Examining Remediation Behavior for CVE-2020-0601
When Microsoft releases patches on Patch Tuesday, security teams commonly have a lot of work to do to understand the impact of the new patches, and for high-risk vulnerabilities they ultimately must decide whether to accelerate a patch. Sometimes, though, there is a lot of buzz around a given vulnerability, and that was certainly the case with the announcement of CVE-2020-0601, a vulnerability reported to Microsoft by the NSA in how Windows validates Elliptic Curve Cryptography (ECC) certificates. The NSA, Microsoft and many experts encouraged users to patch right away.
The vulnerability itself is explained in detail elsewhere, but effectively it allows attackers to spoof the validity of certificate chains, for example, to trick Windows into thinking that an executable has been code-signed by a proper certification authority. The root cause is that Windows CryptoAPI (crypt32.dll) accepted ECC certificates carrying explicit, attacker-chosen curve parameters and matched them to a trusted root by public key alone, without checking that the curve parameters were the trusted root's. We began to see proof-of-concept exploits released within 24 hours. This vulnerability is currently rated a 71.3345 in the Kenna Platform.
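To make the curve-parameter confusion concrete, here is an added example (not code from the original post, from Kenna, or from Microsoft). It uses the real NIST P-256 constants but a toy key-matching routine, `vulnerable_match` versus `hardened_match` (hypothetical names), standing in for CryptoAPI's trust-chain lookup; `forge_key_matching` is the attacker's construction of a key that shares a trusted root's public point on attacker-controlled parameters. Requires Python 3.8+ for `pow(x, -1, m)`.

```python
"""Curve-parameter confusion behind CVE-2020-0601, in miniature.

Added example: not code from the original post, Kenna, or Microsoft. It uses
real NIST P-256 constants but a toy "key matching" routine (vulnerable_match /
hardened_match) that stands in for CryptoAPI's trust-chain lookup. Requires
Python 3.8+ for pow(x, -1, m).
"""
from dataclasses import dataclass
import secrets

# NIST P-256 domain parameters (FIPS 186-4).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def _add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication k * pt."""
    r = None
    while k:
        if k & 1:
            r = _add(r, pt)
        pt = _add(pt, pt)
        k >>= 1
    return r


@dataclass(frozen=True)
class EccPublicKey:
    """What an ECC cert carries: a public point Q plus the curve it lives on.
    A cert may name a standard curve or spell out explicit parameters; here
    the generator stands in for the full parameter set."""
    generator: tuple
    point: tuple


def forge_key_matching(trusted: EccPublicKey):
    """Attacker step (hypothetical helper name): choose any private scalar d,
    then set G' = d^-1 * Q so that d * G' == Q, i.e. the forged key has the
    trusted root's public point but on parameters the attacker controls."""
    d = secrets.randbelow(N - 1) + 1
    g_prime = mul(pow(d, -1, N), trusted.point)
    return d, EccPublicKey(generator=g_prime, point=trusted.point)


def vulnerable_match(cert_key: EccPublicKey, trusted: EccPublicKey) -> bool:
    """The flawed comparison: trust is keyed on the public point alone."""
    return cert_key.point == trusted.point


def hardened_match(cert_key: EccPublicKey, trusted: EccPublicKey) -> bool:
    """The fix in spirit: the cert's curve parameters must equal the trusted
    root's, so explicit parameters cannot substitute for the named curve."""
    return (cert_key.point == trusted.point
            and cert_key.generator == trusted.generator)


def demo(ca_private: int = 0x1234567890ABCDEF1234567890ABCDEF):
    """Build a trusted root, forge a matching key, run both checks."""
    root = EccPublicKey(generator=G, point=mul(ca_private, G))
    d, forged = forge_key_matching(root)
    return {
        "forged_key_reproduces_root_point": mul(d, forged.generator) == root.point,
        "vulnerable_accepts_forgery": vulnerable_match(forged, root),
        "hardened_accepts_forgery": hardened_match(forged, root),
        "hardened_accepts_genuine": hardened_match(root, root),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The attacker never learns the root's private key; the forgery works only because the comparison ignores which curve the point was computed on. The practical check a verifier wants is the one in `hardened_match`: reject, or at least refuse to chain to a trusted root from, any certificate whose ECC parameters are not exactly the root's named curve.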
In order to examine if security teams were on track to remediate this vulnerability ahead of the “normal” schedule, we pulled vulnerability status across a random selection of hundreds of Kenna customers and plotted the remediation status by day since the vulnerability was announced.
The vulnerability was announced on Jan 14, and we began to see it appear on the platform on the 15th, the same day the first exploit was released. The rate of ingestion is similar to that of other vulnerabilities from the same batch, so while it is possible scanning was accelerated, we have not compared this against other Patch Tuesdays. Some amount of time is always required to scan for a vulnerability, so an increase in counts over the first ten days is normal.
So what is normal for remediation? The best data we have compiled comes from the Prioritization to Prediction Report Volume 3, which shows that the normal rate of remediation for Microsoft vulnerabilities is:
- 14 days to get 25% closed
- 37 days to get to 50% closed
- 134 days to get to 75% closed
Below, in an image from the report, you can see that this rate is the fastest amongst the major vendors.
So, with this in mind, how did remediation teams do with Curveball? Incredibly well, in fact. In the plot below, eighteen days in, on Feb 1, you can see the vulnerability clearly reach a 50/50 split of open vs. closed. Against the 37-day norm for 50% closed, that is roughly twice as fast. This is a fantastic achievement for remediation teams!
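The comparison above is easy to reproduce from any daily open/closed series. The following is an added example, not code from the original post or the Kenna platform; the daily counts are constructed to resemble the Curveball curve described in the text (ingestion ramps for about ten days, then closures overtake opens), and `days_to_fraction` / `compare_to_baseline` are hypothetical helper names.

```python
"""Time-to-closure milestones from a daily open/closed series.

Added example, not from the original post or the Kenna platform; the daily
counts below are constructed to resemble the Curveball curve described in the
text (ingestion ramps for about ten days, then closures overtake opens).
"""
from typing import Dict, Iterable, Optional, Tuple

# Baseline from Prioritization to Prediction Vol. 3: days to reach each fraction closed.
BASELINE_DAYS: Dict[float, int] = {0.25: 14, 0.50: 37, 0.75: 134}

# (day since announcement, open count, closed count); day 0 = Jan 14. Constructed data.
SAMPLE = [
    (0, 0, 0), (1, 120, 0), (2, 400, 5), (3, 900, 20), (5, 1500, 60),
    (7, 2200, 200), (10, 2800, 600), (12, 2600, 900), (14, 2300, 1300),
    (16, 2000, 1700), (18, 1850, 1850), (20, 1700, 2000),
]


def closed_fraction(open_n: int, closed_n: int) -> Optional[float]:
    """Fraction closed of instances known so far; None before anything is scanned."""
    total = open_n + closed_n
    return None if total == 0 else closed_n / total


def days_to_fraction(series: Iterable[Tuple[int, int, int]], frac: float) -> Optional[int]:
    """First day on which at least `frac` of known instances are closed.
    Returns None if the threshold is not reached within the observed window."""
    for day, open_n, closed_n in sorted(series):
        f = closed_fraction(open_n, closed_n)
        if f is not None and f >= frac:
            return day
    return None


def compare_to_baseline(series, baseline: Dict[float, int] = BASELINE_DAYS):
    """Per milestone: (observed day, baseline day, speedup).
    speedup > 1 means faster than the norm; None if the milestone was not reached."""
    out = {}
    for frac, norm in baseline.items():
        observed = days_to_fraction(series, frac)
        out[frac] = (observed, norm, None if observed is None else norm / observed)
    return out


if __name__ == "__main__":
    for frac, (obs, norm, speedup) in compare_to_baseline(SAMPLE).items():
        print(f"{int(frac * 100)}% closed: day {obs} vs norm {norm} (speedup {speedup})")
```

One caveat the denominator makes visible: the "known instances" total keeps growing during the scanning ramp, so a milestone measured on an early snapshot can shift as late-scanned hosts arrive. Reading the milestone off the final series, as here, avoids that.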
So how was this accomplished? Was the vulnerability cherry-picked from the bunch, or did remediation teams apply the entire set of patches at once via Windows Update? Stay tuned as we do more analysis of Patch Tuesday behavior in future blog posts!
If you are at RSAC this week and want to learn more about Kenna's ongoing research into vulnerability management patterns and behaviors, come see our Co-Founder and CTO Ed Bellis present on Wednesday, Feb 26, at 3:10pm at Moscone South.