Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
trellixTrellixTRELLIX:5DC3568E14E5D09CE5BB57AB5B0906C1
HistorySep 23, 2022 - 12:00 a.m.

Ancient CVEs Can Cause You Problems

2022-09-2300:00:00
www.trellix.com
8
JSON

Ancient CVEs Can Cause You Problems

By Kent Landfield · September 23, 2022

The Common Vulnerability and Exposures (CVE) Program was founded in 1999 for the purpose of giving individual cyber vulnerabilities an identifier that could be used as an interoperable means for identifying a specific vulnerability. Today CVE is used in all aspects of vulnerability identification and reporting. There is an urban myth that if there is a CVE issued, there is a fix associated. Yes, I have heard that many times over the years. That, however, is NOT the case. CVE’s are simply there to provide a common identifier for a specific vulnerability. It is up to the software publisher responsible for the software to decide to develop a remediation or patch to fix the problem.

Today, too many organizations are relying on the Common Vulnerability Scoring System, developed at FIRST.org, to decide when it is time to patch. Often the decision is to defer fixing until later, only to be overcome by events or forgotten. CVSS is a 0 to 10 scoring of a specific vulnerability. Sadly, vulnerability management programs rely too heavily on the CVSS Base score, produced by vendors and the National Vulnerability Database, in determining the severity and impact of the vulnerability on their operational practices. Vulnerability Management teams often rely solely on the CVSS score assigned to a specific CVE to decide whether or not to fix the CVE in their environment. The CVSS severity thresholds are as follows.

  • 0 = None
  • 0.1-3.9 = Low
  • 4.0-6.9 = Medium
  • 7.0-8.9 = High
  • 9.0 - 10.0 = Critical

What we have seen over the years is organizational vulnerability management teams map these scores directly into the remediation processes they follow. Vulnerabilities with a Low CVSS score are often ignored completely, Medium are quite often deferred to another time, while a vulnerability with a 7.0 and above generates a hair-on-fire “patch now” event.

I challenge anyone to tell me the operational impact difference between a 6.8 and a 7.0…

It has been known for more than a decade that malicious actors reverse engineering patches published by product vendors, on the day they are released, in order to determine the exact vulnerability / attack vector the patch was closing. They then incorporate these into their attack toolsets to better automate their ability to penetrate accessible organizational systems. They do not care if it was a low, medium or high vulnerability, as long as it achieves their goals. The problem is they have numbers on their side. If every single company, organization, government, and individual system applied the patch the day it was issued then this would have made reverse engineering operations a waste of time. But that was never the case and continues not to be the case today. Patches just don’t get applied in a timely fashion. ADVANTAGE MALICIOUS ACTORS!

This issue has not been just a product’s end-customer operational consideration. Software publishers have also fallen into this CVSS mindset. In the past, both in open source and the commercial development, we have seen a lack of urgency for the developer to fix a low to medium vulnerability. All too often CVEs with CVSS scores not considered important enough to fix at the time, were deferred until a later date or never fixed at all in the source.

Recently Trellix’s Advanced Research Center (ARC) team discovered the directory traversal vulnerability (CVE-2007-4559) still exists in the Python tarfile module being actively distributed and used globally today. Note the -2007- element of the CVE ID stands for the year the CVE was issued. This is a 15-year-old vulnerability not considered important enough to fix at the time. It is now found extensively across the internet in frameworks used by AWS, Facebook, Google and Netflix, and just about any site running Python.

At this point, fixing this CVE, whose CVSS score is 6.8, is much more complex, expensive and time consuming. Again, I challenge anyone to tell me the operational impact difference between a 6.8 and a 7.0…/p>

If CVE-2007-4559 were only an exception….

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently ordered federal agencies to patch a set of vulnerabilities that were just added to the Known Exploited Vulnerabilities (KEV) catalog. Of the six vulnerabilities recently added to the KEV, four had CVEs assigned in 2013 and one in 2010.

The Binding Operational Directive 22-01-Reducing the Significant Risk of Know Exploited Vulnerabilities issued in November of 2021 requires agencies to remediate vulnerabilities identified and added to the KEV.

If you are one of the organizations that bases their patching decisions on CVSS scores, do yourself a favor, subscribe to the KEV updates and add fixing those listed in the KEV catalog a priority in your vulnerability management process. It will be a positive step in the right direction.

It is time we reexamine each of our vulnerability management programs to assure we are not letting impactful and known CVEs continue to exist in our networks long past the time that vendor fixes are available. We need to evolve our practices to incorporate capabilities such as KEV into our operational vulnerability analysis decision making.

We keep making it too easy for malicious actors to cause us harm. You can do something about your own risks regardless of whether you are a software publisher or an end-user. Make the bad actors have to work harder. If you do, they may just pass by your systems for easier targets to compromise elsewhere.

