Low-complexity CVEs a growing concern

Easy-to-exploit common vulnerabilities and exposures, or CVEs, appear to be on the increase as a proportion of the total volume of disclosed bugs, heightening concern for cyber security teams, according to a report.

Managed detection, response and pen-testing specialist Redscan analysed over 18,000 CVEs that were filed away in the US National Institute of Standards and Technology’s (NIST’s) National Vulnerability Database (NVD) over the course of 2020.

The report, NIST security vulnerability trends in 2020: An analysis, revealed that not only were more CVEs lodged in 2020 than in any other year to date – 18,103 or an average of 50 every day – 10,342 (57%) of them were classified as being of critical or high severity. The report said 63% of them were of low complexity, and 68% of them required no user interaction to exploit.

Redscan said this trend should be of concern to defenders, highlighting the need for organisations to zero in on their patch-management efforts, and adopt more advanced approaches to vulnerability management.

“When analysing the potential risk that vulnerabilities pose, organisations must consider more than just their severity score. Many CVEs are never or rarely exploited in the real world because they are too complex or require attackers to have access to high level privileges,” said Redscan threat intelligence head George Glass.

“Underestimating what appear to be low risk vulnerabilities can leave organisations open to ‘chaining’, in which attackers move from one vulnerability to another to gradually gain access at increasingly critical stages,” he said.

According to Glass, complexity is one of the more important aspects to consider when assessing the risk vulnerabilities pose, and the timeframes for in-the-wild exploitation. Low-complexity CVEs, he explained, lend themselves to quick, mass exploitation because attackers do not need to consider extenuating factors or attack path issues.

Things become even more problematic once exploit code filters into the public domain and low-skilled malicious actors pick it up.

Additionally, the prevalence of low-complexity vulnerabilities gives more highly skilled cyber criminals leeway to save up their high-complexity zero-days for future, targeted attacks, rather than burning them right away.

This said, on the positive side, Redscan observed a decrease in CVEs that need no elevated privileges to exploit, down from 71% of the total in 2016, to 58% last year. There was also a spike in physical and adjacent vulnerabilities, which can be read as a positive development overall, as it likely reflects more rigorous testing of internet of things sensors and other smart devices.

“Analysis of the NIST NVD presents a mixed outlook for security teams,” said Glass. “Vulnerabilities are on the rise, including some of the most dangerous variants. However, we’re seeing more positive signs, including a drop in the percentage of vulnerabilities which require no user privileges to exploit.”

Redscan said the trend outlook for 2021 looked roughly similar, with malicious actors increasingly hitting organisations viewed as soft targets, such as those that fail to patch edge networking kit. The number of vulnerabilities disclosed will also continue to increase.

The firm shared some pointers on how to adopt a more multi-layered approach to vulnerability management, advising security teams to conduct internal and external vulnerability assessments on a monthly basis; to take advantage of open source threat intelligence; to invest in penetration testing; to closely monitor networks and endpoints; to conduct tabletop threat-modelling exercises to figure out potential attack paths; and to formalise and test incident response procedures.