Over the last five years, there has been a 183% increase in the number of disclosed vulnerabilities, according to new research by Tenable.
The “2020 Threat Landscape Retrospective,” released Thursday, provided an overview of key vulnerabilities disclosed or exploited throughout 2020, as well as trends that impacted the year including breaches and ransomware attacks. The report was compiled by three members of Tenable’s security response team — Scott Caveza, research engineering manager, Satnam Narang, staff research engineer, and Rody Quinlan, research engineer — and includes data and disclosures through December 31, 2020.
The researchers discovered concerning data regarding CVEs, both in sheer numbers and a lack of patching. In total, 18,358 new CVEs were assigned in 2020. According to the report, from 2015 to 2020, the number of reported CVEs increased at an annual percentage growth rate of 36.6%.
“The 18,358 CVEs reported in 2020 represent a 6% increase over the 17,305 reported in 2019 and a 183% increase over the 6,487 disclosed in 2015,” the report said. “The fact that for the last three years, we have seen over 16,000 CVEs reported annually reflects a new normal for vulnerability disclosure.”
Unpatched vulnerabilities are a far bigger problem than zero-days, according to the report. “This low-hanging fruit is favored by nation-state actors and run-of-the-mill cybercriminals alike. While zero-day vulnerabilities are often leveraged as part of targeted attacks, unpatched vulnerabilities are targeted en masse, posing a much greater threat,” the researchers wrote in the report.
Narang told SearchSecurity that threat actors find value in taking existing proof-of-concept (PoC) codes for disclosed vulnerabilities and folding them into their attacks, rather than trying to discover and develop zero-day vulnerabilities.
“That is one reason the government alerts talk about how zero-days are great and valuable for attackers, but the cost associated with developing a zero-day and spending the time and energy to develop it yourself, or purchasing one, is prohibitive when you have all these unpatched systems out there with public PoCs. It’s like a no-brainer,” he said.
The availability of a public PoC is an important factor in deciding whether and how urgently to patch, although many security teams rely solely on the Common Vulnerability Scoring System (CVSS). The system is scored one to 10, with 10 being the most critical. Every CVE is assigned a CVSS score, and some are also given a name and logo. However, according to the report, some severe though nameless vulnerabilities get overshadowed by the high-profile ones.
“‘Headline’ vulnerabilities tend to be the ones that attract the most attention from the media and business leaders, putting pressure on security professionals to respond even if the threat to the business is low,” the report said. “Our review of high-profile vulnerabilities in 2020 reveals that not every critical vulnerability had a name and logo given to it. Conversely, not every vulnerability with a name and logo should be seen as critical.”
While the CVSS helps in certain cases, providing context and an easy way to reference vulnerabilities, said Narang, it’s also important to look past the logo and name and get into the details.
“Any time you see a CVSS 10, that’s a pretty sure-fire way to know, ‘I need to drop what I’m doing and take care of this as soon as possible,’” he said. “But not every headline or noteworthy vulnerability is going to require the same amount of attention. One example we point to is ‘BootHole’. That was a vulnerability that got a logo and a name, and it affects Linux and Windows devices, bypasses secure boot. It’s an interesting vulnerability, but in the grand scheme of things, it’s probably not the most severe thing you need to panic and worry about.”
Meanwhile, there are critical vulnerabilities that received less attention. For example, Narang pointed to Oracle WebLogic vulnerabilities that are often published quarterly as part of Oracle’s Critical Patch Update. “Those ones do get exploited in the wild, sometimes as zero-days, sometimes after researchers have published PoC. Those don’t have names, but those are actually pretty severe, too.”
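The prioritization argument above (CVSS as a baseline, public PoC and in-the-wild exploitation as the real urgency signals, name and logo counting for nothing) can be turned into a small ranking rule. The code below is an added illustration, not Tenable's methodology: the three VPN CVE ids come from the article, while every CVSS score, exposure flag and the placeholder `CVE-YYYY-*` entries are constructed sample values, and the weights are assumptions chosen to show the ordering rather than a published scheme.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss: float               # CVSS base score, 0.0 to 10.0
    public_poc: bool          # a public proof-of-concept exploit exists
    exploited_in_wild: bool   # reported active exploitation
    named: bool               # has a marketing name and logo (ignored on purpose)
    internet_facing: bool     # affected asset is reachable from the internet


def priority(v: Vuln) -> float:
    """Higher means patch sooner. CVSS is the baseline; exploitation evidence
    and a public PoC raise it; a name and logo change nothing (assumed weights)."""
    score = v.cvss
    if v.exploited_in_wild:
        score += 4.0          # attackers already use it: top of the queue
    elif v.public_poc:
        score += 2.0          # cheap for attackers to fold into existing campaigns
    if v.internet_facing:
        score += 1.5          # a gateway into the network, like the 2019 VPN flaws
    return round(score, 1)


def tier(v: Vuln) -> str:
    """Map a vulnerability to an SLA bucket; a bare CVSS 10 is always immediate."""
    s = priority(v)
    if v.cvss >= 10.0 or s >= 12.0:
        return "immediate"
    if s >= 8.0:
        return "this-sprint"
    return "routine"


def rank(vulns):
    """Sort highest priority first, CVSS as tie-break; stable for equal scores."""
    return sorted(vulns, key=lambda v: (priority(v), v.cvss), reverse=True)


# Constructed sample inventory (scores and flags are illustrative, not looked up).
INVENTORY = [
    Vuln("CVE-2018-13379", 9.8, True, True, False, True),
    Vuln("CVE-2019-11510", 10.0, True, True, False, True),
    Vuln("CVE-2019-19781", 9.8, True, True, False, True),
    Vuln("CVE-YYYY-NAMED", 8.2, True, False, True, False),   # headline bug, local only
    Vuln("CVE-YYYY-QUIET", 9.8, True, True, False, True),    # nameless but exploited
    Vuln("CVE-YYYY-LOWRISK", 5.3, False, False, False, False),
]

if __name__ == "__main__":
    for v in rank(INVENTORY):
        print(f"{v.cve:18} cvss={v.cvss:4} priority={priority(v):5} tier={tier(v)}")
```

The nameless-but-exploited entry lands in the same tier as the three VPN flaws, while the named-and-logoed one drops below them, which is the point the researchers make.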
The ‘new normal’
With vulnerability disclosures increasing at a rapid rate as the report shows, Tenable researchers call it the “new normal.” The high number of new vulnerabilities may be a result of more researchers, bug hunters and companies spending money on bug bounties.
“I think that’s a major factor,” Narang said. “I think the value of bug bounty programs and incentivizing researchers to find and disclose vulnerabilities plays a big part, and you just have more people in the game, basically looking for bugs at the end of day.”
The increase in vulnerabilities wasn’t the only concerning trend in Tenable’s research. As of Oct. 30, the report identified 730 public breach events and 22 billion exposed records for the year. Additionally, it determined that over 35% of zero-day vulnerabilities are browser-based and uncovered 18 ransomware groups operating leak sites.
“Ransomware remains the biggest threat to organizations today,” the researchers wrote in the report. “For ransomware, extortion is the key: ransomware remains the most disruptive global cyberthreat.”
Unpatched vulnerabilities and data breaches were both exacerbated by ransomware attacks.
Unpatched vulnerabilities leave sensitive data and systems exposed, “representing lucrative opportunities for ransomware actors.” The report found that over 35% of breaches are linked to ransomware attacks, “resulting in an often-tremendous financial cost.”
2019 vulnerabilities still looming
While 2020 was full of attacks, breaches and incidents, stemming from increased remote work and the SolarWinds hack on top of the usual risks, it’s vulnerabilities from 2019 that still concern Tenable — specifically, VPN vulnerabilities.
“If you look at our top five for 2020, three of them are from 2019, so it’s kind of significant to say, of all the 18,000 vulnerabilities in 2020, Tenable is saying these three vulnerabilities from 2019 are the ones you need to focus on, it’s because they are still a problem,” Narang said.
Those three are CVE-2018-13379: Fortinet FortiOS SSL VPN Web Portal Information, CVE-2019-11510: Arbitrary File Disclosure in Pulse Connect Secure and CVE-2019-19781: Citrix Application Delivery Controller (ADC) and Gateway. Patches were issued for all three flaws in 2019.
“They’re being leveraged by not only your average very determined nation-state actors, as evidenced in the government alerts. I think kind of stressing and emphasizing how important it is to patch these vulnerabilities in particular, because it’s a gateway into your network is a huge, huge lift for all of us.”
As for overall vulnerability disclosures, the situation doesn’t seem to be improving in the first month of 2021. In a blog post Tuesday, Tenable researchers noted that in the first Patch Tuesday of 2021, Microsoft addressed 83 CVEs, 10 of which are rated critical.
“This is a 69% increase in the number of CVEs patched compared to January 2020,” the blog post said.