Cybersecurity

How can organizations protect themselves from ‘vintage vulnerabilities’?

"There is already a patch in existence…All you have to do is patch. So that should be the easy part” said one Rezilion researcher.
article cover

Pm Images/Getty Images

· 3 min read

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

A common vulnerability and exposure, or CVE, is often described by its severity. The most dangerous CVEs are “critical.” The less urgent fixes: “low.”

A recent report identified a raft of devices vulnerable to an older set of flaws—a classic collection that might impress the most hipster of hackers: “vintage.” Researchers from the vulnerability-management platform provider Rezilion revealed that over 4.5 million internet-facing devices are open to over 400 CVEs discovered between 2010 to 2020.

The discovery reflects a need for organizations to know their assets, prioritize patches, and find technologies that help with both, according to analysts and industry professionals who spoke with IT Brew.

What’s in the report?

  • “All of the vulnerabilities analyzed in this research have been around for years, they all have patches released, and they are all known to be exploited in the wild,” read the conclusion of the paper, titled “Vintage Vulnerabilities Are Still in Style.”
  • The findings focused specifically on flaws from the CISA “known exploited vulnerabilities” list.
  • The scanning tools only looked for internet-facing, publicly accessible servers.

What’s the big deal?

  • Vulnerabilities lead to attacks. Take one golden oldie found in the report: CVE-2018-13379. Rezilion’s report found over 538,000 internet-facing applications unpatched for this flaw. Cybercriminals, from Cring ransomware operators to TunnelVision threat-actors exploited 13379 in Fortinet VPNs to deploy ransomware. Reminder: The average ransomware payment is around $800k.
  • “We’re not talking about zero-days,” said Rezilion researcher Yotam Perkal. “There is already a patch in existence…All you have to do is patch. So, that should be the easy part.”

Two classic patch practices:

  • Know what you have. An emerging class of products, known as external attack surface management tools, continually scan for internet-facing assets like web servers and applications. “They’re going to tell you if there are new assets that are discovered, and they’re often pulling in vulnerability data as well,” said Erik Nost, senior analyst at Forrester. EASM vendors include BitSight, CyCognito, Palo Alto Networks’ Cortex Xpanse, and Randori. A variety of vulnerability-scanning tools are available as well, including free ones like OpenVAS.
  • Prioritize. Severity doesn’t necessarily translate directly to risk, and context must be considered during patch deployment. Internet-exposed assets, however, may require swift response, according to Fred Langston, executive VP of professional services at the cybersecurity firm Critical Insight. “I would say you need to absolutely prioritize those because the fuse is lit, and it’s a matter of time before the bad guy finds those,” Langston said.

That 4.5 million externally facing internet-connected devices is a small number, especially when you consider the number of devices on internal networks, said Perkal.

“There are probably a lot more of those servers that are running on internal networks, which might not be easily accessible,” Perkal told IT Brew. “If they’re running those obsolete versions of software, they’re still vulnerable.”—BH

Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.