News

So Many CVEs, So Little Time: Zero In and ‘Zero Click’ into the Current Vulnerability Landscape

Read Time:7 Minute, 29 Second

Among the thousands of vulnerabilities disclosed so far in 2022, we highlight five and explain why they matter.

With over 6,000 vulnerabilities disclosed this year, cyber security teams have faced, as usual, a challenge to keep up, especially as a number of these software bugs have captured significant media attention. In this article, we’ll provide guidance and clarity on five vulnerabilities that gained the spotlight in the news to help you better understand why they had an impact and why they all should be on your radar screen. As you will read, these vulnerabilities share common traits, and a closer examination of them offers insights into the breadth and depth of the current vulnerability landscape. 

CVE

Description

VPR*

CVE-2022-1096

Google Javascript V8 Chrome Engine Vulnerability

9.5**

CVE-2022-0847

Dirty Pipe – Linux Kernel Vulnerability

9.8**

CVE-2022-26809

Zero-click – Microsoft RPC Vulnerability

9.6**

CVE-2022-22965

Spring4Shell – Spring Core Framework Vulnerability

9.8

CVE-2022-1388

F5 BIG-IP Vulnerability

9.7

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on June 8 and reflects VPR at that time.

** Tenable’s Vulnerability Priority Rating (VPR) scores were first made available for the CVE ahead of National Vulnerability Database (NVD) original details disclosure date.

Note: We refer in this blog post to “ahead of NVD” as the various actions that Tenable took before details for a given vulnerability were made available by NVD. Specifically:

Ahead of NVD coverage – Tenable released a plugin for the first time before NVD published any details for the CVE.
Ahead of NVD VPR – Tenable provided VPR scores before NVD scored the CVE and provided related CVSS v2/v3 scores.

Zero in: Vulnerability Prioritization

A VPR/CVSS v3 comparison is summarized in the table below for the considered vulnerabilities. 

CVE

NVD Disclosure Date

VPR

NVD CVSS v3 score

CVE-2022-1096

N/A

9.6

 (as of blog post publication date)

N/A

CVE-2022-0847

March 10, 2022

9.4 

(as of March 9, 2022)

7.8

CVE-2022-26809

April 15, 2022

9.2 

(as of April 14, 2022)

9.8

CVE-2022-22965

April 1, 2022

9.5 

(as of April 1, 2022)

9.8

CVE-2022-1388

May 5, 2022

9.2 

(as of May 6, 2022)

9.8

As you will read in more detail in the remainder of the blog post, Tenable provided VPR coverage ahead of NVD for most of the critical vulnerabilities highlighted to help prioritize Vulnerability Management discoveries.

CVE-2022-1096 | Google Chrome

Highlights: Ahead of NVD VPR / Ahead of NVD Coverage / Zero-day Vulnerability / Exploited in the Wild

On March 23, Google announced a zero-day vulnerability in the Google JavaScript V8 Chrome engine potentially impacting billions of users. Reserved with the CVE-2022-1096 identifier on the NVD, it is a type-confusion vulnerability affecting Chrome’s core. 

As Google reported, it has been confirmed that this security flaw has been exploited in the wild. Upon successful exploitation, the security flaw allows attackers to execute arbitrary code on the affected asset. 

Although the vulnerability was publicly disclosed by Google, its details haven’t yet been published in the NVD, whilst having a VPR score of 9.5 (as of the date of publication of this blog post). Tenable also provided Nessus plugin coverage ahead of NVD as of March 25.

Exploitation and how Tenable helps

As of today, there are no public proof-of-concept (PoC) exploits available, although the vulnerability has been exploited in the wild. Google released an emergency update with a security fix in Chrome 99.0.4844.84. A patch is also available for Chromium-based Microsoft Edge. Other Chromium-based browsers include Opera, Samsung Internet and Amazon Silk to mention some. Recommended action: update as per availability.

CVE-2022-0847 | Linux Kernel 

Highlights: Ahead of NVD VPR / Ahead of NVD Coverage 

Reported on February 20 and reserved in the NVD as CVE-2022-0847, this vulnerability also known as Dirty Pipe affects the Linux kernel 5.8, and allows attackers to overwrite data in arbitrary read-only files upon successful exploitation. 

Although it was disclosed in the NVD on March 10, Tenable provided ahead of NVD plugin coverage as of March 7. Also worth noting is that a VPR of 9.8 better reflects the need of consideration for prioritization of this vulnerability in contrast to using CVSS v2 and v3 scores as per NVD, which are 7.2 and 7.8 respectively.

