Dive Brief:
- Reported CVEs have increased 183% since 2015 — growing from 6,487 to 17,305 CVEs in five years, according to Tenable's 2020 Threat Landscape Retrospective report published Thursday. Data was compiled based on government advisories and publicly available breach notifications.
- Directory traversal vulnerabilities have been known for decades, and Tenable expects more directory traversal flaws in 2021.
- Legacy vulnerabilities, including the Fortinet FortiOS SSL VPN Web Portal Information Disclosure flaw and the Citrix Application Delivery Controller (ADC) and Gateway flaw, are directory traversal vulnerabilities, which attackers use to traverse the directory tree "to access files outside of the parent folder," Tenable said. VPN flaws were among the most prominent CVEs in 2020.
Dive Insight:
Security professionals are responsible for distinguishing which vulnerabilities IT patches and which ones can wait. Making the distinction between severe and low-priority vulnerabilities is becoming more challenging.
This year, U.S. federal security agencies stepped up CVE-related advisories, which was "most glaring" to Satnam Narang, staff research engineer at Tenable. In October, the National Security Agency (NSA) issued guidance and mitigation measures for "publicly known vulnerabilities" targeted by China-based nation-state actors.
In the spring, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding well-known, unpatched VPN vulnerabilities. Malicious actors can still rely on dated flaws for their "operational tradecraft as long as they remain effective," CISA said.
While the NSA outlined the actors' preferences for zero-days and prominently named vulnerabilities, "it is the unpatched, legacy vulnerabilities that remain the biggest threat to most organizations," said Narang.
Legacy vulnerabilities, including directory traversal vulnerabilities, stem from "gaps in the secure software development life cycle," said Narang. "This could range from corners being cut to make an application work, or if they were genuinely missed during a code review," or from inadequate pentesting of the application before release.
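The directory traversal class Tenable and Narang describe is easy to miss in code review because the unsafe and safe versions look almost identical. The following is an added example, not code from Tenable or from the affected products; the document root path and function names are hypothetical. It shows a naive path join that lets "../" segments escape the web root beside a hardened resolver that decodes, normalizes and then enforces a strict prefix check.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root of a web portal (constructed for this example).
BASE_DIR = "/srv/webportal/public"


def unsafe_resolve(requested: str) -> str:
    """Vulnerable pattern: join the user-supplied path onto the root and
    hand it to the filesystem. "../" segments walk out of BASE_DIR."""
    return posixpath.normpath(posixpath.join(BASE_DIR, requested))


def safe_resolve(requested: str):
    """Hardened resolver. Returns the resolved path, or None if the request
    would land outside BASE_DIR. Works lexically so it runs offline; a real
    server would additionally realpath() the result to defeat symlinks."""
    # Decode twice so double-encoded sequences such as %252e%252e ("..")
    # are seen in their final form before any check runs.
    decoded = unquote(unquote(requested))
    # NUL bytes can truncate paths in lower layers; backslashes are
    # treated as separators on Windows. Reject both outright.
    if "\x00" in decoded or "\\" in decoded:
        return None
    # Strip a leading "/" so an absolute request cannot replace the root,
    # then collapse "." and ".." lexically.
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded.lstrip("/")))
    # Strict prefix check with a trailing separator, so a sibling such as
    # "/srv/webportal/public2" is not mistaken for the root.
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        return None
    return candidate


def resolve_requests(paths):
    """Helper for reviewers: map each request to (unsafe, safe) results."""
    return {p: (unsafe_resolve(p), safe_resolve(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample requests, including the classic traversal and
    # its single- and double-URL-encoded forms.
    for req, (bad, good) in resolve_requests([
        "css/site.css",
        "../../../etc/passwd",
        "%2e%2e/%2e%2e/%2e%2e/etc/passwd",
        "%252e%252e/etc/passwd",
    ]).items():
        print(f"{req!r:40} unsafe -> {bad!r:35} safe -> {good!r}")
```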
Remote desktop protocol (RDP) vulnerabilities saw a resurgence last year. Companies that rushed to remote work often treated security measures as an afterthought. RDP was already favored by cybercriminals, including the SamSam ransomware gang, said Narang. "However, RDP has and will always remain one of the key security challenges for organizations, irrespective of the shift towards remote work."
Still, companies are missing patches for widely adopted tools. Tenable said not to ignore "nameless" vulnerabilities, meaning those not yet assigned a classification or identifier. Based on proof-of-concept code, exploitation status, and potential impact, Tenable outlined 2020 vulnerabilities of note, including Microsoft Curveball/CryptoAPI, Ghostcat, CallStranger, SAP RECON, and Ripple20.
It is fairly uncommon for CVEs to go "right into exploitation in the wild," according to research from Kenna Security and Cyentia Institute. Instead, 47% of vulnerabilities begin with patch releases.
A risk management approach to vulnerability hunting "takes into account not just the [Common Vulnerability Scoring System] score of a given flaw but also whether there is publicly available exploit code that is being used in the wild," said Narang.