- November 1, 2022
- Kevin Swartz
This week, Nucleus released our CISA KEV Enrichment Dashboard – a free tool put together by our security research team which enables people to quickly analyze known and exploitable vulnerabilities identified by CISA. By sorting, searching, and exporting the data from this Dashboard, you are able to quickly identify trends and insights about the CISA KEV vulnerabilities included, such as the vendors and products who appear on the list most often, or how often new vulnerabilities have appeared on the KEV list throughout its history.
To give you a better idea of some of the ways that you can pull insights and information from our Enrichment Dashboard, we put together this report of Top Observations from the CISA KEV Enrichment Dashboard, pulled from data as of October 11th, 2022. Enjoy!
The Top 5 Most Exploited Vendors on CISA KEV
The top five most common vendors that appear on the CISA KEV list, as of this writing, include Microsoft, Adobe, Cisco, Apple, and Google, making up more than 53% of all vendors.
Microsoft, Google, and Apple also make the top 5 vendor list for the total number of “distinct” vulnerabilities in the NVD (National Vulnerability Database). On the NVD, Cisco has the 8th most “distinct” vulnerabilities and Adobe the 18th; Oracle and Debian take their spots in the NVD top 5.
This is not a large surprise, given that Microsoft produces the most common operating system, the most common office suite, and one of the most common web browsers. Adobe also produces Acrobat, Reader, Flash, and ColdFusion. That is enough on its own to get someone onto a list like this. Cisco is tied with Adobe, which makes sense when you look at the specific products: it is Cisco’s network products, by and large, that are getting onto this list.
This speaks to the urgent need to keep your network equipment up to date as it often has a more accessible attack surface.
Apple is also an operating system vendor, in addition to producing a popular web browser, but the overwhelming majority of their vulnerabilities on the CISA KEV list are in their operating systems, including their mobile operating systems. There is a popular conception that Apple devices are inherently secure, so it is very important to note that just buying Apple products is not enough to keep you secure. You also must keep them up to date.
Google rounds out the top five list largely due to vulnerabilities in Chrome, the most popular web browser. However, it’s worth noting that CISA tracks Google and Android separately. If you lump these two together, Google ties with Apple.
The Top 5 Most Exploited Products on CISA KEV
The five most common products featured on the CISA KEV list are Microsoft Windows, Adobe Flash Player, Microsoft Internet Explorer, Microsoft Office, and Google Chrome. This is vastly different from the top 5 products that make up the highest total number of “distinct” vulnerabilities in the NVD (National Vulnerability Database), which are Debian Linux, Android, Fedora, Ubuntu, and Mac OS X.
It is noteworthy that two of the products on the list are “end of life,” meaning that the software is outdated or no longer being supported by the manufacturer.
The default answer for Adobe Flash is no longer to keep it up to date, but rather to uninstall it entirely. Eradicating Internet Explorer can be slightly more difficult since some versions of Windows do not make uninstalling it an option, and since content specific to Internet Explorer is still relatively common on corporate intranets.
Even so, keeping Internet Explorer up to date and putting rules in your web proxy to keep Internet Explorer off the public Internet would be prudent.
Avoiding Microsoft Windows, Microsoft Office, and Google Chrome isn’t practical for most organizations, and it is important to note that the alternatives to Windows and Chrome, at the very least, are also on this list.
Comparing CVSS Score Distributions: CISA KEV vs. NVD
CISA KEV exposes some of the primary weaknesses in CVSS scoring. Many organizations use CVSS to decide and prioritize which vulnerabilities to patch, with most using a CVSS score of 7 or higher to determine which vulnerabilities to remediate.
However, 12% of vulnerabilities that are confirmed as exploited by CISA have a CVSS score below 7.0. This demonstrates that organizations that prioritize remediation solely based on CVSS are leaving themselves wide open to vulnerabilities that have been or are actively being exploited in the wild.
88% of CISA KEV vulnerabilities have a CVSS rating of high or critical (a CVSS score of 7.0 or higher), whereas only 58% of all CVEs published by NVD do. CISA KEV therefore layers in a more targeted list of CVEs for vulnerability prioritization, one that CVSS largely validates as high risk.
Comparing EPSS Score Distributions: CISA KEV vs. NVD
While EPSS does offer vulnerability scoring, it is likely a better indicator of predicting future candidates to be included in the CISA KEV catalog, rather than a tool to prioritize vulnerabilities already in the CISA KEV list. In fact, the creators of EPSS recommend ignoring EPSS when other intelligence indicates a vulnerability has been exploited, likely because of this reason.
When looking at the Dashboard, 51% of CISA KEV vulnerabilities (429/839) have an EPSS score lower than 0.1, which signifies a less than 10% probability of being exploited in the next 30 days, whereas 33% of CISA KEV vulnerabilities have an EPSS score higher than 0.5, or a greater than 50% probability of being exploited in the next 30 days.
However, when looking at the EPSS scoring distribution across the NVD, only 1.4% of all vulnerabilities have a score of 0.5 or higher.
Therefore, we recommend using EPSS as a predictive indicator of which vulnerabilities could be future candidates for landing on the CISA KEV list, and prioritizing confirmed exploitation intelligence such as CISA KEV and GreyNoise over predictive indicators like EPSS in your vulnerability prioritization strategy.
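The prioritization strategy described above, written out as an added example (not code from the Nucleus Dashboard): confirmed exploitation (KEV membership or GreyNoise traffic) outranks everything, EPSS is only used as the predictive signal for vulnerabilities with no confirmed exploitation, and CVSS is the final tie-breaker. The 0.5 EPSS threshold for the "likely future KEV candidate" tier and the sample CVE IDs and scores are constructed assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Vuln:
    cve: str
    cvss: float         # NVD base score, 0.0-10.0
    epss: float         # EPSS probability of exploitation in the next 30 days, 0.0-1.0
    in_kev: bool        # present in the CISA KEV catalog
    greynoise_ips: int  # unique IPs seen scanning/exploiting it in the past 90 days (0 = none)


def priority_key(v):
    """Rank tuple; higher sorts first. Tier 2 = confirmed exploitation (KEV or GreyNoise),
    ranked by observed traffic then CVSS, with EPSS ignored as its authors advise.
    Tier 1 = not confirmed but EPSS >= 0.5 (assumed threshold for a likely future KEV
    candidate). Tier 0 = everything else, ranked by EPSS then CVSS."""
    if v.in_kev or v.greynoise_ips > 0:
        return (2, v.greynoise_ips, v.cvss)
    tier = 1 if v.epss >= 0.5 else 0
    return (tier, v.epss, v.cvss)


def prioritize(vulns):
    """Return CVE IDs in recommended remediation order."""
    return [v.cve for v in sorted(vulns, key=priority_key, reverse=True)]


def missed_by_cvss_policy(vulns, threshold=7.0):
    """Confirmed-exploited (KEV) CVEs that a 'patch only CVSS >= threshold' rule would skip."""
    return [v.cve for v in vulns if v.in_kev and v.cvss < threshold]


# Constructed sample: placeholder CVE IDs and made-up scores, not real catalog data.
SAMPLE = [
    Vuln("CVE-EXAMPLE-A", cvss=6.5, epss=0.02, in_kev=True, greynoise_ips=0),
    Vuln("CVE-EXAMPLE-B", cvss=9.8, epss=0.90, in_kev=False, greynoise_ips=0),
    Vuln("CVE-EXAMPLE-C", cvss=7.5, epss=0.01, in_kev=True, greynoise_ips=37),
    Vuln("CVE-EXAMPLE-D", cvss=9.1, epss=0.05, in_kev=False, greynoise_ips=0),
]

if __name__ == "__main__":
    print("remediation order:", prioritize(SAMPLE))
    print("skipped by a CVSS >= 7 policy:", missed_by_cvss_policy(SAMPLE))
```

Note that CVE-EXAMPLE-A (CVSS 6.5, in KEV) lands ahead of CVE-EXAMPLE-B (CVSS 9.8, EPSS 0.9, not exploited), which is exactly the case a CVSS-only threshold would get backwards.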
GreyNoise Scan and Exploitation Traffic
Over a 90-day period, GreyNoise detected 145 unique CISA KEV Catalog vulnerabilities that had scanning and exploitation traffic in the wild. GreyNoise provides this insight by monitoring and analyzing scanning and exploitation traffic around the world via its global passive sensor network. Threat intelligence like this provides further validation of the value of using multiple threat feeds for discovering exploitation, which should be used to prioritize vulnerability remediation.
- GreyNoise Traffic – This field shows the number of unique IP addresses actively scanning for this specific CVE in the past 90-days.
- GreyNoise Tag – This field links to the GreyNoise Tag Trends page for each CVE, providing a time-series look at active exploitation traffic (note: GreyNoise does not cover all the CVEs in CISA KEV).
GreyNoise has also performed additional analysis on CISA KEV exploitation earlier this year: https://www.greynoise.io/blog/evaluating-cisa-kev
The Distribution of CISA KEV CVEs by Year
Despite the fact that the CISA KEV list was first released in November 2021, it still has vulnerabilities listed that date back two decades, to 2002. This leads us to believe that there is a high probability that legacy software deemed “End of Life” is still present and actively being exploited today. Otherwise, what benefit would CISA have from adding these vulnerabilities to the list? In the future, it would be advantageous for CISA to provide the most recent case of exploitation for each CVE, so that users could have a better idea of whether a vulnerability in the catalog is still actively being exploited.
End of life software is a challenge for organizations of any size. Microsoft offers paid extended support for its end of life products, which includes keeping updates available and producing updates that fix newly discovered vulnerabilities.
The extended support comes at a cost, and if you didn’t purchase extended support for Windows 7 when it went end of life, you don’t have the option to go back and purchase it now. But if you have a support agreement for end of life software, which Federal agencies generally do, make sure you are using that agreement and deploying those updates.
The paid support is expensive, but you probably have a pretty good idea whether all of your Windows Server 2016 and Windows 10 systems are going to be turned off or upgraded to a newer version by the year 2026. If you don’t think you are going to make it, you need to be planning to purchase support for as many years as you need to finish migrating those systems. The time to be planning is now, not in 2024 or 2025.
If you have older systems that have already gone end of life and you don’t have paid support for them, you need to take an honest assessment of the risk those systems pose using the CISA KEV and other sources of vulnerability intelligence, and then weigh that risk against the business risk. The accepted industry standard for risk acceptance is to keep a risk register and review each item annually to ensure that the risk is still acceptable.
CISA KEV Vulnerability Additions Over Time
When CISA launched the initial list of vulnerabilities back in November 2021, they started with a list of 250+ vulnerabilities. Since then, trends show that new additions to the list continue at a frequency of about once a week. However, the volume of new vulnerabilities that are added during each addition has dropped, showing a downward trend in new known exploited vulnerabilities. Most weekly KEV additions are now in the single digits when it comes to unique CVEs added, which makes it much easier for remediation teams who are required to comply with the CISA BOD 22-01 remediation due dates.
One question worth pondering: Could the spikes of larger additions to the catalog be coming from the incorporation of an intelligence partner or from an existing threat intelligence feed?
CISA KEV Due Dates
We frequently get the question, “What does the CISA KEV Due Date column mean?”
The CISA BOD 22-01 directive requires federal agencies to remediate known exploited vulnerabilities within a specific timeframe determined by CISA, counted from the date on which the vulnerability was added to the CISA KEV catalog. The resulting date is published in the CISA KEV catalog as the “Due Date.”
Many of the due dates are surprisingly aggressive and it’s great to see the urgency the US government is putting on remediating known exploitable vulnerabilities.
One oddity that you can observe when sorting by the CISA KEV due dates is that several of the CVEs that pre-date the list creation date show a negative number of days given to remediate. (They are hidden in the small percentage slices in the pie chart on the right.)
These appear to have been populated on the initial release date of the CISA KEV catalog, which leads us to believe that this list was being developed and used within CISA for years before being publicly released, demonstrating they likely eat their own dog food before releasing directives like this.
CISA KEV Additions By Day
Each time CISA KEV releases a new batch of additions to their catalog, our Nucleus security research team provides a Breakdown report of observations for the new additions to the catalog.
From when we first started this practice, we decided to track which days of the week new vulnerabilities were added to the CISA KEV list.
The good news for our researchers (and your vulnerability management team) is that, based on historical additions, new additions have only been added during weekdays.
Being realistic, this likely means the team managing this list probably works only on weekdays… and we appreciate that.
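The two checks behind the Due Dates and Additions By Day sections, as an added example that is not part of the original post or of the Nucleus Dashboard: the remediation window is the due date minus the date added, a negative window flags a back-filled entry, and tallying additions by weekday tests the weekdays-only observation. The sample feed is constructed, using the field names of CISA's public KEV JSON (cveID, dateAdded, dueDate); the CVE IDs and dates are made up for this example.

```python
import json
from collections import Counter
from datetime import date

# Constructed sample shaped like the public KEV JSON feed (cveID/dateAdded/dueDate are
# the catalog's field names; the entries below are made up for this example).
SAMPLE_KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-EXAMPLE-0001", "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
  {"cveID": "CVE-EXAMPLE-0002", "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
  {"cveID": "CVE-EXAMPLE-0003", "dateAdded": "2021-11-03", "dueDate": "2021-10-31"},
  {"cveID": "CVE-EXAMPLE-0004", "dateAdded": "2022-10-06", "dueDate": "2022-10-27"}
]}
"""

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def load_entries(raw=SAMPLE_KEV_JSON):
    """Parse the feed and return the list of catalog entries."""
    return json.loads(raw)["vulnerabilities"]


def remediation_windows(entries):
    """Days allowed to remediate under BOD 22-01: dueDate minus dateAdded, per CVE."""
    return {
        e["cveID"]: (date.fromisoformat(e["dueDate"]) - date.fromisoformat(e["dateAdded"])).days
        for e in entries
    }


def negative_windows(entries):
    """CVEs whose due date falls before the date they were added: the oddity noted above,
    which indicates the entry was back-filled rather than newly triaged."""
    return sorted(cve for cve, days in remediation_windows(entries).items() if days < 0)


def additions_by_weekday(entries):
    """Count catalog additions per day of the week."""
    return dict(Counter(WEEKDAYS[date.fromisoformat(e["dateAdded"]).weekday()] for e in entries))


def weekend_additions(entries):
    """Entries added on a Saturday or Sunday; empty if the weekdays-only pattern holds."""
    return [e["cveID"] for e in entries if date.fromisoformat(e["dateAdded"]).weekday() >= 5]


if __name__ == "__main__":
    kev = load_entries()
    print("remediation windows (days):", remediation_windows(kev))
    print("negative windows:", negative_windows(kev))
    print("additions by weekday:", additions_by_weekday(kev))
    print("weekend additions:", weekend_additions(kev))
```

Point `load_entries` at the real feed's JSON text to run the same checks against the live catalog.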
End of Life Products
The number of end-of-life products featured on the CISA KEV list is somewhat disturbing. We’ve already noted Adobe Flash and Microsoft Internet Explorer, but the oldest vulnerability on this list is a Microsoft vulnerability from 2002, a vulnerability in Windows NT4 and Windows 2000 that predates the release of Windows XP and Windows Server 2003.
A key piece of vulnerability management is lifecycle management. As a general rule, Microsoft supports its products for about 10 years after their release. If you have not made plans for migrating off Windows 10, Windows Server 2016, Microsoft Office 2016, or any other Microsoft product from that generation, the time to start is now. It is much easier and more cost-effective to phase products out over the course of five years than it is to replace all of them 12 months before their EOL date.
Of course, there will always be exceptions. When you are producing the risk acceptance for systems that will not be migrated to newer versions, the presence of any unpatched vulnerabilities on those systems needs to be part of the consideration as to whether this is an acceptable risk. It’s one thing when an end of life system that has all the publicly available patches on it persists in a network a decade after its EOL date. It is quite another when an unpatched system persists past its EOL date and the window of opportunity to update closes.
Consumer Products
We found it surprising that 31 of the vulnerabilities on this list are in consumer devices and not the kind of equipment you are likely to find in government or commercial environments. Many of them are inexpensive consumer routers, but we also found at least one network-attached storage product, as well as Pi-hole, a popular open-source project that turns a Raspberry Pi into an ad blocker for your entire home network.
There is certainly a common perception that threat actors are not interested in the data of private citizens and therefore have no reason to hack into home networks. The presence of these vulnerabilities on the CISA KEV list strongly suggests the opposite. If nothing else, home networks provide a convenient place for threat actors to gain persistence and to hide their actual origin.