[BreachExchange] Vulnerability Management In A Fujiwhara Effect

[Destry Winant]

https://www.riskbasedsecurity.com/2020/08/03/vulnerability-management-in-a-fujiwhara-effect/

The Vulnerability Fujiwhara Effect has run its course for the
immediate future, but IT teams and Vulnerability Managers may feel its
impact for months to come.

In the latest Fujiwhara, on July 14th, there were 406 newly disclosed
vulnerabilities, with Microsoft and Oracle comprising 83% of the
workload. Given that the average number of published new
vulnerabilities is around 66, organizations are no doubt still
collecting, analyzing, prioritizing and patching the many issues
brought to attention in July’s Fujiwhara Storm.

Let’s take a look at how the day played out (and where you should
focus your attention):

1:00 PM EDT: Microsoft and SigRed

Microsoft kicked things off by releasing 123 vulnerabilities, 62% of
which were rated high severity by CVSSv2. For organizations opting for
CVSSv3, that figure jumps to 72%.

Related: CVSSv3: Newer is Better, Right?

As with January’s Fujiwhara Effect, several of July’s vulnerabilities
have had high-profiles in the industry and social media.

MICROSOFT MULTIPLE PRODUCTS CONTACTS LINK VULNERABILITY (CVE-2020-1147)

This vulnerability has a public exploit and has been making a buzz on
social media, shared over 3,000 times within various IT security
communities. Despite being classified by NVD as 6.8 (CVSSv2), our
researchers have determined that CVE-2020-1147 may be more dangerous
than CVE may lead you to believe.

With a public exploit, as well as two potentially vulnerable (but
untested) endpoints, organizations may want to revisit this
vulnerability – especially if it was relegated to the backlog given
its initial “medium” rating.

MICROSOFT WINDOWS DNS VULNERABILITY (SIGRED)

CVE-2020-1350, dubbed SIGRed, has had the security community in a
state of frenzy. Shared well over 13,000 times on social media, this
vulnerability has low complexity in both access and attack, yet
extremely high impacts on confidentiality, integrity, and
availability.

According to The Hacker News, the vulnerability could allow an
“unauthenticated, remote attacker to gain domain administrator
privileges over targeted servers and seize complete control of an
organization’s IT infrastructure.”

To make matters worse, this vulnerability is considered to be
wormable. The potential for damage was so high that the US Department
of Homeland Security and The Cybersecurity and Infrastructure Security
Agency (CISA) mandated that government agencies update or reduce its
risk within 24 hours. Forbes’ Davey Winder also commented on SIGRed’s
potential:

“Being wormable puts this vulnerability right up there in terms of
criticality with WannaCry and NotPetya in that it has the potential to
propagate without user interaction, and propagate very rapidly
indeed.”

Davey Winder, Forbes

All of this was disclosed 16 minutes from the start of July’s
Fujiwhara Storm. By itself, SIGRed can tie up an organization’s entire
security management or IT team. However, there was a lot more still to
come.

4:20 PM EDT: Oracle Drops Nearly Twice as Many Vulnerabilities as Microsoft

As has become an unfortunate norm, Oracle released 213 vulnerabilities
at what was, for many, close to the end of the business day. With
nearly twice the number of vulnerabilities as Microsoft, this late
release forces many teams to triage late or to ignore it until the
next morning.

This trend has become a steady theme for the Vulnerability Fujiwhara
and for Patch Tuesdays as a whole: the inconsistency of timing causes
problems for organizations as hundreds of vulnerabilities “linger” in
the background due to the impossibility of remediating all of them at
once.

As we analyze and catalogue Vulnerability Fujiwhara and Patch Tuesday
vulnerabilities, we continue to see “stalling” periods of where
vendors will drop hundreds of disclosures in between hours of relative
silence. Doing so reinforces a mindset that “it wasn’t THAT bad,” yet
those actually involved in the process know that this is untrue.
Organizations that do not have a fully mature vulnerability management
program will have to resort to handling each vulnerability one by one,
especially if they do not have a vulnerability intelligence solution
that can help prioritize and remediate risk.

Related:Mature Your Vulnerability Management Program With Intelligence
[on-demand webinar]

7/15/2020: Vendors Continue to Disclose

The Vulnerability Fujiwhara Effect continued to linger into the
following day as Adobe, Cisco, and Apple published their vulnerability
disclosures, effectively extending the Fujiwhara into a 48-hour
period.

Interestingly, Adobe’s share was low compared to previous Fujiwhara
events and Patch Tuesdays due to the absence of Flash and Reader
vulnerabilities, which usually represent the bulk of their
disclosures. Cisco however made up for the lack of Adobe Flash the
next day by publishing a sizable amount of vulnerabilities, as did
Apple.

Why Do All of This Yourself?

While our research team was fully prepared to handle the Vulnerability
Fujiwhara Effect, it still meant 48 hours (with no down-time)
collecting and assessing vulnerabilities. In preparation for the event
we dispersed the workload between the entire team, ensuring that we
took advantage of their diverse locations across the world.
Researching and processing vulnerabilities is what we do, and we are
uniquely equipped to meet the challenge.

Most organizations cannot support a dedicated, in-house vulnerability
research team of this size. Even where an in-house team is an option,
the workload required for such an event, or even for daily reports, is
staggering and expensive. How long has it taken for your organization
to fully process the Vulnerability Fujiwhara? Are you still working
through those vulnerabilities? This prompts us to ask an important
question – is it worth it for organizations to perform their own
vulnerability research?

SAVE TIME AND MONEY WITH A VULNERABILITY INTELLIGENCE SOLUTION

Time spent collecting and assessing vulnerabilities takes away from
the time available to actually manage and remediate them. There are
too many vulnerabilities to manage in an effective way. To make
matters worse, vulnerability reporting has become tremendously
decentralized, and the ability to compile reliable and accurate
details also diminishes as there is no singular public source for
every disclosed vulnerability.

This challenge has led some organizations to make unnecessary
compromises in the data that they consume. Some believe that they must
sacrifice quality for timeliness, or vice-versa. However,
organizations can have both by employing a vulnerability intelligence
solution.

VulnDB can provide the following for IT teams and Vulnerability Managers:

- A singular source for all the vulnerabilities on products and
vendors you care about
- Standardized vulnerability reports that are pre-assessed for
validity and accuracy
- Added technical details that cannot be found in the original reports
- Extra metrics to help better prioritization including information
about severity, exploit availability, and report confidence
- And much more.

With VulnDB you can spend less time on vulnerability assessment, and
more time on vulnerability management. VulnDB is the most
comprehensive, detailed, and timely source of vulnerability
intelligence with over 233,000 entries, including over 76,000 that
cannot be found in CVE/NVD. Ensure that you are properly equipped, not
only for a future Vulnerability Fujiwhara, but also for the daily
vulnerability reports impacting your organization.