A new vulnerability management user guide offers results from 2021 vulnerability management scans, and explains what factors influence the criticality of vulnerabilities, why it is necessary to quickly eliminate trending vulnerabilities, details mistakes companies often make in identifying threats, and offers steps for optimizing the process of prioritizing vulnerabilities.
Positive Technologies experts analyzed data obtained during 2021 pilot projects of its MaxPatrol VM, a next-generation vulnerability management system, in which they scanned more than 15,000 nodes in government, scientific, education, financial, and telecom companies.
The scans detected an average of 31,066 vulnerabilities during each pilot project, while critically dangerous vulnerabilities were detected in all project. On average, more than 800 vulnerabilities in company infrastructures are extremely dangerous and immediate actions are required for their elimination. Positive Technologies experts refer to them as trending vulnerabilities, as they are actively used in attacks or highly likely to be exploited in the near future.
Positive Technologies experts emphasize the need to prioritize vulnerabilities based on how greatly they increase the feasibility of unacceptable events for companies, since not all vulnerabilities, even those with critical or high risk, can negatively affect the most valuable assets of a company.
Yana Yurakova, Analyst at Positive Technologies, comments: «We believe there are two factors that must be taken into account when prioritizing the elimination of vulnerabilities: The significance and accessibility of the asset on which the vulnerability was discovered, and the degree of danger of the vulnerability itself—how probable it is that the attacker will exploit it. Security professionals often forget about the first factor and focus only on the second. However, we believe all factors must be taken into consideration.»
Table 1. Examples of trending vulnerabilities discovered during Positive Technologies MaxPatrol VM pilot projects
| Vulnerability type | Target | Vulnerability identifier | CVSS score |
|---|---|---|---|
| Remote code execution | Apache Log4j | CVE-2021-44228 | 10,0 |
| Remote code execution | Windows DNS server | CVE-2020-1350 | 10,0 |
| Privilege escalation (Zerologon) | Netlogon | CVE-2020-1472 | 10,0 |
| Remote code execution (BlueKeep) | RDP | CVE-2019-0708 | 9,8 |
| Remote code execution | Internet Information Services (IIS) | CVE-2021-31166 | 9,8 |
| Remote code execution | Apache Tomcat AJP | CVE-2020-1938 | 9,8 |
| Bypassing authentication | libc in OpenBSD 6.6 | CVE-2019-19521 | 9,8 |
| Remote code execution | MSHTML engine | CVE-2019-0541 | 8,8 |
| Remote code execution (Bad Neighbor) | Windows TCP/IP | CVE-2020-16898 | 8,8 |
| Remote code execution (PrintNightmare) | Windows Print Spooler Service | CVE-2021-34527 | 8,8 |
| Escalation of privileges | Windows Print Spooler Service | CVE-2021-1675 | 8,8 |
| Remote code execution (MS17-010) | SMBv1 | CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148 |
8,1 |
| Data spoofing | Windows CryptoAPI | CVE-2020-0601 | 8,1 |
| Remote code execution (ProxyLogon) | Microsoft Exchange Server | CVE-2021-26855, CVE-2021-27065 |
9,8 и 7,8 |
| Escalation of privileges | Windows Win32k | CVE-2021-1732 | 7,8 |
| Escalation of privileges | Windows Kernel | CVE-2020-17087 | 7,8 |
According to Positive Technologies experts, before identifying vulnerabilities, organizations should make sure that node scanning is performed correctly. The vulnerability management process must cover the entire IT infrastructure of the company. Check that all assets are identified and make sure that if new hosts appear or systems are disabled, the list of hosts to be scanned is updated to reflect those changes. Otherwise, an important asset, such as a 1C server or a domain controller, may not be scanned.
To do this, organizations should consistently implement the following steps:
- Identify which events may cause unacceptable damage to your company, determine key and target systems, and rank assets in terms of importance.
- Assess the consequences of vulnerability exploitation. Understand what attackers can do if they exploit a vulnerability.
- Rank the vulnerabilities by the availability of a public exploit or a PoC.
- Assess the availability of the system for attackers and determine which privileges criminals need to exploit the vulnerability.
- Determine the CVSS score of the vulnerability.
Positive Technologies believes this approach will help enterprises fix the most dangerous vulnerabilities on truly important assets first. Only when the most important systems are protected should organizations address vulnerabilities on less important assets, using the same approach.
Access the full vulnerability management user guide at https://www.ptsecurity.com/ww-en/analytics/vulnerability-management-instructions-for-use/ and learn more about MaxPatrol VM here: https://www.ptsecurity.com/ww-en/products/mp-vm/.
