[Following last month’s CVE Awareness Bulletin, I introduced more IDS vendors and documented the process of gathering and producing such information. As a result, the article should offer a more consistent outlook across the upcoming months even though the effort is almost exclusively manual.]
The CVE September Awareness Bulletin is an initiative that aims to provide further intelligence and analysis concerning the last vulnerabilities published by the National Institute of Standards and Technology (NIST), National Vulnerability Database (NVD) and the IDS vendors’ coverage for these vulnerabilities.
Common Vulnerabilities and Exposures (CVE) is a public list of common names made available by MITRE Corporation for vulnerabilities and exposures that are publicly known.
This is the most popular list of vulnerabilities and is used as a reference across the whole security industry. It should not be considered absolute but due to the nature of its mission and the current sponsors – Department of Homeland Security (DHS), National Cybersecurity and Communications Integration Center (NCCIC) – it is widely adopted across the industry.
Based on this public information I decided to take a look at what has been released during the month of September. There were 464 vulnerabilities published where 100 were issued with a Common Vulnerability Scoring System (CVSS) score of 8 or higher – CVSS provides a standardized method for rating vulnerabilities using a scoring system based on their different properties from 1 to 10. From these security vulnerabilities, I compared the last signature updates available from products that have a significant share of the market i.e., Checkpoint, Tipping point, SourceFire, Juniper, Cisco and Palo Alto. The result is that Checkpoint has the best coverage with 20%. Tipping point and Sourcefire have 19%, Juniper 16%, Cisco 12% and the last Palo Alto with 10%.
The following graph illustrates the mapping between the CVEs published in September with a CVSS equal or higher than 8 by vulnerability type and the vendor coverage:
In addition to looking at all the vulnerabilities released, it is also essential to look into detail for specific coverage like Microsoft products vulnerabilities. On the 10th of September the Microsoft Security Bulletin (a.k.a Patch Tuesday) announced 47 vulnerabilities. From these 30 have a CVSS score equal or higher than 8. From these the vendor coverage is shown in the following table:
The vendors analyzed have provided signatures on the same date (10 of September) or few days later. The mentioned signatures and patches should be applied as soon as possible but you should also fully evaluate them (when possible) before applying it production systems.
In addition to that, following signature update deployment, you should always check which signatures have been enabled by default. Plus you should be evaluating what is the impact in your environment for the CVEs that don’t have coverage.
Bottom line, the vendors that were analyzed have a quick response but the coverage should be broader. September we saw 100 vulnerabilities with a CVSS higher than 8 but only 20% of them have coverage in the best case (Checkpoint). This means 80% of the published vulnerabilities don’t have coverage. Regarding the vendor response to the Microsoft Security Bulletin Summary for September 2013, the coverage is better and goes up to 40% in the best case (Checkpoint). Interesting to note that some of these vulnerabilities are related to software that don’t have significant share in the market. Worth to mention that 15 of these vulnerabilities (15%) are related to Adobe products and they are not covered. Even if the vendors would have 100% coverage they would not apply to all environments. Furthermore, the likelihood of these vulnerabilities to be successful exploited should also be considered since some of them could be very hard to pull off. So it’s key that you know your infrastructure, your assets and mainly where are your business crown jewels. Then you should be able to help them better protect your intellectual property and determine will be the impact if your intellectual property gets disclosed, altered or destroyed.