Exploitation and how Tenable helps

A PoC exploit for this vulnerability has been released and a patch is available for this vulnerability. 

CVE-2022-26809 | Microsoft

Highlights: Ahead of NVD VPR / Ahead of NVD Coverage / Zero-Click 

With more than a million potentially impacted machines, this vulnerability is likely eliciting bad WannaCry memories among many security teams. 

On April 12, Microsoft announced a remote code execution (RCE) vulnerability affecting Microsoft RPC. Reserved as CVE-2022-26809 in the NVD, this vulnerability, known as “Zero Click,” allows an unauthenticated, remote attacker to perform a remote code execution by sending “a specially crafted RPC call to an RPC host”. Zero Click attacks can compromise a device without the owner’s actions such as opening links or downloading apparently legitimate files. Such attacks are sophisticated and completely bypass user interaction. 

The vulnerability was added to the NVD on April 15. Tenable provided ahead of NVD plugin coverage on April 12. 

Exploitation and how Tenable helps

On April 20, Microsoft provided guidance for mitigation. A patch is available for this vulnerability. Worth noting that on the day of releasing this article, this vulnerability has not been exploited and no PoC exploit has been made available yet. For more information on this vulnerability and Tenable product coverage, check out our Microsoft Patch Tuesday alert from Tenable Research.

CVE-2022-22965 | Spring Core Framework

Highlights: Ahead of NVD Coverage / Zero-day Vulnerability

Discovered on March 30, this vulnerability is better known as Spring4Shell. Reserved as CVE-2022-22965 in the NVD, it is an RCE vulnerability affecting the Spring Core Framework

It was disclosed in the NVD on April 1st. Tenable provided ahead of NVD plugin coverage as of March 31. 

Exploitation and how Tenable helps

Exploit for this vulnerability is known and there’s a patch available. For more information on this vulnerability and Tenable product coverage, read our Cyber Exposure Alert from the Tenable Security Response Team. 

CVE-2022-1388 | F5 BIG-IP

Highlights: CISA-Known Exploit / Exploited in the Wild

Announced on May 4 and reserved as CVE-2022-1388 in the NVD, this authentication bypass vulnerability affects the REST component of BIG-IP’s iControl API. This vulnerability allows undisclosed requests to possibly bypass iControl REST authentication.

Exploitation and how Tenable helps

A PoC has been released for this vulnerability and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its catalog of known exploited vulnerabilities. A list of Tenable plugins to identify this vulnerability can be found here. A patch is available. For more information on this vulnerability and Tenable support, read our Cyber Exposure Alert from the Tenable Security Response Team. 

Conclusion

This article provided awareness of some critical vulnerabilities that security teams should have pinned on their maps, as they pursue proper and proactive cyber hygiene in their IT environments. 

These five vulnerabilities are admittedly only the tip of the overall vulnerabilities iceberg, but they represent the variety of challenges and complexities in the current vulnerability landscape. They are examples of critical vulnerabilities that a proactive security team must be aware of and prepared for so that they can protect their organizations from attacks. 

Indeed, the highlighted vulnerabilities do not have the same impact across the board and the nature, concerns and remediation complexity of each of them varies wildly, from the insider threat concern behind Dirty Pipe to critical bug fixes where a patch can be easily applied. Other cases, such as the Linux kernel vulnerability, might require significant downtime. These are all elements that we suggest you factor into your remediation approach. 

It is worth mentioning how Tenable provided VPR scores and plugin coverage ahead of NVD coverage for most of the highlighted vulnerabilities. To shed some light on the area: the process of defining vulnerabilities in the NVD can be a lengthy one due to its by-design formalization rules. At Tenable, we aim to offer a proactive approach to vulnerability management and fast-response detection and we advise that you do too. 

Learn More

Download Tenable’s 2021 Threat Landscape Retrospective
Attend the webinar: Tenable Research 2021 Recap and Defender’s Guidance for 2022
Read the blogs: 

https://www.tenable.com/blog/the-2021-threat-landscape-retrospective-targeting-the-vulnerabilities-that-matter-most
https://www.tenable.com/blog/behind-the-scenes-how-we-picked-2021s-top-vulnerabilities-and-what-we-left-out

Follow our Cyber Exposure Alerts

 

Read More