The Risk Posed By CVEs Doesn’t Stand Still (and Neither Should You)
On Saturday, Dec. 18, the Kenna Risk Score for a zero-day vulnerability in the Apache Log4j library leapt from its original (and already critical) score of 87 to the highest score Kenna assigns any CVE: a perfect 100. When CVE-2021-44228 was published in the National Vulnerability Database (NVD), it was already making headlines as a worrisome zero-day threat, thanks in part to the popularity of the Java logging library (Log4j). Like an unwelcome holiday gift, CVE-2021-44228 came with all the bad accessories, including active exploitation in the wild.
But over the next few days, a comprehensive examination of threat intel, in-the-wild activity, chatter, and the massive footprint of Log4j itself made clear that the risk posed by CVE-2021-44228 could hardly be more serious for enterprises running Java. All this contributed to its Kenna Risk Score of 100, which puts this vuln in rare company. Of the more than 177,000 CVEs scored by Kenna, just 377 have earned a score this high. That’s just 0.21% of all scored vulns.
CVEs aren’t static
Fluctuations in the risk level of individual CVEs aren’t unusual at Kenna Security. Some vulnerabilities take a while for bad actors to exploit. These late bloomers may not present as high risk at first, but they come into their own over time as their likelihood of exploitation becomes clearer. Others, like the cascading Log4j vectors that are ruining the weekends of security and IT professionals everywhere, are exploited in no time.
For evidence of how dynamic vulnerability risk really is, we need look no further than our Vuln of the Month series, which features a specific CVE every Exploit Wednesday, the day after Microsoft’s Patch Tuesday.
In the 11 months we’ve been running this series, we’ve seen the Kenna Risk Scores of some CVEs rise and fall as the risk context surrounding them shifts. In fact, five of the 11 (45%) saw their Kenna Risk Score either increase or decrease between publication and today. Let’s look at three.
- Our October Vuln of the Month, CVE-2021-38647, is a remote code execution vulnerability in the Open Management Infrastructure (OMI) agent that Microsoft Azure installs on Linux VMs. It had a Kenna Risk Score of 83 at the time of publication, but constant reassessment and analysis have moved that score upward, and today this CVE is a member of the exclusive 100 Club. That’s right: it’s moved from 83 to 100.
- CVE-2021-21972, our April Vuln of the Month, saw its Kenna Risk Score jump to 100 as well. At the time of publication, this remote code execution (RCE) vulnerability in a plugin of the vSphere HTML5 Client for vCenter Server had a score of 92, which made it the highest score featured in our Vuln of the Month series to date. Since then, our analysis has shown that the likelihood of exploitation of CVE-2021-21972 has increased. If you’re running the vSphere HTML5 Client for vCenter Server, that’s an even higher-priority fix now than it was in April. Better jump on it!
- While it’s always critical to know what needs fixing now, it’s often just as valuable to know which vulns aren’t an immediate priority. (Focusing on the 2%-5% of vulns that actually pose a risk to your organization will help keep you sane, keep IT talking to you, and keep your limited resources focused on remediating only what matters.) That’s the case with CVE-2021-24094, our March Vuln of the Month, which earned a Kenna Risk Score of 59 upon publication. This is a remote code execution vulnerability in the Windows TCP/IP stack’s handling of IPv6 packets, so it affects any Windows host with IPv6 enabled. Before you dismiss a score of 59 as low, it’s useful to know that only 3.23% of vulns score higher than 59. Still, as time progressed, CVE-2021-24094 emerged as somewhat less of a risk, and today its Kenna Risk Score stands at 37. It’s still worth fixing when you have the time, but it’s no longer the priority it once was.
If CVE risks fluctuate, what good are static scores?
Many, perhaps most, enterprises still rely on CVSS (or scanner solutions whose scoring is based on CVSS) to score their vulnerabilities and set their fix lists. They do this despite the fact that CVSS base scores are largely static: they are assigned when a CVE is published in the NVD, and that’s generally where they stay. It usually takes a major revision of a CVE’s technical characteristics to move a CVSS score at all. And because the CVSS base score does not account for real-world exploitation, the kind of context that drives fluctuations in relative risk, a CVSS score is only part of the picture.
What is far more helpful is a dynamic score, like the Kenna Risk Score, that reflects the dynamic nature of CVEs. Static and outdated scores can send your team scrambling to fix a vulnerability that really isn’t a risk, or they can leave you exposed because your static score doesn’t reflect new real-world threats. Both outcomes are bad, and following bad advice is a terrible way to spend a weekend.
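To make the difference concrete, here is a small Python illustration added to this post. It is not Kenna’s scoring algorithm and not code from the original article: the four CVE IDs and their CVSS v3.1 base scores are real, but the evidence timeline, the evidence weights and the 180-day half-life are constructed assumptions chosen so the behaviour is easy to see. A CVSS-only list cannot separate three 9.8s; a score that ingests dated threat evidence and lets it age ranks the same four CVEs differently in March and in December.

```python
from dataclasses import dataclass
from datetime import date

# Added illustration, not Kenna's scoring algorithm. The weights and the
# half-life below are assumptions chosen to make the behaviour visible.
EVIDENCE_WEIGHT = {
    "poc_public": 10.0,           # proof-of-concept code is public
    "exploit_weaponized": 20.0,   # reliable exploit available to attackers
    "active_exploitation": 40.0,  # attacks observed in the wild
}
HALF_LIFE_DAYS = 180  # evidence that is not refreshed loses half its weight


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss_base: float  # CVSS v3.1 base score: fixed at publication


@dataclass(frozen=True)
class Evidence:
    cve: str
    observed: date
    kind: str


def static_rank(findings):
    """A CVSS-only fix list: identical base scores cannot be separated,
    so the tie is broken by nothing better than the CVE ID."""
    return sorted(findings, key=lambda f: (-f.cvss_base, f.cve))


def risk_score(finding, evidence, as_of):
    """Dynamic score in [0, 100] as seen on `as_of`.

    The CVSS base score sets a floor (10.0 -> 50). Each piece of threat
    evidence observed on or before `as_of` adds its weight, discounted by
    age so that an old proof-of-concept with no follow-on activity fades
    while fresh in-the-wild exploitation dominates.
    """
    score = finding.cvss_base * 5.0
    for ev in evidence:
        if ev.cve != finding.cve or ev.observed > as_of:
            continue  # not yet known on that date
        age_days = (as_of - ev.observed).days
        score += EVIDENCE_WEIGHT[ev.kind] * 0.5 ** (age_days / HALF_LIFE_DAYS)
    return round(min(score, 100.0), 1)


def prioritize(findings, evidence, as_of):
    """Fix list for a given day, highest dynamic risk first."""
    return sorted(findings, key=lambda f: (-risk_score(f, evidence, as_of), f.cve))


# The CVE IDs and CVSS base scores are the real ones for the vulns in this
# post. The evidence timeline is CONSTRUCTED sample data that follows the
# post's narrative; it is not a record of actual threat intelligence.
FINDINGS = [
    Finding("CVE-2021-44228", 10.0),  # Apache Log4j (Log4Shell)
    Finding("CVE-2021-38647", 9.8),   # OMI agent RCE in Azure
    Finding("CVE-2021-21972", 9.8),   # vCenter Server vSphere Client RCE
    Finding("CVE-2021-24094", 9.8),   # Windows TCP/IP IPv6 RCE
]
EVIDENCE = [
    Evidence("CVE-2021-24094", date(2021, 2, 10), "poc_public"),
    Evidence("CVE-2021-21972", date(2021, 2, 24), "poc_public"),
    Evidence("CVE-2021-21972", date(2021, 6, 1), "active_exploitation"),
    Evidence("CVE-2021-38647", date(2021, 9, 15), "poc_public"),
    Evidence("CVE-2021-38647", date(2021, 9, 17), "active_exploitation"),
    Evidence("CVE-2021-44228", date(2021, 12, 10), "active_exploitation"),
    Evidence("CVE-2021-44228", date(2021, 12, 11), "exploit_weaponized"),
]


def fix_list(as_of_iso):
    """Ordered (cve, score) pairs for the sample data on an ISO date."""
    as_of = date.fromisoformat(as_of_iso)
    return [(f.cve, risk_score(f, EVIDENCE, as_of))
            for f in prioritize(FINDINGS, EVIDENCE, as_of)]


if __name__ == "__main__":
    print("CVSS-only:", [f.cve for f in static_rank(FINDINGS)])
    for day in ("2021-03-15", "2021-12-20"):
        print(f"as of {day}:", fix_list(day))
```

Run it and the CVSS-only list puts Log4Shell first and the three 9.8s in ID order, forever. The dynamic list on 2021-03-15 has only two fresh proofs of concept to work with, so CVE-2021-21972 and CVE-2021-24094 lead; by 2021-12-20 Log4Shell is pinned at 100, CVE-2021-38647 and CVE-2021-21972 have climbed on observed exploitation, and CVE-2021-24094, whose proof of concept was never followed by anything, has drifted down. The same mechanism works with a real feed of exploitation evidence in place of the constructed list.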
Read this blog to learn more about the difference between vulnerability scores and risk scores, and why you should care.