Ed Bellis of Kenna Security describes the top cyber security vulnerabilities of the decade ending in 2020.
Today’s enterprise security teams have tens of thousands to many millions of vulnerabilities to remediate. However it’s impossible to tackle them all. Organisations need to understand and recognise their company’s risk posture relative to the pool of vulnerability and threat data that exists. Security and IT teams don’t have the time to battle all the vulnerabilities, but it’s about choosing the right fires to put out - those that pose the highest risk to the business.
By using risk-based vulnerability management, security teams can accurately pinpoint the actions that will be most effective, so IT teams can apply patches on the riskiest vulnerabilities first, bringing down the organisation’s overall risk posture.
Many IT and security teams use the Common Vulnerability Scoring System (CVSS) to judge whether or not certain vulnerabilities need fixing. However, considering the number of vulnerabilities that exist, it is not feasible to fix and patch all of them that the CVSS framework labels as ‘critical’ or ‘high’. At Kenna Security, we use data science to calculate the real risk posed by any given Common Vulnerabilities and Exposures (CVE) by assigning scores ranging from 1 (no risk) to 100 (highest risk). According to our findings, 171 vulnerabilities have earned a score of 100 over the last ten years – representing the worst of the worst. For some context, that’s about 18% of all of the vulnerabilities during that timeframe.
As we look to close out 2020, here’s a look back at some of the most notable vulnerabilities of the past decade:
Even though 2010 is just outside of the window for the decade, it’s crucial to mention one vulnerability from this year that brought cyberwarfare to the mainstream, CVE-2010-2772 aka Stuxnet. This is a great example of a vulnerability that poses very little risk on its own due to the relative rarity of the devices impacted and difficulty to exploit them. However, pairing this vulnerability with nation-state motivations and a highly targeted mission, it’s severely dangerous.
2011: Remote code execution
2012: IE browser zero days
VUPEN, a French cyber security firm that’s now ceased operations, had some fun demonstrating browser 0-days including an Internet Explorer RCE (CVE-2012-1876); taking home some trophies during Pwn2Own at CanSecWest 2012.
All-in-all, Microsoft had 10 vulnerabilities that we rated 100/100, all of them enabling RCE.
2013: Office zero days
Microsoft warned its users about an Office 0-Day (CVE-2013-3906) that enables RCE via a TIFF image embedded in an office document. This vulnerability was being exploited in the wild so users needed to be cautious until the patch was available in the following week’s patch Tuesday.
2014: Sandworm malware
Shellshock aka Bashdoor (CVE-2014-6271) hit the scene. With Dune being released in 2021, it’s only fitting to call out the emergence of the Sandworm (CVE-2014-4114) malware associated with Russian cyber-espionage campaigns.
Heartbleed (CVE-2014-0160) is an honourable mention as another celebrity vulnerability, but it didn’t quite make the grade with a Kenna severity score of 96.8.
2015: Adobe Flash
Adobe Flash took top place with half of all 100 scored vulnerabilities in 2015. It’s not much of a surprise that browsers and phones began blocking Flash by default and Adobe announced end-of-life for the product in 2017.
Another notable mention is the Juniper backdoor (CVE-2015-7755) in Netscreen firewalls that could lead to “complete compromise of the affected device.”
2016: Denial of Service
CVE-2016-10372 was a ZyXEL modem RCE vulnerability that put tens of thousands of Eir (Ireland’s largest ISP) internet users at risk.
CVE-2016-2776 the ISC (Internet Systems Consortium) discovered a Denial of Service (DoS) from a maliciously crafted DNS request.
2017: Petya ransomware
Petya ransomware started spreading globally exploiting a Microsoft SMB protocol vulnerability CVE-2017-0144 to infect host machines.
The infamous Equifax Apache Struts vulnerability (CVE-2017-5638) made headlines and five other Apache Vulnerabilities were scored 100/100 in 2017 (CVE-2017-12617, CVE-2017-12635, CVE-2017-12636, CVE-2017-9791, CVE-2017-9805).
2018: Open source tools
While Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) made headlines in January 2018, the massive industry response and relative difficulty of executing exploits didn’t pop them up to the top of the risk scoreboard for the year.
Instead, the riskiest vulnerabilities involved RCE’s in popular and widely used open-source tools including Drupal (CVE-2018-7600, CVE-2018-7602), Jenkins (CVE-2018-1000861), Jquery (CVE-2018-9206), and an authentication bypass in libssh (CVE-2018-10933).
2019: Remote desktop port
Who can forget Microsoft’s latest and greatest RDP (remote desktop port) vulnerability BlueKeep (CVE-2019-0708)? BlueKeep was 1 of only 6 vulnerabilities that we rated 100/100 in 2019 and for good reason. We noted that this would likely have an exploit (elevating the risk score to 96) and should be prioritised for remediation. The first attacks in the wild registered two months after the CVE was published.
2020: Only 8 new vulnerabilities
While 2020 has been a nightmare in most respects, the year has only brought us 8 new vulnerabilities that have made the riskiest of the list. That is relatively light considering that the average year sees 17 new 100-scored vulnerabilities.
2020 follows in 2019’s footsteps with a Microsoft Exchange RCE (CVE-2020-0688) since it was revealed in February’s Patch Tuesday. This one is unique as it is based on a static cryptographic key in a default application that is also exposed to the internet.
The list of extremely critical vulnerabilities covers a mix of vendors, products, and attack vectors. However, the common features between them highlight the strength of risk-based vulnerability management. Attackers tend to tread a well-known path. While some CVEs may be more lethal than others, the hackers that develop them can be somewhat predictable.
Attackers tend to love CVEs that allow remote code execution. Similarly, vulnerabilities impacting certain operating systems and vendors are more likely to be weaponised e.g. Microsoft. While these vulnerabilities represent the worst of the bunch, they fit the overall pattern. This is how companies can stay ahead of the curve. By identifying vulnerabilities that are likely to be exploited, and then correlating that with their business context, security teams can effectively reduce overall risk for their organisations.
Ed Bellis is CTO and co-founder of Kenna Security
Main image courtesy of iStockPhoto.com