CISA’s Known Exploited Vulnerabilities Catalog: Breakdown of 95 Newly Released Vulnerabilities
March 4, 2022 • RBS
Update: CISA added additional vulnerabilities to the KEV Catalog on May 10, 2022
When the U.S. Cybersecurity & Infrastructure Security Agency (CISA) first announced Binding Operational Directive 22-01 (BOD 22-01), we made it our goal to fully explain what it was, why it was important, and more importantly – how organizations could prioritize 100 vulnerabilities in just two weeks. Since that article, we have been paying close attention whenever CISA adds new entries. Usually CISA adds a few vulnerabilities at a time and, historically, a single addition has never exceeded 15. But today CISA has made a tremendous addition to the Known Exploited Vulnerabilities Catalog – adding 95 vulnerabilities that must be remediated in two weeks!
What is the Known Exploited Vulnerabilities Catalog?
The Known Exploited Vulnerabilities Catalog is a list of vulnerabilities that CISA has identified as being exploited, or that have been used by threat actors. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate these issues within the specified timeframe in order to protect federal infrastructure and reduce cyber attacks. While BOD 22-01 is intended for FCEB agencies, some private organizations have adopted the list as a guide for triaging vulnerability remediation.
What are Known Exploited Vulnerabilities?
Known Exploited Vulnerabilities (KEV) are issues that CISA has specifically stated are currently being used in the wild. There is some confusion when it comes to KEVs, as some still equate a vulnerability's impact with a CVSS severity score. However, a CVSS base score says nothing about whether an issue is actually being exploited. Additionally, there are cases where CISA may have exclusive knowledge of a particular vulnerability being exploited in the wild that has not been publicly reported.
Making the KEV Catalog Actionable
Although Federal agencies are beholden to KEV Catalog timelines, remediating its vulnerabilities can have major benefits for organizations in the private sector. But for agencies and enterprises intending to use the KEV Catalog as a guide for their Vulnerability Management Program, the strict remediation timelines might pose a challenge. What is the best way to make BOD 22-01 actionable and how should security teams tackle it?
Understanding BOD 22-01’s Latest Vulnerabilities
First, it is important to understand the vulnerabilities potentially affecting your systems. Examining CISA’s latest entries, added March 3rd, we can observe the following:
How Far Back Do They Go?
The oldest included entry is CVE-2002-0367, a Microsoft Windows vulnerability. It is interesting to note that despite its age, it is currently being reanalyzed, meaning the current entry is likely out of date. It also does not have a CVSSv3 score, so NVD has not yet revisited the vulnerability.
Another thing organizations should be aware of is that 12 of the vulnerabilities date from 2002 to 2011. The main reason is that these issues played a part in past malware campaigns.
Full Breakdown by Year of Disclosure
Which Vendors Are Affected?
Of the 95 newly released vulnerabilities, 92 affect major vendors such as Cisco, Microsoft, Oracle, and Adobe:
Examining the Metadata
Almost every vulnerability in CISA’s latest batch affects major vendors like Cisco, Microsoft, Adobe, and Oracle. But in a list of 95, organizations need to make sure that they are utilizing their time and resources effectively. That’s where vulnerability metadata comes into play. When security teams have more context it becomes a lot easier to focus on the issues that pose the most risk.
Ties to the Ukraine-Russia Conflict
Before this BOD update, only three Remote Denial-of-Service (DoS) vulnerabilities had been included. In this latest batch, 21 of the 95 vulnerabilities are Remote DoS. Why is this significant? Well, it points squarely at the developing Ukraine and Russia conflict, given that Ukrainian websites and some banks have experienced relentless DDoS attacks in recent days. Google has even stepped in, offering its 'Project Shield' to help government websites being attacked through these means.
In a joint article with Flashpoint, we also highlighted that Russian Advanced Persistent Threat (APT) groups and some high-profile ransomware groups with strong ties to Russia historically have used Arbitrary Code Execution (ACE) vulnerabilities more than Remote Code Execution (RCE) issues. With that in mind, what is the spread for this latest release?
- 22 vulnerabilities are ACE, requiring user interaction (e.g. phishing)
- Only 6 vulnerabilities are RCE
- 13 are Local Privilege Escalation (LPE)
How to Prioritize These 95 Vulnerabilities
In our initial BOD 22-01 article, we gave step-by-step details on best practices that security teams could adopt to prioritize effectively. Overall, that advice has not changed. Here is how organizations can make the Known Exploited Vulnerabilities Catalog actionable:
- Use comprehensive vulnerability intelligence
In order to remediate in a timely fashion, enterprises need comprehensive and actionable vulnerability intelligence. Unfortunately for CVE/NVD users, MITRE and NIST are not proactive when it comes to vulnerability aggregation, meaning that until vendors and researchers submit issues, many NVD entries will lack critical metadata and may be unactionable. This can already be seen with several BOD 22-01 vulnerabilities that are either in RESERVED status or undergoing re-analysis. With a proactive vulnerability intelligence source, organizations will have the details needed to properly triage and prioritize issues.
- Address likely attack vectors first
Start with the vulnerabilities that threat actors are likely to use against you. While this may be difficult, given the political events occurring at this time government agencies and contracting vendors will likely need to pay attention to the 21 Remote DoS issues first. If your organization is concerned about the possibility of being collateral damage in the ongoing Ukraine and Russia conflict, this is where you may want to start triaging.
- Then prioritize issues with publicly known exploits
Timeliness is crucial, and while BOD 22-01 lists all the vulnerabilities that should be addressed, it does not tell organizations which ones have documented public exploits versus being privately exploited. As we mentioned before, CVE/NVD is not proactive in its research, so if details of an exploit were not reported, the information will not be included in the entry. If you have truly comprehensive vulnerability intelligence, you will have that data if it is known. And once you have those details, you can start to contextualize vulnerabilities to deployed assets.
- Create an Asset Inventory
If you haven’t started to already, this may be a good time to formally create an asset inventory. Doing this will enable more efficient vulnerability management in the future and will greatly reduce your dependency on scanning.
- Check the Software Bill of Materials (SBOM)
While creating an asset inventory, developing SBOMs for your software will also be greatly beneficial. With SBOMs, organizations can know which Open Source Software (OSS) components are intertwined with their own products and how. This will help determine whether those products are susceptible to vulnerabilities in third-party libraries.
- Strike issues with no solution
Eliminate any issues on the list that do not have a documented solution. But before doing that, make sure you are using comprehensive vulnerability intelligence, so that "no solution" is not simply a case of missing metadata. If there truly is no documented solution, your time will be better spent triaging and then remediating the issues that do have one.
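The six steps above, carried out end to end over a small batch of KEV entries, as an added example (this is not code from the RBS article or the Risk Based Security Platform). The entries mimic the shape of CISA's public KEV JSON feed (field names cveID, vendorProject, product, dateAdded, dueDate are the feed's own); the entries themselves, the intelligence enrichment (attack vector, public exploit, documented solution) and the asset inventory are constructed, and every CVE number other than CVE-2002-0367 is a placeholder. Year and vendor breakdowns like the ones in the "Understanding" section are computed the same way, so those functions are included too.

```python
"""Triage a batch of CISA KEV Catalog entries: enrich with vulnerability
intelligence, contextualize to deployed assets, strike issues with no fix,
and order the remaining work. Added example, not RBS code."""
from collections import Counter

# Constructed sample shaped like CISA's KEV JSON feed (field names as in the
# feed). CVE IDs other than CVE-2002-0367 are placeholders, not real entries.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2002-0367", "vendorProject": "Microsoft", "product": "Windows",
         "dateAdded": "2022-03-03", "dueDate": "2022-03-17"},
        {"cveID": "CVE-2019-90001", "vendorProject": "Cisco", "product": "IOS XE",
         "dateAdded": "2022-03-03", "dueDate": "2022-03-17"},
        {"cveID": "CVE-2020-90002", "vendorProject": "Oracle", "product": "WebLogic Server",
         "dateAdded": "2022-03-03", "dueDate": "2022-03-10"},
        {"cveID": "CVE-2021-90003", "vendorProject": "Adobe", "product": "Acrobat and Reader",
         "dateAdded": "2022-03-03", "dueDate": "2022-03-17"},
        {"cveID": "CVE-2021-90004", "vendorProject": "Cisco", "product": "ASA",
         "dateAdded": "2022-03-03", "dueDate": "2022-03-17"},
        {"cveID": "CVE-2018-90005", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2022-03-03", "dueDate": "2022-03-17"},
        {"cveID": "CVE-2022-90006", "vendorProject": "Adobe", "product": "Commerce",
         "dateAdded": "2022-03-03", "dueDate": "2022-03-17"},
    ]
}

# Constructed enrichment standing in for a vulnerability intelligence source:
# attack vector class, whether a public exploit is documented, whether a
# documented solution exists. CVE-2022-90006 is deliberately absent to model
# a RESERVED / under-reanalysis entry with no usable metadata yet.
INTEL = {
    "CVE-2002-0367": {"vector": "LPE", "public_exploit": True, "solution": True},
    "CVE-2019-90001": {"vector": "Remote DoS", "public_exploit": False, "solution": True},
    "CVE-2020-90002": {"vector": "RCE", "public_exploit": True, "solution": True},
    "CVE-2021-90003": {"vector": "ACE", "public_exploit": False, "solution": True},
    "CVE-2021-90004": {"vector": "Remote DoS", "public_exploit": True, "solution": False},
    "CVE-2018-90005": {"vector": "RCE", "public_exploit": True, "solution": True},
}

# Constructed asset inventory: host name -> (vendor, product) it runs.
ASSETS = {
    "fileserver-01": ("Microsoft", "Windows"),
    "edge-router-01": ("Cisco", "IOS XE"),
    "edge-router-02": ("Cisco", "IOS XE"),
    "app-01": ("Oracle", "WebLogic Server"),
    "workstation-pool": ("Adobe", "Acrobat and Reader"),
    "fw-01": ("Cisco", "ASA"),
}


def breakdown_by_year(kev):
    """Count entries by the year in the CVE ID (a proxy for disclosure year)."""
    return Counter(v["cveID"].split("-")[1] for v in kev["vulnerabilities"])


def breakdown_by_vendor(kev):
    """Count entries per vendor, as in the vendor chart of the article."""
    return Counter(v["vendorProject"] for v in kev["vulnerabilities"])


def affected_assets(entry, assets):
    """Join a KEV entry to the inventory on (vendor, product)."""
    key = (entry["vendorProject"], entry["product"])
    return sorted(host for host, running in assets.items() if running == key)


def prioritize(kev, intel, assets, priority_vectors=("Remote DoS",)):
    """Return (rows, struck). Rows are (tier, dueDate, cveID, hosts), sorted.

    Tier 0: likely attack vectors first (here Remote DoS, per the article).
    Tier 1: publicly known exploit.     Tier 2: other fixable issues.
    Tier 3: no intelligence yet (cannot triage; go get the metadata).
    Tier 4: fixable but no deployed asset matched (inventories are incomplete).
    Entries whose intelligence says there is no documented solution are struck.
    """
    rows, struck = [], []
    for v in kev["vulnerabilities"]:
        meta = intel.get(v["cveID"])
        hosts = affected_assets(v, assets)
        if meta is None:
            tier = 3                      # missing metadata is not "no fix"
        elif not meta["solution"]:
            struck.append(v["cveID"])     # nothing to deploy; don't spend time here
            continue
        elif not hosts:
            tier = 4
        elif meta["vector"] in priority_vectors:
            tier = 0
        elif meta["public_exploit"]:
            tier = 1
        else:
            tier = 2
        rows.append((tier, v["dueDate"], v["cveID"], hosts))
    rows.sort()                           # tier, then earliest due date, then ID
    return rows, struck


if __name__ == "__main__":
    print("by year:", dict(breakdown_by_year(KEV_SAMPLE)))
    print("by vendor:", dict(breakdown_by_vendor(KEV_SAMPLE)))
    ordered, dropped = prioritize(KEV_SAMPLE, INTEL, ASSETS)
    for tier, due, cve, hosts in ordered:
        print(f"tier {tier}  due {due}  {cve}  {hosts}")
    print("struck (no documented solution):", dropped)
```

The `priority_vectors` argument is where the "likely attack vectors first" judgement lives: an organization that is not worried about DDoS collateral damage would pass a different class there, or an empty tuple to fall straight through to the public-exploit tier. Missing intelligence is kept as its own tier rather than struck, which is the point of the caveat in the last step: an entry with no known fix and an entry with no metadata look identical to NVD-only tooling, but only one of them can be safely dropped.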
Make Better Prioritization Decisions
Hopefully this breakdown of the latest KEV Catalog vulnerabilities provides context that will make remediation of these issues less of a daunting task. There are a lot of steps that need to happen before remediation can occur and two weeks to patch 95 vulnerabilities is a big ask.
Having access to a comprehensive, actionable, and timely source of vulnerability intelligence is vital when remediating issues in a short time frame. If you don't have the metadata you need, it will be hard to understand the issues you are being told to fix. With the Risk Based Security Platform, security teams can get all known details for over 282,000 vulnerabilities, including all KEVs.