Vulnerability Management In A Fujiwhara Effect
August 3, 2020 • RBS
In the latest Fujiwhara, on July 14th, there were 406 newly disclosed vulnerabilities, with Microsoft and Oracle comprising 83% of the workload. Given that the average number of published new vulnerabilities is around 66, organizations are no doubt still collecting, analyzing, prioritizing and patching the many issues brought to attention in July’s Fujiwhara Storm.
Let’s take a look at how the day played out (and where you should focus your attention):
1:00 PM EDT: Microsoft and SigRed
Microsoft kicked things off by releasing 123 vulnerabilities, 62% of which were rated high severity by CVSSv2. For organizations opting for CVSSv3, that figure jumps to 72%.
Related: CVSSv3: Newer is Better, Right?
As with January’s Fujiwhara Effect, several of July’s vulnerabilities have had high-profiles in the industry and social media.
Microsoft Multiple Products Contacts Link Vulnerability (CVE-2020-1147)
This vulnerability has a public exploit and has been making a buzz on social media, shared over 3,000 times within various IT security communities. Despite being classified by NVD as 6.8 (CVSSv2), our researchers have determined that CVE-2020-1147 may be more dangerous than CVE may lead you to believe.
With a public exploit, as well as two potentially vulnerable (but untested) endpoints, organizations may want to revisit this vulnerability – especially if it was relegated to the backlog given its initial “medium” rating.
Microsoft Windows DNS Vulnerability (SigRed)
CVE-2020-1350, dubbed SIGRed, has had the security community in a state of frenzy. Shared well over 13,000 times on social media, this vulnerability has low complexity in both access and attack, yet extremely high impacts on confidentiality, integrity, and availability.
According to The Hacker News, the vulnerability could allow an “unauthenticated, remote attacker to gain domain administrator privileges over targeted servers and seize complete control of an organization’s IT infrastructure.”
To make matters worse, this vulnerability is considered to be wormable. The potential for damage was so high that the US Department of Homeland Security and The Cybersecurity and Infrastructure Security Agency (CISA) mandated that government agencies update or reduce its risk within 24 hours. Forbes’ Davey Winder also commented on SIGRed’s potential:
“Being wormable puts this vulnerability right up there in terms of criticality with WannaCry and NotPetya in that it has the potential to propagate without user interaction, and propagate very rapidly indeed.”Davey Winder, Forbes
All of this was disclosed 16 minutes from the start of July’s Fujiwhara Storm. By itself, SIGRed can tie up an organization’s entire security management or IT team. However, there was a lot more still to come.
4:20 PM EDT: Oracle Drops Nearly Twice as Many Vulnerabilities as Microsoft
As has become an unfortunate norm, Oracle released 213 vulnerabilities at what was, for many, close to the end of the business day. With nearly twice the number of vulnerabilities as Microsoft, this late release forces many teams to triage late or to ignore it until the next morning.
This trend has become a steady theme for the Vulnerability Fujiwhara and for Patch Tuesdays as a whole: the inconsistency of timing causes problems for organizations as hundreds of vulnerabilities “linger” in the background due to the impossibility of remediating all of them at once.
As we analyze and catalogue Vulnerability Fujiwhara and Patch Tuesday vulnerabilities, we continue to see “stalling” periods of where vendors will drop hundreds of disclosures in between hours of relative silence. Doing so reinforces a mindset that “it wasn’t THAT bad,” yet those actually involved in the process know that this is untrue. Organizations that do not have a fully mature vulnerability management program will have to resort to handling each vulnerability one by one, especially if they do not have a vulnerability intelligence solution that can help prioritize and remediate risk.
7/15/2020: Vendors Continue to Disclose
The Vulnerability Fujiwhara Effect continued to linger into the following day as Adobe, Cisco, and Apple published their vulnerability disclosures, effectively extending the Fujiwhara into a 48-hour period.
Interestingly, Adobe’s share was low compared to previous Fujiwhara events and Patch Tuesdays due to the absence of Flash and Reader vulnerabilities, which usually represent the bulk of their disclosures. Cisco however made up for the lack of Adobe Flash the next day by publishing a sizable amount of vulnerabilities, as did Apple.
Why Do All of This Yourself?
While our research team was fully prepared to handle the Vulnerability Fujiwhara Effect, it still meant 48 hours (with no down-time) collecting and assessing vulnerabilities. In preparation for the event we dispersed the workload between the entire team, ensuring that we took advantage of their diverse locations across the world. Researching and processing vulnerabilities is what we do, and we are uniquely equipped to meet the challenge.
Most organizations cannot support a dedicated, in-house vulnerability research team of this size. Even where an in-house team is an option, the workload required for such an event, or even for daily reports, is staggering and expensive. How long has it taken for your organization to fully process the Vulnerability Fujiwhara? Are you still working through those vulnerabilities? This prompts us to ask an important question – is it worth it for organizations to perform their own vulnerability research?
Save Time and Money With a Vulnerability Intelligence Solution
Time spent collecting and assessing vulnerabilities takes away from the time available to actually manage and remediate them. There are too many vulnerabilities to manage in an effective way. To make matters worse, vulnerability reporting has become tremendously decentralized, and the ability to compile reliable and accurate details also diminishes as there is no singular public source for every disclosed vulnerability.
This challenge has led some organizations to make unnecessary compromises in the data that they consume. Some believe that they must sacrifice quality for timeliness, or vice-versa. However, organizations can have both by employing a vulnerability intelligence solution.
- A singular source for all the vulnerabilities on products and vendors you care about
- Standardized vulnerability reports that are pre-assessed for validity and accuracy
- Added technical details that cannot be found in the original reports
- Extra metrics to help better prioritization including information about severity, exploit availability, and report confidence
- And much more.
With VulnDB you can spend less time on vulnerability assessment, and more time on vulnerability management. VulnDB is the most comprehensive, detailed, and timely source of vulnerability intelligence with over 233,000 entries, including over 76,000 that cannot be found in CVE/NVD. Ensure that you are properly equipped, not only for a future Vulnerability Fujiwhara, but also for the daily vulnerability reports impacting your organization.
If you’re curious to see how your organization would benefit from the most comprehensive vulnerability intelligence solution, we are offering trial access to our flagship VulnDB product.