RBS Survey: One-Third of Vulnerabilities Rated High or Critical This Year

There were more than 16,000 vulnerabilities disclosed during the first three quarters of this year and more than a third of them were rated high or critical—7.0 or higher in the Common Vulnerability Scoring System (CVSS).

For the first time in recent history, the number decreased year over year. The first three quarters of 2018 saw 7 percent fewer published flaws compared to the same period last year, according to a report released this week by vulnerability intelligence firm Risk Based Security (RBS).

However, the company warns that fluctuations in vulnerability numbers are not unusual and they might be cancelled out by the end of the year as additional disclosure sources are analyzed and new data comes into play.

RBS recorded a total of 16,172 flaws in its VulnDB, 4,823 of which didn’t have Common Vulnerabilities and Exposures (CVE) IDs. This means that those flaws are missing from the U.S. government’s National Vulnerability Database (NVD), which is intertwined with CVE.

Only around half of the vulnerability disclosures through Q3 2018 were coordinated with the affected vendors and almost 44 percent of the flaws have public exploits available or sufficient technical details to exploit them. One in 10 have a working exploit that was not published by the researchers who found them.

Almost 60 percent of the reported flaws can impact the integrity of the affected products and 18 percent the confidentiality of their data. These allow for attacks such as code execution, data manipulation and SQL injection.

Around half of all vulnerabilities can be exploited remotely and 46 percent are located in web-based components. Two-thirds of the reported flaws can be exploited through maliciously crafted input.

“While a lot of vulnerabilities fall under this umbrella, including cross-site scripting, SQL injection, shell command injection, and buffer overflows, it’s clear that vendors still struggle to carefully validate untrusted input from users,” RBS said in its report. “Having a mature Software Development Lifecycle (SDL) and some form of auditing can help iron out many of these issues and significantly reduce the threat from attackers.”

To make things worse, 1 in 4 reported vulnerabilities have no patch or other known solution, which shows that keeping software up to date alone is not sufficient to protect assets from attacks. In addition to patching, vulnerability management strategies should always include other forms of risk mitigation.

That said, companies should be aware that security products can also introduce vulnerabilities. More than 3 percent of flaws disclosed in 2018 impacted security software.

Limiting network access to critical assets is also important and can be a good mitigation strategy. Accounting for almost 4 percent of the flaws this year, SCADA applications, which are used to control industrial equipment, are a good example of software that shouldn’t be directly exposed to the internet or to general-purpose network segments.

Many applications, especially web-based ones, support plug-ins, so keeping track of vulnerabilities in those third-party packages is just as important as keeping track of issues in the main software program. WordPress and content management systems in general are common examples of this, but tools such as Jenkins and others also come with a variety of plug-ins.

As an example of the scope of the problem, between 2012 and 2018 only 162 vulnerabilities were reported and patched in WordPress, but 5,230 flaws were patched in its third-party plug-ins.

The vulnerability coverage shortcomings of the CVE/NVD database have been known and criticized in the security community for many years. Even though it’s considered the de facto standard in vulnerability tracking, the gap between NVD and other vulnerability databases continues to increase.

The missing vulnerabilities are not low-risk ones that can be neglected, either. According to RBS, of the 4,823 flaws that are missing from the NVD database this year, 46 percent are rated high or critical.

“Organizations relying on CVE or sources solely obtaining data from CVE are missing a significant number of vulnerabilities,” RBS said in its report. “In today’s hostile computing environment, with non-stop attacks from around the world, organizations using sub-par vulnerability intelligence are needlessly taking on significant risk.”

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42