That critical vulnerability might not be the first you should patch

Startup Rezilion suggests enterprises should change prioritization strategies

Enterprise security teams being overrun by the rising numbers of vulnerabilities uncovered each day could vastly reduce their patching workload by changing how they prioritize the flaws, according to recent research from vulnerability startup Rezilion.

Most enterprises take their cue from the Common Vulnerability Scoring System (CVSS), which scores each flaw from 0 to 10 (10 being the most severe) and groups those scores into low, medium, high and critical bands according to the characteristics of the vulnerability. The base score rates the flaw in the abstract; it says nothing about whether the vulnerable code is actually reachable in a particular deployment.

Companies will start their remediation efforts with the vulnerabilities deemed "critical" and work their way down, said Yotam Perkal, director of vulnerability research with Rezilion.

The problem is that for many enterprises, most of those flaws don't pose a threat to them. In a study released this week, Rezilion found that about 85 percent of the vulnerabilities present in the images it examined were never loaded into memory, Perkal told The Register.

"If a vulnerability isn't loaded, then it's not really exploitable," he said. "If the code is not running, if you have a package that is installed on your machine but that package isn't being used by any application, then any vulnerability you have in this package is not really exploitable because you need to have something running, something loaded from memory so that it can be exploitable."
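As an added, runnable illustration of the "loaded into memory" test Perkal describes (this is not Rezilion's code; the article does not say how its platform gathers runtime evidence), the Python below takes the evidence a Linux host actually exposes, /proc/<pid>/maps, attributes each file-backed mapping to the package that owns it using an index that stands in for dpkg -S or rpm -qf output, and splits a scanner's findings into "loaded" and "installed but not loaded" buckets. The maps excerpt, the package index and the findings are all constructed, and the CVE identifiers are placeholders, not real CVEs:

```python
"""Bucket scanner findings by whether the vulnerable package is actually loaded in memory.
Added example, not Rezilion's code. Runtime evidence is Linux /proc/<pid>/maps; the
file->package index stands in for `dpkg -S` / `rpm -qf`. All sample data is constructed
and the CVE identifiers are placeholders, not real CVEs."""
import glob
import re

# Constructed /proc/<pid>/maps excerpt (fields: address perms offset dev inode pathname).
# "(deleted)" means the file was replaced or removed on disk while still mapped: a patch
# has landed, but the old code is still running.
SAMPLE_MAPS = """\
55d0e0000000-55d0e0100000 r-xp 00000000 08:01 9999 /usr/sbin/nginx
7f3a1c200000-7f3a1c222000 r--p 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f3a1c222000-7f3a1c3a0000 r-xp 00022000 08:01 1234 /usr/lib/x86_64-linux-gnu/libssl.so.3
7f3a1c400000-7f3a1c420000 r--p 00000000 08:01 5678 /usr/lib/x86_64-linux-gnu/libz.so.1.2.13
7f3a1d000000-7f3a1d010000 rw-p 00000000 00:00 0
7f3a1d100000-7f3a1d110000 r--p 00000000 08:01 4321 /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.14 (deleted)
7ffd12345000-7ffd12366000 rw-p 00000000 00:00 0 [stack]
7ffd123aa000-7ffd123ac000 r-xp 00000000 00:00 0 [vdso]
"""

# Constructed file -> owning package index (what `dpkg -S <path>` would answer).
PACKAGE_OF_FILE = {
    "/usr/sbin/nginx": "nginx",
    "/usr/lib/x86_64-linux-gnu/libssl.so.3": "libssl3",
    "/usr/lib/x86_64-linux-gnu/libz.so.1.2.13": "zlib1g",
    "/usr/lib/x86_64-linux-gnu/libxml2.so.2.9.14": "libxml2",
    "/usr/lib/x86_64-linux-gnu/libcurl.so.4.8.0": "libcurl4",
    "/usr/bin/curl": "curl",
}

# Constructed scanner output: (placeholder CVE id, affected package, CVSS base score).
SAMPLE_FINDINGS = [
    ("CVE-0000-0001", "libcurl4", 9.8),
    ("CVE-0000-0002", "libssl3", 7.5),
    ("CVE-0000-0003", "zlib1g", 5.3),
    ("CVE-0000-0004", "libxml2", 8.1),
    ("CVE-0000-0005", "curl", 6.5),
]

MAPS_LINE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s*(.*)$")


def parse_proc_maps(text):
    """Return {path: stale} for each file-backed mapping in one maps dump; anonymous
    mappings and pseudo-paths ([stack], [vdso]) are skipped."""
    loaded = {}
    for line in text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        path = m.group(1).strip()
        stale = path.endswith(" (deleted)")
        if stale:
            path = path[: -len(" (deleted)")]
        if path.startswith("/"):
            loaded[path] = loaded.get(path, False) or stale
    return loaded


def live_loaded_paths():
    """Same for a live Linux host: union of every readable /proc/<pid>/maps (run as
    root to see other users' processes; pids that vanish or deny access are skipped)."""
    loaded = {}
    for maps in glob.glob("/proc/[0-9]*/maps"):
        try:
            with open(maps) as fh:
                for path, stale in parse_proc_maps(fh.read()).items():
                    loaded[path] = loaded.get(path, False) or stale
        except OSError:
            continue
    return loaded


def prioritize(findings, loaded_paths, package_of_file):
    """Split findings by runtime reachability instead of raw CVSS:
    loaded      CVEs in packages with code mapped into a process, CVSS-descending
    not_loaded  installed-but-idle CVEs: patch later, or remove the package
    stale       packages already updated on disk whose old code is still mapped
    unpackaged  mapped files no package owns, i.e. an inventory gap, not a clean result"""
    loaded_pkgs, stale_pkgs, unpackaged = set(), set(), []
    for path, stale in loaded_paths.items():
        pkg = package_of_file.get(path)
        if pkg is None:
            unpackaged.append(path)
            continue
        loaded_pkgs.add(pkg)
        if stale:
            stale_pkgs.add(pkg)
    by_score = sorted(findings, key=lambda f: f[2], reverse=True)
    return {
        "loaded": [f for f in by_score if f[1] in loaded_pkgs],
        "not_loaded": [f for f in by_score if f[1] not in loaded_pkgs],
        "stale": sorted(stale_pkgs),
        "unpackaged": sorted(unpackaged),
    }


if __name__ == "__main__":
    for bucket, items in prioritize(SAMPLE_FINDINGS, parse_proc_maps(SAMPLE_MAPS), PACKAGE_OF_FILE).items():
        print(f"{bucket}: {items}")
```

On the sample data the 9.8 finding in libcurl4 lands in not_loaded while a 5.3 in zlib1g lands in loaded, which is the reordering the article argues for. Two extra buckets carry the caveats the critics quoted later in the piece raise: stale lists packages whose updated file is on disk but whose old code is still mapped (the patch does nothing until the process restarts), and unpackaged lists mapped files no package claims, so the result is only as good as the inventory behind it. A maps snapshot is also a point-in-time view: a package idle now can be started later, so the check has to be repeated or fed from continuous monitoring rather than run once.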

Rezilion, which was founded in 2018 and has raised $38 million in two funding rounds – including $30 million in September 2021 – sells an automated software attack surface management platform that helps organizations reduce and mitigate software flaws across cloud workloads, applications and Internet of Things (IoT) devices.

In the study, Rezilion researchers examined 20 popular container images on Docker Hub that they said collectively had been downloaded and deployed billions of times. Those images included MariaDB, WordPress, Memcached, MongoDB, Nginx and MySQL.

In addition, they looked at base operating system images from cloud providers Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform to determine how many vulnerabilities aren't applicable and which posed an actual risk.

According to Rezilion, the 21 container images analyzed carried more than 4,347 known vulnerabilities between them, yet runtime testing found that, on average, only about 15 percent of those Common Vulnerabilities and Exposures (CVEs) were actually loaded into memory and so posed a threat.

The researchers also found 6,167 known vulnerabilities in the 12 base OS images analyzed, of which 20 percent were loaded to memory.

Do you know what your org is running?

"It is clear from the analysis that 85 percent of all the discovered vulnerabilities in containers and hosts were never loaded to memory and therefore, were not exploitable," they wrote in the report. "If traditional vulnerability management approaches were used, one would spend upward of 85 percent of patching time and efforts on vulnerabilities that posed no actual risk to the environment."

Perkal said he knows what that looks like. He spent more than three years at PayPal as part of its vulnerability management team. He said the processes were mostly manual and the team didn't have time to patch everything. In addition, he added, patching isn't always a uniform or quick process. The type of vulnerability will often dictate how long mitigation will take – some can take months – and in some cases require system downtime, he said.

"Organizations have limited resources and limited capacity to deal with vulnerability management and patch management," Perkal said. "The number of vulnerabilities that are discovered and disclosed is constantly on the rise year by year. The amount of code that they've been reading is constantly rising and that is in direct relation to the amount of vulnerabilities. As long as people write code, there will be vulnerabilities, and organizations just don't keep up."

It becomes an issue of math, he said.

"If you have 1,000 vulnerabilities, focus on the 200 that are actually loaded to memory," Perkal said. "Start with those, then if you have additional time and additional resources, deal with the rest, but at least start focusing on the ones that actually pose a threat, that actually matter."

The research from Rezilion, which has almost 70 employees, has attracted some critical pushback from others in the industry. Mike Parkin, senior technical engineer at Vulcan Cyber, told The Register that the startup's research is interesting but opined it might not accurately reflect the risk enterprises are dealing with.

"While it is certainly true that many vulnerabilities won't be found in any given environment, arbitrarily saying that you can ignore 85 percent of them is misleading," Parkin said. "It ignores the fact that mature organizations have a risk management process that helps them focus on the vulnerabilities that matter in their context. They may justifiably put a lower priority on the ones that are only rarely resident, and thus exploitable."

However, best practice is to delete what they don't use and patch what they do, he added.

In addition, most organizations can't describe with any authority their entire server inventory, John Bambenek, principal threat researcher for Netenrich, told The Register. They can't say what parts of what software applications are loaded into memory.

"There are still Log4j-vulnerable machines out there," Bambenek said. "A 'don't worry about patching' message ensures that incident responders like myself won't be empowered by technology. However, we'll continue to be enriched by it."

Perkal said that enterprises not knowing everything that is in their IT environment is a problem, but one that Rezilion's platform addresses. It has vulnerability validation and remediation capabilities and this month added Dynamic SBOM (software bill of materials) to help organizations map their software and vulnerabilities and improve the visibility into their attack surface.

Enterprises' lack of knowledge of their environment "is a big problem. We saw that with Log4j," he said. "If you don't know what's there, you don't know that you need to patch it. There's a step before we talk about prioritization. It is knowing what you have. This is something that the Rezilion product does."

Andrew Hay, COO at security consultancy Lares Consulting, noted Rezilion's runtime analysis and Dynamic SBOM but added that "the simple fact that vulnerable software is installed, even if not running, still presents a risk."

"This vulnerable software could be launched by mistake and immediately be elevated to high risk," Hay told The Register. "The best way to reduce the attack surface area of a system is to remove software that isn't required by the system to perform its designated task."

However, the feedback that Rezilion is getting from partners – such as AWS, GitLab, Docker and Tenable – and customers has been positive, Perkal said.

"The reality is that people and organizations live in a constant risk-management scenario," he said. "They don't patch everything. They have open vulnerabilities that they don't have the manpower or the tooling to hold with SLA, so most customers that we're talking with are appreciative of the fact that they can better use their existing resources, tools and budgets to focus on vulnerabilities that are more relevant to them."®


Biting the hand that feeds IT © 1998–2022