Dive Brief:
- Of the roughly 13,000 vulnerabilities reported in 2021 so far, 20% are considered high severity, according to research from Trustwave SpiderLabs released Wednesday. Last year broke records, with the number of reported vulnerabilities exceeding 18,300.
- With cloud-based technologies, bad actors rush to scan the internet for exposed systems whenever an exploit for a vulnerability is released. SpiderLabs observed that more than half of servers had weak security postures, even though security updates were available.
- Researchers collected telemetry using Shodan, a search tool for internet-connected devices, to find available internet-facing targets. The top high-profile vulnerabilities affected services including Microsoft Exchange Server, Apache Tomcat, QNAP NAS and VMware vCenter, which showed minimal improvement in the number of vulnerable instances after weeks. Instances were counted based on application exploitability.
Dive Insight:
Patching remains a difficult task for companies, even those with the necessary security resources. With business continuity already challenged by COVID-19, patches that interfere with business productivity became harder for security teams to carry out.
"Patching may require critical systems to be taken offline for a period of time, which requires scheduling and coordination," said Karl Sigler, senior security research manager at Trustwave SpiderLabs.
Even when security operations run smoothly, with patches scheduled, clear communication among teams and a real-time inventory of internet-facing devices, patches still need a period of testing before deployment. But "if you add in resource and budget issues, lack of proper documentation, server sprawl … you can see why a lot of organizations simply don't or can't patch in a timely fashion," he said.
With more cloud-based technologies supporting workloads, Sigler expects to see more vulnerabilities in these environments. It's not a far-off assumption — research from Palo Alto Networks Unit 42 found bad actors leaping from cloud misconfigurations to software development.
Beyond the timeliness of patching is the issue of end-of-life technology: solutions so outdated that vendors no longer provide maintenance updates. More than one-third of Apache Tomcat installs run version 8.5.x, the lowest version still supported. Still, about 41% of instances found on Shodan ran versions below 8.5, which are end of life.
"It's bad enough that organizations are not applying patches, but to ignore upgrades to the point that your software is no longer receiving patches is an entirely new level of irresponsibility," Sigler said.
While the pandemic ushered in greater threats in the remote work landscape, it in turn put the spotlight on cybersecurity. It's possible that the increase in reported vulnerabilities was a byproduct of more astute security. "Work from home affects security in several ways, and I think as a result, we've had more time for vulnerability research," Sigler said.
As recently as this month, threat actors have been exploiting ProxyShell, the Microsoft Exchange vulnerability chain. Researchers found that the number of instances vulnerable to ProxyShell decreased by only 0.26% between Aug. 16 and Aug. 31, 2021.
Three ProxyShell vulnerabilities — CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 — were disclosed and patches were made available this year. But as of Aug. 31, Shodan showed about 45,000 instances vulnerable to ProxyShell exploitation.
Of those instances, 1,954 are RDP-enabled, 448 have SMBv1 enabled on the internet, and 182 have both, SpiderLabs found. Sophisticated threat groups, like Conti ransomware affiliates, are now capitalizing on available ProxyShell targets.
"Any software that is critical to operations, like a mail server, and is also massively popular, like Microsoft, will be under the security microscope. This isn't the first round of Microsoft Exchange zero-day vulnerabilities, nor will it be the last," Sigler said.