October 2020: Patch Watch Digest
Posted on 23rd Nov, 2020 | By Pavithra Shankar
In this digest, we bring you the overall list of vulnerabilities & weaknesses that were fixed in October.
- CISA has issued alerts for 47 vulnerabilities.
- Out of 1159 vulnerabilities, 65 CVEs were associated with known exploits.
- Patches for 246 old vulnerabilities have been released.
- Top 25 CVEs Exploited by Chinese Sponsored Hackers.
- Microsoft has published patches for 87 vulnerabilities.
- Oracle has released 402 bug fixes in the year’s final batch update.
In the October edition, we have a total of 65 CVEs that were correlated with known exploits. Out of these 65 CVEs, 26 are RCE bugs, which are not only critical but also easily exploitable. We found 16 CVEs linked with web app exploits, which are systematically targeted by attackers.
Table 1: Weaponized Vulnerabilities
Among the 47 CISA alerts, 25 were issued for the Top 25 vulnerabilities that are being exploited by Chinese-sponsored hackers. Our analysis found that:
- 13 CVEs are rated critical, 14 are high severity, 18 are medium, and 2 are low severity.
- 6 CVEs were associated with APT Groups.
- 4 CVEs were mapped to 21 ransomware families.
- 20 CVEs are known to be weaponized vulnerabilities.
Table 2: CISA Alerts
As of October, patches for 246 old vulnerabilities (ranging from 2010 to 2019) have been released. CVE-2010-2544, CVE-2010-3272, and CVE-2010-1922 are the oldest vulnerabilities that were patched by Check Point. Interestingly, these three vulnerabilities are associated with WEBAPP exploits, with CVSS V3 scores of 4.3 and 7.5.
Table 3: Old Vulnerabilities
Failing to fix old vulnerabilities that are more than a year old will definitely put your organization at higher risk.
Microsoft has released patches for 87 vulnerabilities, including the wormable TCP/IP RCE bug. Of the October Patch Tuesday vulnerabilities now fixed, 6 CVEs were previously known to be publicly exploitable. Of the 87 CVEs in total, 11 were rated critical, 75 are high, and one is of medium severity.
Oracle plugged 402 security bugs with 2020's last batch patch update. We found that out of 402 vulnerabilities, 82 CVEs are rated critical, of which two have a CVSS V3 score of 10, and 65 CVEs have CVSS V3 scores between 9.4 and 9.8.
Our security researchers analyzed these findings and have many insights to share. Click here to know more about these vulnerabilities. Out of the 25 CVEs that are targeted by Chinese-sponsored hackers (APT41 Group):
- 18 CVEs have known exploits
- 21 CVEs rank under the Top 25 Common Weakness Enumeration (CWE)
- 1 CVE is associated with Lazarus Malware
- 4 CVEs are associated with 21 ransomware families
- 12 CVEs with RCE capabilities
- 3 CVEs with Privilege Execution
- 6 CVEs are associated with APT Groups
Significantly, CSW called out vulnerabilities CVE-2019-19781 and CVE-2019-11510 in our Cyber Risk in Remote Desktop and Cyber Risk in VPN, and warned about their association with REvil and Sodinokibi ransomware.
The following vulnerabilities are waiting to be weaponized, so patching them today would be optimal for cyber hygiene.
Table 4: Vulnerabilities Yet to be Weaponized
We recommend that organizations place an increased priority on patching the vulnerabilities that are being exploited routinely. Watch this space for more information and subscribe to our monthly digest to prioritize your patches.