Fix now: High risk vulnerabilities at large, June 2020
On May 12, 2020, CERT released an alert entitled "Top 10 Routinely Exploited Vulnerabilities" identified by the U.S. Government, which can be found here: https://www.us-cert.gov/ncas/alerts/aa20-133a
But how dangerous are these CVEs? We put them through Farsight, our predictive risk-based vulnerability prioritization tool, to provide more context on the risk. Let us dig into the top 10 routinely exploited vulnerabilities between 2016 and 2019 in detail.
| CVE | Description | CVSS Score | Farsight Rating | Last seen (Farsight) |
|---|---|---|---|---|
| CVE-2017-11882 | Microsoft Office Memory Corruption Vulnerability | 7.8 | 38.46 | 2020-05-15 |
| CVE-2017-0199 | Microsoft Office/WordPad Remote Code Execution Vulnerability w/ Windows API | 7.8 | 38.46 | 2020-05-13 |
| CVE-2017-5638 | Jakarta Multipart parser in Apache Struts 2 | 10.0 | 38.46 | 2020-05-12 |
| CVE-2012-0158 | MSCOMCTL.OCX RCE Vulnerability | 9.3 (v2) | 38.46 | 2020-05-12 |
| CVE-2019-0604 | Microsoft SharePoint Remote Code Execution Vulnerability | 9.8 | 38.46 | 2020-05-12 |
| CVE-2017-0143 | Windows SMB Remote Code Execution Vulnerability | 8.3 | 38.46 | 2020-05-12 |
| CVE-2018-4878 | Use-after-free vulnerability in Adobe Flash Player | 9.8 | 38.46 | 2020-05-12 |
| CVE-2017-8759 | .NET Framework Remote Code Execution Vulnerability | 7.8 | 38.46 | 2020-04-15 |
| CVE-2015-1641 | Microsoft Office Memory Corruption Vulnerability | 9.3 (v2) | 38.46 | 2020-05-16 |
| CVE-2018-7600 | Drupal RCE vulnerability | 9.8 | 38.46 | 2020-05-12 |
| (2020) CVE-2019-11510 | Pulse Secure arbitrary file reading vulnerability | 10.0 | 38.46 | 2020-05-16 |
| (2020) CVE-2019-19781 | Directory traversal in Citrix ADC | 9.8 | 38.46 | 2020-05-12 |
The last two are honorary mentions in addition to the top 10, singled out because threat actors have focused on them since the COVID-19 lockdowns began around the globe. Note: we covered the Pulse Secure CVE back in April.
What does Farsight’s Threat Intelligence tell us?
First, as you would expect, all of these vulnerabilities carry the highest risk rating, 38.46. This is because in most cases there are documented successful exploits in the wild for these vulnerabilities: a successful attack somewhere moves a vulnerability from "likely to be exploited" to "has been exploited".
Next is the Farsight last seen date. This information is not currently exposed in Outscan, but we can access it from the raw data. What does it tell us?
At the time of writing, only one (CVE-2017-8759) has not seen any attention from threat actors in May, and most of the vulnerabilities saw an increase in attention in the days after the CERT top 10 announcement was made. This offers an interesting insight into the lifecycle of a vulnerability: when older vulnerabilities that have previously been used in exploits get renewed media interest, threat actors will often take another look to see how they can be used in the current threat landscape. Customers should continue to focus on the real risk of the vulnerability; in all of these cases Farsight rates them at the highest possible risk in terms of exploit likelihood, irrespective of the age of the vulnerability or the level of activity seen from threat actors.
With such a high risk rating, these vulnerabilities should be remediated immediately if they appear in your environment. But if you have to choose, the ones that have not seen any activity or interest in 2020 can be remediated after the majority that are currently being used and discussed.
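As an added example (not code from the original post or from Farsight), here is the prioritization rule above applied to the values in the table: rating first, then whether the vulnerability has been seen inside the current activity window, then recency. The window start date (1 May 2020) is an assumption chosen to match the post's "no attention in May" observation, and the contrast ordering shows how a CVSS-only process would rank the same list differently.

```python
from datetime import date

# Rows transcribed from the table on the page (CVE, CVSS, Farsight rating,
# last seen). Constructed input for this example; values are as quoted above,
# with the two CVSS v2 scores (9.3) recorded without their version tag.
ROWS = [
    ("CVE-2017-11882", 7.8, 38.46, "2020-05-15"),
    ("CVE-2017-0199", 7.8, 38.46, "2020-05-13"),
    ("CVE-2017-5638", 10.0, 38.46, "2020-05-12"),
    ("CVE-2012-0158", 9.3, 38.46, "2020-05-12"),
    ("CVE-2019-0604", 9.8, 38.46, "2020-05-12"),
    ("CVE-2017-0143", 8.3, 38.46, "2020-05-12"),
    ("CVE-2018-4878", 9.8, 38.46, "2020-05-12"),
    ("CVE-2017-8759", 7.8, 38.46, "2020-04-15"),
    ("CVE-2015-1641", 9.3, 38.46, "2020-05-16"),
    ("CVE-2018-7600", 9.8, 38.46, "2020-05-12"),
    ("CVE-2019-11510", 10.0, 38.46, "2020-05-16"),
    ("CVE-2019-19781", 9.8, 38.46, "2020-05-12"),
]

# Assumed activity window: anything last seen before this date counts as
# "no activity in the current window" for the purposes of ordering.
WINDOW_START = date(2020, 5, 1)


def remediation_order(rows, window_start=WINDOW_START):
    """Order CVEs the way the post describes: highest risk rating first,
    then entries with observed activity inside the window ahead of those
    without, and within that the most recently seen first."""
    def key(row):
        _cve, _cvss, rating, last_seen = row
        seen = date.fromisoformat(last_seen)
        return (-rating, seen < window_start, -seen.toordinal())
    return [r[0] for r in sorted(rows, key=key)]


def deferrable(rows, window_start=WINDOW_START):
    """CVEs with no observed activity inside the window; per the post these
    can be scheduled after the rest only when a choice has to be made."""
    return [r[0] for r in rows if date.fromisoformat(r[3]) < window_start]


def cvss_order(rows):
    """The ordering a purely CVSS-driven process would produce, for contrast:
    it pushes the 7.8-scored Office bugs to the back despite identical
    exploit likelihood."""
    return [r[0] for r in sorted(rows, key=lambda r: -r[1])]
```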
The good news is that Farsight, our predictive risk-based vulnerability management solution, agrees with CERT on the risks posed by these vulnerabilities. As mentioned, this is to be expected given the nature of these vulnerabilities: they have been exploited in the wild. It is always good to see validation of the risks from external third-party sources, and it is also interesting to see that some of these vulnerabilities, even though they are eight years old, are still being discussed and used by threat actors against organizations and targets on the internet, confirming once again the need for organizations to maintain cyber hygiene through continuous vulnerability assessment.
As always, make sure you are remediating these high-risk vulnerabilities as soon as you are able to. Subscribe to our email to ensure you get the latest updates.