However you flip the number of recorded vulnerabilities in a given year, the number is at once humbling and noteworthy. We know that both actions – remediating all vulnerabilities and prioritizing a high-severity security flaw in a little-used, low-value system over a medium-severity security hole in a mission-critical system – leave your company’s most important assets exposed. While scanners and management tools are important, traditional methods of scoring or rating vulnerabilities are ineffective.
Bottom line: Vulnerability remediation has to remain the most important part of protecting and securing your organization.
2018 has seen a number of very serious and public vulnerabilities, some of which had far-reaching and devastating consequences. Here are a few of the most serious ones.
Meltdown and Spectre
These two vulnerabilities, disclosed at approximately the same time, use side-channel attacks to steal data stored in memory. Meltdown enables an attacker to access data stored in the Operating System’s memory and the memory of running programs, and Spectre tricks software into revealing its secrets.
With the vulnerabilities existing in almost every modern computer chip, patches against Meltdown were created for Linux, Windows, and OSX; and work is underway to secure hardware against Spectre. Some patches were developed, but systems might slow down by up to 30% as a result. This has discouraged many from implementing those patches.
Extremely vulnerable from a technical perspective, they have not yet been exploited ‘in the wild.’ Still, Meltdown and Spectre are noteworthy as a precedent to vulnerabilities found in hardware, spurring the wave of searching for other vulnerabilities in hardware components. This brings about an entirely new dimension of the notion of risk in public vulnerabilities.
Linux Kernel Vulnerability
Published in the National Vulnerability Database in September 2018, this vulnerability affects Linux kernel versions 3.16 to 4.18.8 and enables an attacker to gain root privileges. The vulnerability is present in Linux kernels that have not been configured to increase security. However, within two days of reporting it, a patch was developed for most flavors of Linux (aside from Debian, Ubuntu, and Android).
According to Jann Horn, the security researcher who found this vulnerability, there is “…a window of exposure between the time an upstream fix is published and the time the fix actually becomes available to users – and this time window is sufficiently large that a kernel exploit could be written by an attacker in the meantime.”
OpenSSH has a serious vulnerability affecting every single version going back twenty years. The bug enables attackers to guess usernames registered on an OpenSSH server and then use brute-force and dictionary attacks to guess the user’s password. The impact of this vulnerability is massive.
An August 2018 article in Bleeping Computer magazine asserts that “Because of OpenSSH’s huge install base, the bug is ideal for both attacks on high-value targets, but also in mass-exploitation scenarios.” Patches were developed and distributed for various Linux distributions, and the vulnerability can be mitigated if you use an alternative to OpenSSH for logging into remote devices, or by disabling OpenSSH’s public key authentication.
Microsoft Zero Day: Local Privilege Escalation
This is a serious vulnerability in the Microsoft Windows operating system, affecting Windows 7 through Windows 10. An attacker can exploit Windows when it improperly handles Advanced Local Procedure Calls (ALPC). Doing so enables an attacker to gain local privileges in the target computer and perform all actions with full user rights.
What is particularly concerning is that this vulnerability was almost immediately exploited when Proof of Concept code for this attack was published in a GitHub repository. A patch was developed quite quickly, although hackers wasted no time. According to Sensors Tech Forum, the total number of systems affected was small, but the reach of the attack was global “The list of infected countries includes Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States and Ukraine.”
Apache Struts is an open source framework for developing web applications. In August 2018, a security researcher disclosed a vulnerability in Apache Struts 2 that enables an attacker to run malicious code on target servers. An article in Dark Reading claims that this vulnerability is even more severe than the Apache Struts exploit attackers used to compromise Equifax earlier in the year: “[The vulnerability] operates at a far deeper level within the code, which in turn requires a deeper understanding of not only the Struts code itself but the various libraries used by Struts.”
Patches against this remote code execution hack were developed, but exploits are already in the wild. Because Apache Struts requires manual updating, failing to apply the patch will leave the system exposed. The concern is that it could be Equifax all over again.
A very popular jQuery plugin for uploading files to websites contains a serious vulnerability that enables an attacker to upload and execute code on a website. Identified in October 2018, the jQuery bug affects all versions of the jQuery File Upload tool. Not only is this tool used all over the Internet, but there are 7,828 forks of this tool, meaning it is virtually impossible to get the fix out to every instance.
An article in The Register explains that “The flaw stems from a change to the Apache web server, from version 2.3.9 and onwards, that disabled support for .htaccess security configuration files, which left projects like jQuery File Upload open to exploitation.” This is an unfortunate example of changes made to the underlying infrastructure that have unintended and serious security consequences.
With our cyber risk hats, the question that we continually ask ourselves is what’s the true impact of this vulnerability on my digital assets. To lower cyber risk with better vulnerability management, our priority has to continue to be to ensure optimal scan coverage while continually assessing and maintaining a constantly-updated software inventory, – all while understanding which assets are most critical; we must continue to look beyond traditional approaches like patch management as 2018 comes to a close.