_ This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. _

_ This document and the information contained herein describes computer security research for educational purposes only and the convenience of Trellix customers. Trellix conducts research in accordance with its Vulnerability Reasonable Disclosure Policy. Any attempt to recreate part or all of the activities described is solely at the user’s risk, and neither Trellix nor its affiliates will bear any responsibility or liability. _

Related

trellix 13
redhat 38
openvas 14
oraclelinux 10
fedora 3
osv 10
cbl_mariner 4
almalinux 10
nessus 49
veracode 1
rocky 1
cve 1
photon 2
ubuntucve 1
prion 1
thn 1
ibm 2
gentoo 1
hp 1
trellix
trellix
Tarfile: Exploiting the World With a 15-Year-Old Vulnerability
2022-09-21 00:00:00
Trellix Advanced Research Center patches 61,000 vulnerable open-source projects
2023-01-23 00:00:00
Trellix Advanced Research Center patches 61,000 vulnerable open-source projects
2023-01-23 00:00:00
redhat
redhat
(RHSA-2023:6659) Moderate: python3.9 security update
2023-11-07 06:11:01
(RHSA-2024:0374) Moderate: python-pip security update
2024-01-23 17:07:01
(RHSA-2023:6914) Moderate: python3.11-pip security update
2023-11-14 08:40:05
openvas
openvas
Fedora: Security Advisory for python3.6 (FEDORA-2024-ebb3c95344)
2024-03-25 00:00:00
Fedora: Security Advisory for python3.6 (FEDORA-2024-46374d2703)
2024-03-25 00:00:00
openSUSE: Security Advisory for python39 (SUSE-SU-2023:2641-1)
2024-03-04 00:00:00
oraclelinux
oraclelinux
python3.11-pip security update
2023-11-17 00:00:00
python-pip security update
2023-11-11 00:00:00
python3 security update
2023-11-17 00:00:00
fedora
fedora
[SECURITY] Fedora 39 Update: python3.6-3.6.15-27.fc39
2024-03-16 01:17:39
[SECURITY] Fedora 38 Update: python3.6-3.6.15-27.fc38
2024-03-16 01:51:50
[SECURITY] Fedora 40 Update: python3.6-3.6.15-27.fc40
2024-03-23 00:49:48
osv
osv
Moderate: python3.11-pip security update
2023-11-07 00:00:00
Moderate: python3.11-pip security update
2023-11-14 00:00:00
Moderate: python3.9 security update
2023-11-07 00:00:00
cbl_mariner
cbl_mariner
CVE-2007-4559 affecting package python2 for versions less than 2.7.18-8
2022-04-09 06:51:57
CVE-2007-4559 affecting package python2 2.7.18-14
2020-11-30 19:30:47
CVE-2007-4559 affecting package python3 3.7.16-1
2024-05-08 09:06:41
almalinux
almalinux
Moderate: python3.11-pip security update
2023-11-14 00:00:00
Moderate: python3.11-pip security update
2023-11-07 00:00:00
Moderate: python3.9 security update
2023-11-07 00:00:00
nessus
nessus
RHEL 9 : python3.11-pip (RHSA-2023:6324)
2023-11-07 00:00:00
RHEL 9 : python3.9 (RHSA-2023:6659)
2023-11-07 00:00:00
RHEL 8 : python-pip (RHSA-2024:0374)
2024-01-25 00:00:00
veracode
veracode
Directory Traversal
2023-10-19 07:55:07
rocky
rocky
sos bug fix and enhancement update
2023-10-05 21:33:16
cve
cve
CVE-2007-4559
2007-08-28 01:17:00
photon
photon
Important Photon OS Security Update - PHSA-2023-5.0-0139
2023-11-09 00:00:00
Important Photon OS Security Update - PHSA-2023-4.0-0457
2023-08-25 00:00:00
ubuntucve
ubuntucve
CVE-2007-4559
2007-08-28 00:00:00
prion
prion
Directory traversal
2007-08-28 01:17:00
thn
thn
15-Year-Old Unpatched Python Vulnerability Potentially Affects Over 350,000 Projects
2022-09-22 09:17:00
ibm
ibm
Security Bulletin: IBM Operational Decision Manager for March 2024 - Multiple CVEs addressed
2024-04-09 16:32:58
Security Bulletin: Multiple security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for March 2024.
2024-03-28 22:31:33
gentoo
gentoo
Samba: Multiple Vulnerabilities
2023-09-17 00:00:00
hp
hp
HP ThinPro 8.1 SP 2 Security Updates
2024-04-12 00:00:00
JSON
Related for TRELLIX:5DC3568E14E5D09CE5BB57AB5B0906C1
trellix13redhat38openvas14oraclelinux10fedora3osv10cbl_mariner4almalinux10nessus49veracode1rocky1cve1photon2ubuntucve1prion1thn1ibm2gentoo1hp1