16 May 2020
On Tuesday, CISA published alert AA20-133A, "Top 10 Routinely Exploited Vulnerabilities" (1). A day later, Zeljka Zorz raised the entirely legitimate question "Have you patched these top 10 routinely exploited vulnerabilities?" (2) on Help Net Security.
A query against the NIST NVD and the Exploit-DB shows a gloomy picture:
For the vulnerabilities highlighted in red, an exploit was publicly available on the day the CVE was published in the NVD. For the vulnerabilities highlighted in green, an exploit was published shortly after the CVE. So the question should rather be:
How fast did you patch these top 10 routinely exploited vulnerabilities?
These are telling examples and they are not isolated:
Data on critical vulnerabilities from 2013 to 2019 show:
- 41% of exploits were published before or at the same day the CVE was published, and
- 43% of exploits were published in the window from 10 days before to 10 days after the CVE.
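The figures above come from comparing the NVD publication date of each CVE with the date of its first public exploit. The following script is an added example, not code from the original post, of how that comparison can be run offline: it joins CVE publication dates with exploit publication dates, computes the lag in days (negative means the exploit came first), and produces the two percentages used above. The inputs are constructed for this example and the CVE IDs and dates are fictitious; the NVD snippet is shaped like the NVD JSON 1.1 feed (`CVE_Items[].cve.CVE_data_meta.ID`, `CVE_Items[].publishedDate`) and the exploit records use a simplified CSV with the assumed columns `id,date,cve`.

```python
"""Exploit-publication lag analysis (added example, constructed data).

Joins CVE publication dates (NVD-feed shaped JSON) with exploit publication
dates (simplified CSV) and summarises how many exploits were public before or
on the CVE publication day and how many within +/-10 days of it.
"""
import csv
import io
import json
from datetime import date, datetime

# Constructed sample feed; IDs and dates are fictitious. Shape follows the
# NVD JSON 1.1 feed (assumption: publishedDate is "YYYY-MM-DDTHH:MMZ").
NVD_FEED = json.dumps({
    "CVE_Items": [
        {"cve": {"CVE_data_meta": {"ID": "CVE-2019-99901"}}, "publishedDate": "2019-03-05T14:29Z"},
        {"cve": {"CVE_data_meta": {"ID": "CVE-2019-99902"}}, "publishedDate": "2019-06-11T21:15Z"},
        {"cve": {"CVE_data_meta": {"ID": "CVE-2019-99903"}}, "publishedDate": "2019-08-20T10:00Z"},
        {"cve": {"CVE_data_meta": {"ID": "CVE-2019-99904"}}, "publishedDate": "2019-10-01T18:30Z"},
        {"cve": {"CVE_data_meta": {"ID": "CVE-2019-99905"}}, "publishedDate": "2019-11-12T09:45Z"},
        {"cve": {"CVE_data_meta": {"ID": "CVE-2019-99906"}}, "publishedDate": "2019-12-03T00:00Z"},
    ]
})

# Constructed exploit records; the column layout (id,date,cve) is an
# assumption for this example, not the real Exploit-DB export format.
EXPLOITS_CSV = """id,date,cve
90001,2019-03-02,CVE-2019-99901
90002,2019-06-11,CVE-2019-99902
90003,2019-07-01,CVE-2019-99902
90004,2019-08-22,CVE-2019-99903
90005,2019-10-16,CVE-2019-99904
90006,2019-12-22,CVE-2019-99905
"""


def load_nvd_dates(feed_json: str) -> dict:
    """Map CVE ID -> NVD publication date (day precision)."""
    feed = json.loads(feed_json)
    dates = {}
    for item in feed["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        published = datetime.strptime(item["publishedDate"], "%Y-%m-%dT%H:%MZ")
        dates[cve_id] = published.date()
    return dates


def first_exploit_dates(csv_text: str) -> dict:
    """Map CVE ID -> date of the earliest public exploit referencing it."""
    earliest = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        published = date.fromisoformat(row["date"])
        cve_id = row["cve"]
        if cve_id not in earliest or published < earliest[cve_id]:
            earliest[cve_id] = published
    return earliest


def exploit_lag_days(nvd_dates: dict, exploit_dates: dict) -> dict:
    """Days from CVE publication to first exploit; negative = exploit came first.

    CVEs without any public exploit are left out of the statistic.
    """
    return {
        cve_id: (exploit_dates[cve_id] - nvd_dates[cve_id]).days
        for cve_id in nvd_dates
        if cve_id in exploit_dates
    }


def summarise(lags: dict) -> dict:
    """Counts and percentages in the two categories used in the post."""
    total = len(lags)
    before_or_same = sum(1 for d in lags.values() if d <= 0)
    within_10 = sum(1 for d in lags.values() if -10 <= d <= 10)
    return {
        "total": total,
        "before_or_same_day": before_or_same,
        "within_10_days": within_10,
        "pct_before_or_same_day": round(100.0 * before_or_same / total, 1) if total else 0.0,
        "pct_within_10_days": round(100.0 * within_10 / total, 1) if total else 0.0,
    }


def run() -> dict:
    """Full pipeline over the constructed sample data."""
    lags = exploit_lag_days(load_nvd_dates(NVD_FEED), first_exploit_dates(EXPLOITS_CSV))
    return summarise(lags)


if __name__ == "__main__":
    for cve_id, lag in sorted(exploit_lag_days(load_nvd_dates(NVD_FEED),
                                               first_exploit_dates(EXPLOITS_CSV)).items()):
        print(f"{cve_id}: exploit {lag:+d} days relative to CVE publication")
    print(run())
```

Note that a CVE with several exploits is counted once, by its earliest one, and a CVE with no public exploit is excluded rather than counted as "never exploited"; with the real feeds the join key also has to cope with exploits that reference several CVEs.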
Time is crucial in cyberspace operations. In high-risk domains, critical vulnerabilities should be patched within 24 hours of the patch becoming available. If a vendor cannot provide a patch in time, mitigating measures should be applied; in the worst case, the affected systems must be disconnected from the internet.
Remember the Equifax breach of 2017, which exploited CVE-2017-5638 in Apache Struts after a patch had long been available.
Have a good weekend.
References
- CISA. Top 10 Routinely Exploited Vulnerabilities [Internet]. National Cyber Awareness System. 2020 [cited 16 May 2020]. Available at: https://www.us-cert.gov/ncas/alerts/aa20-133a
- Zorz Z. Have you patched these top 10 routinely exploited vulnerabilities? [Internet]. Help Net Security. 2020 [cited 14 May 2020]. Available at: https://www.helpnetsecurity.com/2020/05/13/routinely-exploited-vulnerabilities/