A mid-year report on vulnerabilities found so far in 2019 from Risk Based Security should make security professionals take notice: There are some serious risks out there.
In the first half of 2019, there have been about 4,000 fewer entries in the common vulnerabilities and exploits (CVE) database, but that’s no reason to start resting easy: 34% of the 11,092 reported vulnerabilities remain unpatched.
SEE: 10 dangerous app vulnerabilities to watch out for (free PDF) (TechRepublic)
Leading the pack with 24.1% of all vulnerabilities between them are five companies: Software in the Public Interest (Debian and related platforms), SUSE, Oracle, IBM, and Microsoft.
Given the popularity of platforms from those organizations, it’s reasonable to assume your organization is affected by at least one of the more than 11,000 vulnerabilities reported in 2019, and possibly by some that remain unpatched.
What kinds of vulnerabilities are trending in 2019?
There are a variety of types of vulnerabilities included in the report, but the most popular (accounting for 53% of reports in 2019) are remote ones. Remote vulnerabilities are any that happen over a network and are perpetrated by an attacker without prior access to a system.
The most common way this is done is via input manipulation, a la an SQL injection attack. An attacker using input manipulation can submit malicious scripts through an input field (e.g., email registration, account signup, site search, etc.) which results in a website’s database dumping all sorts of sensitive information to the attacker.
Input manipulation accounted for 66% of reported vulnerability cases so far in 2019, which continues a trend that Risk Based Security said has been the case for years. SQL injection attacks, one of the oldest and most common forms of input manipulation, have been an issue since the dawn of the internet, and their popularity shows that they’ll probably continue to be such.
Along with remote vulnerabilities, context-dependent, local, and mobile exploits make the list, but in small percentages compared to remote ones.
In short, the most likely way your systems are going to be hit is with a remote attack attempting to exploit input manipulation vulnerabilities.
What can be done to fight the most common exploits of 2019?
“While it may seem an easy problem to tackle, summed up with ‘we’ll just sanitize input!’, it is often more complicated in practice,” the report said.
Sanitizing input is a great way to avoid input manipulation attacks, but it can be hard to go back and check old code to find vulnerabilities, as “many organizations still do not have a rigorous procedure for testing their source code for such issues despite many having an otherwise mature process,” the report adds.
Another glaring aspect of the report that makes solving these vulnerabilities difficult is the sheer number that are still unresolved: Around 3,771 of the 11,092 vulnerabilities in 2019 fit that criteria.
Brian Martin, vice president of vulnerability intelligence at Risk Based Security, suggested organizations purchase a vulnerability scanning tool that is capable of looking at both an entire IP space and all the devices on it. “If an organization is using vulnerability scanning, they may simply not know about all of their assets,” Martin said in the report, so be sure the tools you have are designed for the type of organization you run.
Along with adopting an aggressive scanning policy organizations should be sure to keep systems updated and patched: 66% of vulnerabilities reported in 2019 can be resolved in one of those two ways.
You can read the full report on Risk Based Security’s website.