55 KEVs missed by scanners) have been trending in the past 30 days. We also spotted hackers briefly discussing the release of exploits for some of these CVEs on the Metasploit forum.

Hackers' keen interest in publishing exploits, malware targets, and attack types generates a lot of Google searches. This makes these vulnerabilities all the more dangerous for organizations, which remain unaware of their exposure.

Old Vulnerabilities

24 of the vulnerabilities that the scanners are not detecting are old weaknesses, disclosed between 2007 and 2019.

Vulnerability scanners uncover vulnerabilities in a target by comparing it against a database of known vulnerabilities (plugins or signatures). Despite multiple CISA warnings, these popular scanners still ship with gaps in those databases, leaving critical assets exposed.

The question is this: if all these DHS CISA-warned KEVs are old, well-known vulnerabilities, why do the scanners still skip them?

These false-negative scanner results, combined with the long time since disclosure, hand threat actors an easy advantage: exploits are readily available, and the unpatched systems are a path to ransomware attacks against organizations.

Common Weaknesses Enumeration Analysis

Upon analyzing the underlying code weaknesses, we found that over 80% of the known exploited vulnerabilities missed by the scanners fall under MITRE's 2021 CWE Top 40 Most Dangerous Software Weaknesses.

  • CWE-78 (Improper Neutralization of Special Elements used in an OS Command, i.e. OS command injection) is the most common weakness among the KEVs overlooked by scanners, accounting for 20% of the CVEs. CWE-78 ranks fifth on the 2021 list.

  • CWE-77 (Improper Neutralization of Special Elements used in a Command, i.e. generic command injection), which also appears on the list, accounted for 7% of the vulnerabilities missed by the scanners.

  • 18% of the KEVs with critical and high severity ratings do not have a specific CWE identifier assigned to them.

  • 69% of the KEVs skipped by the scanners fall under the OWASP Top 10:2021 categories.

Weakness          Name                                              Count of CVEs
CWE-119           Improper Restriction of Operations within the     2
                  Bounds of a Memory Buffer
CWE-20            Improper Input Validation                         1
CWE-22            Path Traversal                                    3
CWE-22|CWE-287    Path Traversal / Improper Authentication          1
CWE-264           Permissions, Privileges, and Access Controls      1
CWE-287           Improper Authentication                           1
CWE-310           Cryptographic Issues                              1
CWE-77            Command Injection                                 1
CWE-78            OS Command Injection                              6
CWE-79            Cross-site Scripting                              2
CWE-843           Type Confusion                                    1
CWE-89            SQL Injection                                     2

Table: CWE Analysis of CISA KEVs Missed by Top Scanners

Relying solely on legacy detection and response tools, or on a basic vulnerability management program, is not an adequate defense. Organizations that continue with outdated scanners are especially vulnerable to ransomware. We therefore recommend that scanner users adopt a threat- and risk-based strategy rather than depending only on the scanner's results and severity ratings.
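What a threat- and risk-based ordering looks like in practice, next to the CVSS-only ordering it replaces, is easier to see in code. The following is an added example, not CSW's platform logic or code from the article; the tiering rules (KEV plus ransomware or an expired due date first, then any KEV or weaponized exploit, then criticals and unscored CVEs, then the rest) are one reasonable policy, and the findings are constructed with placeholder IDs of the form CVE-0000-000N so that no real vulnerability is mislabeled.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Finding:
    cve_id: str
    asset: str
    cvss: Optional[float]                 # None when the CVE has no published severity
    in_kev: bool = False                  # present in the CISA KEV catalog
    ransomware: bool = False              # tied to a known ransomware campaign
    exploit_public: bool = False          # weaponized exploit available (e.g. Metasploit)
    kev_due_date: Optional[date] = None   # BOD 22-01 remediation deadline


def priority_tier(f: Finding, today: date) -> int:
    """Lower is more urgent. Threat context outranks the CVSS number."""
    is_overdue = f.in_kev and f.kev_due_date is not None and f.kev_due_date < today
    if f.in_kev and (f.ransomware or is_overdue):
        return 0
    if f.in_kev or f.exploit_public:
        return 1
    if f.cvss is None or f.cvss >= 9.0:
        # An unscored CVE is unknown risk, not low risk: keep it with the criticals.
        return 2
    return 3


def rank_risk_based(findings, today):
    """Tier first, CVSS only as a tie-breaker inside a tier."""
    return sorted(findings, key=lambda f: (priority_tier(f, today), -(f.cvss or 0.0)))


def rank_by_cvss(findings):
    """The scanner-default ordering the article argues against; unscored sinks to the bottom."""
    return sorted(findings, key=lambda f: -(f.cvss or 0.0))


# Constructed findings (placeholder IDs, hypothetical attributes) for the example.
FINDINGS = [
    Finding("CVE-0000-0001", "vpn-gw-01", 6.5, in_kev=True, ransomware=True,
            kev_due_date=date(2022, 5, 3)),
    Finding("CVE-0000-0002", "web-01", 9.8),
    Finding("CVE-0000-0003", "nas-01", None, in_kev=True, kev_due_date=date(2023, 3, 1)),
    Finding("CVE-0000-0004", "router-01", 7.2, exploit_public=True),
    Finding("CVE-0000-0005", "printer-01", None),
    Finding("CVE-0000-0006", "db-01", 4.3),
]

TODAY = date(2023, 1, 23)  # the article's update date, used as "now"


def risk_ordered_ids(findings=FINDINGS, today=TODAY):
    return [f.cve_id for f in rank_risk_based(findings, today)]


def cvss_ordered_ids(findings=FINDINGS):
    return [f.cve_id for f in rank_by_cvss(findings)]


if __name__ == "__main__":
    print("risk-based:", risk_ordered_ids())
    print("cvss-only: ", cvss_ordered_ids())
```

The two orderings disagree exactly where it matters: the CVSS 6.5 KEV with a ransomware association comes first in the risk-based list but third in the CVSS list, and the two unscored CVEs (one of them a KEV) drop to the bottom of the CVSS list, which is the blind spot the article's six unrated KEVs would fall into.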

Affected Vendors 

We then examined the affected vendors and the products vulnerable to these KEVs missed by scanners and found 32 vendors affected. D-Link products account for the largest share, 11 of the 55 CVEs.

Vendor                 Count of CVEs
D-Link                 11
IBM                    4
Samsung                3
Tenda                  3
Netgear                2
Realtek                2
TIBCO                  2
Unraid                 2
WatchGuard             2
Alcatel                1
Amcrest                1
Arm                    1
Aviatrix               1
ChakraCore             1
Code Aurora            1
D-Link and TRENDnet    1
FatPipe                1
Hikvision              1
Kaseya                 1
LG                     1
Meta Platforms         1
Micro Focus            1
Mitel                  1
MongoDB                1
Owl Labs               1
Schneider Electric     1
SIMalliance            1
Sumavision             1
TP-Link                1
TVT                    1
Ubiquiti               1
Yealink                1
Zyxel                  1

Table: Vendors Affected by CISA KEVs Missed by Top Scanners


A Pentester's Viewpoint on Why Scanners Still Skip Known Bugs

The flawed practice of vulnerability scanners ranking findings by CVSS score rather than by risk is changing. Scanners have begun to factor in associations such as weaponization, malware, ransomware, and other threat trends. However, issues remain, such as the latency between a vulnerability's disclosure and its CVE assignment (and the plugin release that follows it). It is high time scanner vendors adopted risk- and threat-based approaches.

The reliability of a vulnerability scanner is determined by the testing procedures it employs and by how frequently its detection database is updated. With popular scanners such as Nessus, Nexpose, and Qualys missing critical vulnerabilities, users are blind to the fact that they remain exposed to attacks leveraging weaknesses their scanner cannot see.

It is essential that organizations know their inventory not just in terms of hardware and software but also in terms of infrastructure and third-party services. Likewise, organizations should not rely on a single scanner's results: continuous vulnerability scanning (VMaaS), Attack Surface Management (ASM), and a vulnerability intelligence feed from a security vendor together give a fuller picture of exposure and remediation priority. CSW provides all three solutions to its customers and has been helping them build cyber resilience against increasing cyber-attacks and evolving threats.
