
Top Scanners Fail to Flag DHS CISA-warned Known Exploited Vulnerabilities (KEV)

Posted on Mar 2, 2022 | Updated on May 19, 2022 | By Pavithra Shankar

Did you know that 46 actively exploited vulnerabilities in the CISA KEV catalog are not detected by popular scanners?

Security teams rely on vulnerability scanners to scan their network, systems, and assets for vulnerabilities. When the same scanners fail to detect critical vulnerabilities, organizations are exposed to risks and threats that could have been prevented.

On November 3, 2021, the Department of Homeland Security's CISA published a directive to reduce the significant risk posed by exploited vulnerabilities. Since then, CISA has maintained a catalog of known exploited vulnerabilities that is updated multiple times a week. Because previously exploited vulnerabilities are a common vector for malicious cyber actors, CISA treats these vulnerabilities as the most serious threats and requires that they be promptly remediated.

We looked into the catalog and found that 46 actively exploited CVEs were missed by top scanners such as Nessus, Nexpose, and Qualys.

Vulnerabilities missed by Scanners

We examined the vulnerabilities missed by top scanners and found that organizations that depend on these scanners to have their back are at a huge disadvantage:

  • Of a total of 663 KEVs, 207 CVEs were missed by Nexpose, 110 CVEs by Nessus, and 72 by Qualys.
  • 46 vulnerabilities are missed by all three scanners, a worrying finding for organizations.
    • Seven of these vulnerabilities are RCE/PE bugs.
    • Three of these vulnerabilities are tied to four ransomware strains.
    • One of them is being used by an APT group.
  • The severity scores of these vulnerabilities break down as follows:
    • 30 are rated critical
    • 12 are rated high
    • 3 are rated medium
    • 1 CVE is rated low severity
  • 30 (out of 46) vulnerabilities get a high rating in our Threat Intelligence Platform, indicating a higher probability of exploitation based on the intense interest in hacker channels.

The fact that scanners are not detecting these vulnerabilities should be a cause of concern for organizations and their security teams who need to rethink their scanning strategy.
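The gap analysis described above can be reproduced by any security team with the CISA feed and an export of the CVEs each scanner claims to detect. The script below is an added example, not code from the original post or from CSW: it parses a catalog in the shape of CISA's JSON feed (published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), subtracts each scanner's coverage set, intersects the results to find the KEVs no scanner detects, and breaks those down by vendor and by CVE year to show how old they are. The catalog excerpt and the three scanner coverage sets are constructed sample data; CVE-2021-36260 is the one identifier the post itself names, the other IDs are placeholders.

```python
"""Cross-reference the CISA KEV catalog against what each scanner can detect.

Added example (not code from the original post or from CSW). The field names
match the real CISA feed; the entries and the scanner coverage sets below are
constructed for illustration. A real run would load the live feed and the CVE
list from each scanner's plugin/QID export.
"""
import json
from collections import Counter

# Constructed KEV-shaped sample (CVE-2021-36260 is named in the post; the
# other IDs are placeholders, not real CVEs).
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "catalogVersion": "sample",
    "count": 5,
    "vulnerabilities": [
        {"cveID": "CVE-2021-36260", "vendorProject": "Hikvision",
         "product": "Security cameras web server", "dateAdded": "2022-01-10"},
        {"cveID": "CVE-2007-00001", "vendorProject": "ExampleVendorA",
         "product": "Router", "dateAdded": "2021-11-03"},
        {"cveID": "CVE-2015-00002", "vendorProject": "ExampleVendorB",
         "product": "NAS", "dateAdded": "2021-12-01"},
        {"cveID": "CVE-2019-00003", "vendorProject": "ExampleVendorA",
         "product": "Switch", "dateAdded": "2022-02-15"},
        {"cveID": "CVE-2021-00004", "vendorProject": "ExampleVendorC",
         "product": "CMS", "dateAdded": "2022-02-20"},
    ],
})

# Constructed: the CVE IDs each hypothetical scanner has a detection for.
SAMPLE_SCANNER_COVERAGE = {
    "scanner_a": {"CVE-2021-36260", "CVE-2015-00002", "CVE-2019-00003", "CVE-2021-00004"},
    "scanner_b": {"CVE-2021-36260", "CVE-2019-00003"},
    "scanner_c": {"CVE-2015-00002", "CVE-2019-00003", "CVE-2021-00004"},
}


def load_kev(kev_json):
    """Parse the KEV feed and return a {cveID: entry} mapping."""
    data = json.loads(kev_json)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def coverage_gap(kev, scanner_coverage):
    """Return (per-scanner missed KEV sets, KEVs missed by every scanner)."""
    kev_ids = set(kev)
    per_scanner = {name: kev_ids - covered for name, covered in scanner_coverage.items()}
    missed_by_all = set.intersection(*per_scanner.values()) if per_scanner else set()
    return per_scanner, missed_by_all


def summarize(kev, cve_ids):
    """Break a set of KEV CVEs down by vendor and by CVE year (age of the bug)."""
    by_vendor = Counter(kev[c]["vendorProject"] for c in cve_ids)
    by_year = Counter(int(c.split("-")[1]) for c in cve_ids)
    return by_vendor, by_year


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    per_scanner, missed_by_all = coverage_gap(kev, SAMPLE_SCANNER_COVERAGE)
    for name, missed in sorted(per_scanner.items()):
        print(f"{name}: misses {len(missed)} of {len(kev)} KEVs -> {sorted(missed)}")
    print("missed by every scanner:", sorted(missed_by_all))
    by_vendor, by_year = summarize(kev, missed_by_all)
    print("by vendor:", dict(by_vendor), "| by CVE year:", dict(by_year))
```

With the constructed data, the one KEV that no scanner covers is the 2007-era router bug, which mirrors the post's finding that the blind spots are mostly old vulnerabilities. Swapping the sample sets for real scanner exports turns this into a recurring check that can run every time the CISA catalog changes.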

Trending in Google

According to Google search interest, 23 CVEs (out of 43 KEVs missed by scanners) have been trending in the past 30 days. We also spotted hackers briefly discussing the release of exploits for some of these CVEs on the Metasploit forum. The following is an example of a hacker's public discussion on CVE-2021-36260.

Hackers' keen interest in publishing exploits, malware targets, and attack types generates a large volume of Google searches.

This also makes these 46 vulnerabilities dangerous for organizations, which remain unaware of their exposure.

Old Vulnerabilities

43 (out of 46) vulnerabilities that the scanners are not detecting are old weaknesses, discovered between 2007 and 2021.

Vulnerability scanners are designed to uncover vulnerabilities within a target by comparing it against a database of known vulnerabilities. Despite multiple CISA warnings, these popular scanners continue to operate with outdated databases, exposing critical assets.

The question is this: if all these DHS CISA-warned KEVs are known, old vulnerabilities, why do the scanners still skip them?

These false-negative scanner outcomes, combined with the long disclosure timeline of the vulnerabilities, give threat actors an easy advantage: they can find exploits, eventually leading up to ransomware attacks against organizations.

Common Weaknesses Enumeration Analysis

Upon analyzing the code weaknesses, we found that 80% of the known exploited vulnerabilities missed by the scanners came under the MITRE’s 2021 CWE Top 40 Most Dangerous Software Weaknesses.

  • With 20% of the CVEs, CWE-78 (Improper Neutralization of Special Elements used in an OS Command) is the most exploited weakness among the KEVs overlooked by scanners. CWE-78 ranks fifth on the list of most dangerous software weaknesses.

  • CWE-77 (Improper Neutralization of Special Elements used in a Command), another entry on the most dangerous software weaknesses list, accounted for 7% of the vulnerabilities missed by the scanners.

  • 17% of the KEVs with critical and high severity ratings do not have a specific CWE identifier assigned to them.

  • 26% of the KEVs skipped by the scanners are categorized under the OWASP Top 10:2021.

CWE ID               KEVs Missed by Top Scanners   OWASP Ranking [2021]   MITRE Ranking [2021]
CWE-20               1                             A03                    4
CWE-200              1                             A01                    20
CWE-20|CWE-77        1                             A03|A03                4|25
CWE-22               2                             A01                    8
CWE-269              1                             A04                    29
CWE-284              1                             A01
CWE-287              2                             A07                    14
CWE-287|CWE-697      1                             A07|                   14|
CWE-425              1                             A01
CWE-434              2                             A04                    10
CWE-77               2                             A03                    25
CWE-77|CWE-787       1                             A03|                   25|1
CWE-78               9                             A03                    5
CWE-787              2                                                    1
CWE-787|CWE-121      1                                                    1
CWE-79               1                             A03                    2
CWE-843              1                                                    36
CWE-863              1                             A01                    38
CWE-863|38|          1                             A01|A01
CWE-863|CWE-284      1                             A01|A01                38|
CWE-89               1                             A03                    6
CWE-94|CWE-668       1                             A03|A01                28|
N/A                  8

Table: CWE Analysis of CISA KEVs Missed by Top Scanners

Relying solely on legacy detection and response tools, or on a basic vulnerability management program, is not an adequate defense. Organizations that continue with outdated scanner systems are especially vulnerable to ransomware threats. Therefore, we recommend that scanner users adopt a threat- and risk-based strategy rather than depending only on the scanner's results and severity ratings.
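What a "threat- and risk-based" ordering looks like in practice, compared with sorting by severity rating alone, is shown by the added example below. It is not code from the original post or from CSW: the findings and their threat signals (KEV membership, public exploit, ransomware association, RCE/PE, internet exposure) are constructed placeholders, and the weights are illustrative assumptions rather than a published standard. In a real pipeline the KEV flag comes from the CISA catalog and the other signals from a threat intelligence feed and the asset inventory.

```python
"""Rank vulnerability findings by threat context instead of CVSS severity alone.

Added example (not code from the original post or from CSW). The weights and
the sample findings are constructed for illustration.
"""
from dataclasses import dataclass

# Qualitative CVSS rating as the scanner reports it, mapped to a rank.
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


@dataclass(frozen=True)
class Finding:
    cve_id: str
    severity: str                 # scanner's CVSS qualitative rating
    in_kev: bool = False          # listed in the CISA KEV catalog
    public_exploit: bool = False  # exploit code publicly available
    ransomware_linked: bool = False
    rce_or_pe: bool = False       # remote code execution or privilege escalation
    internet_facing: bool = False  # asset exposure, from the inventory


def risk_score(f):
    """Weighted score: evidence of exploitation dominates, severity is the tiebreak.

    Weights are illustrative assumptions, not a published standard.
    """
    score = SEVERITY_RANK[f.severity]       # 1..4
    if f.in_kev:
        score += 10                         # proven exploitation in the wild
    if f.ransomware_linked:
        score += 8
    if f.public_exploit:
        score += 5
    if f.rce_or_pe:
        score += 3
    if f.internet_facing:
        score += 3
    return score


def prioritize(findings):
    """Order findings by descending risk score, with severity as the tiebreak."""
    return sorted(findings,
                  key=lambda f: (risk_score(f), SEVERITY_RANK[f.severity]),
                  reverse=True)


def severity_only(findings):
    """The legacy ordering the post warns against: severity rating alone."""
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity], reverse=True)


# Constructed findings; the CVE IDs are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("CVE-2021-00001", "critical"),
    Finding("CVE-2018-00002", "medium", in_kev=True, ransomware_linked=True,
            rce_or_pe=True, internet_facing=True),
    Finding("CVE-2020-00003", "high", public_exploit=True),
    Finding("CVE-2019-00004", "low", in_kev=True),
]


if __name__ == "__main__":
    print("severity only :", [f.cve_id for f in severity_only(SAMPLE_FINDINGS)])
    print("risk based    :", [(f.cve_id, risk_score(f)) for f in prioritize(SAMPLE_FINDINGS)])
```

The medium-rated KEV that is ransomware-linked, remotely exploitable and internet-facing moves to the top of the queue, while the critical-rated CVE with no exploitation evidence drops to the bottom; sorting by severity alone would patch them in the opposite order.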

Affected Vendors 

We then examined the affected vendors and the products vulnerable to these KEVs missed by scanners and found a total of 34 vendors affected by these CVEs. Further, we observed that 15% of the CVEs impact D-Link products.

Table: CISA KEVs Missed by Top Scanners


A Pentester's Viewpoint on Why Scanners Still Skip Known Bugs

The flawed trend of vulnerability scanners relying on CVSS scores rather than a risk-based approach is changing now. Scanners have begun focusing on associations such as weaponization, malware, ransomware, and other trends. However, there are still issues that need to be addressed, such as CVE assignment latency. It is high time for scanner owners to adopt risk- and threat-based approaches to managing their cyberspace.

The reliability of a vulnerability scanner is determined by the testing procedures it employs as well as the frequency with which its crawling algorithm is updated. With popular scanners such as Nessus, Nexpose, and Qualys missing critical vulnerabilities, users are blind to the fact that they are unknowingly exposed to cyber attacks leveraging these concealed weaknesses.

It is essential that organizations be aware of their inventory not just in terms of hardware and software, but also in terms of infrastructure and third-party services. Likewise, organizations need to rely on continuous vulnerability scanning solutions (VMaaS), Attack Surface Management (ASM), and security companies that offer a vulnerability intelligence feed to gather information on vulnerability detection and remediation. CSW provides all three key solutions to its customers and has been helping them gain cyber resilience against increasing instances of cyber-attacks and evolving threats.
