[Following previous month’s CVE Awareness Bulletin below the November release]
The CVE November Awareness Bulletin is an initiative that aims to provide further intelligence and analysis concerning the last vulnerabilities published by the National Institute of Standards and Technology (NIST), National Vulnerability Database (NVD) and the IDS vendors’ coverage for these vulnerabilities.
Common Vulnerabilities and Exposures (CVE) is a public list of common names made available by MITRE Corporation for vulnerabilities and exposures that are publicly known.
This is the most popular list of vulnerabilities and is used as a reference across the whole security industry. It should not be considered absolute but due to the nature of its mission and the current sponsors – Department of Homeland Security (DHS), National Cybersecurity and Communications Integration Center (NCCIC) – it is widely adopted across the industry.
Based on this public information I decided to take a look at what has been released during the month of November. There were 389 vulnerabilities published where 56 were issued with a Common Vulnerability Scoring System (CVSS) score of 8 or higher – CVSS provides a standardized method for rating vulnerabilities using a scoring system based on their different properties from 1 to 10. From these security vulnerabilities, I compared the last signature updates available from products that have a significant share of the market i.e., Checkpoint, Tipping point, SourceFire, Juniper, Cisco and Palo Alto. The result is that SourceFire has the best coverage with 23%. TippingPoint, Checkpoint and Juniper rank second with 16%. Cisco ranked third with 12% followed by Palo Alto with 0%
The following graph illustrates the mapping between the CVEs published in November with a CVSS equal or higher than 8 by vulnerability type and the vendor coverage:
In addition to looking at all the vulnerabilities released, it is also essential to look into detail for specific coverage like Microsoft products vulnerabilities. On the 12th of November the Microsoft Security Bulletin (a.k.a Patch Tuesday) announced 25 vulnerabilities. From these 12 have a CVSS score equal or higher than 8. From these the vendor coverage is shown in the following table:
The vendors analyzed have provided signatures on the same date (12 of November) or few days later. The mentioned signatures and patches should be applied as soon as possible but you should also fully evaluate them (when possible) before applying it production systems.
In addition to that, following signature update deployment, you should always check which signatures have been enabled by default. Plus you should be evaluating what is the impact in your environment for the CVEs that don’t have coverage.
Bottom line, the vendors that were analyzed have a quick response but the coverage should be broader. September we saw 56 vulnerabilities with a CVSS higher than 8 but only 23% of them have coverage in the best case (SourceFire). This means 77% of the published vulnerabilities don’t have coverage. Regarding the vendor response to the Microsoft Security Bulletin Summary for November 2013, the coverage is better and goes up to 100% in the best case (SourceFire). Interesting to note that some of these vulnerabilities are related to software that don’t have significant share in the market. Even if the vendors would have 100% coverage they would not apply to all environments. Furthermore, the likelihood of these vulnerabilities to be successful exploited should also be considered since some of them could be very hard to pull off. So it’s key that you know your infrastructure, your assets and mainly where are your business crown jewels. Then you should be able to help them better protect your intellectual property and determine will be the impact if your intellectual property gets disclosed, altered or destroyed.