Unaddressed High-Risk Vulnerabilities Revealed in the 2023 OSSRA Report

The recently released 2023 “Open Source Security and Risk Analysis” (OSSRA) report has sent shockwaves through the cybersecurity community, exposing a troubling trend in organizations’ approach to patching vulnerabilities. The report’s findings paint a stark reality, highlighting that 48% of codebases surveyed harbored high-risk vulnerabilities.

As organizations rely heavily on open-source material, with a whopping 96% of commercial code containing such components, addressing unpatched vulnerabilities becomes increasingly imperative. In this deep-dive exploration, we delve into the heart of the problem, providing crucial insights on evaluating your risk and fortifying your digital defenses against potential exploits.

High-Risk Vulnerabilities to Understand the Impact and Urgency

When it comes to software vulnerabilities, understanding their risk levels is crucial in maintaining a secure digital environment. These vulnerabilities are classified based on the potential consequences of exploitation, wherein the Common Vulnerability Scoring System (CVSS) plays a pivotal role.

With a scale ranging from 0 to 10, the CVSS assesses the severity and characteristics of vulnerabilities, helping organizations gauge their potential impact.

Different risk levels exist if CVSS rankings, each indicating varying degrees of potential harm. Starting from the lower end, we have Low-risk vulnerabilities (0.1 to 3.9), which carry minimal potential for harm and are unlikely to result in significant damage when exploited.

Moving up the scale, we encounter Medium-risk vulnerabilities (4.0 to 6.9), which may not present an immediate threat but possess the capacity to cause harm. Attackers targeting such vulnerabilities might seek unauthorized access or compromise sensitive information.

Why do High-risk vulnerabilities Require more Care?

Yes, the High-risk vulnerabilities (7.0 to 8.9) demand our utmost attention. These vulnerabilities harbor substantial potential for harm, possibly inflicting severe consequences such as significant data loss or downtime.

Timely intervention and mitigation efforts are strongly advised when dealing with high-risk vulnerabilities to prevent disastrous outcomes.

At the pinnacle of the scale, we find Critical-risk vulnerabilities (9.0 to 10.0). Attackers often exploit these vulnerabilities, leading to unauthorized access, data breaches, system compromise, or disruption.

Notably, the fundamental distinction between critical and high-risk vulnerabilities lies in exploiting a critical-risk vulnerability that usually compromises servers or infrastructure devices at the root level.

Understanding the gravity of high-risk vulnerabilities and their potential repercussions empowers organizations to prioritize mitigation strategies. By promptly addressing these vulnerabilities, organizations can fortify their defenses and safeguard against potential breaches, ensuring the integrity and security of their digital assets.

Prominent High-Risk Open Source Lessons from the Past

Throughout the history of opensource software, specific vulnerabilities have emerged as significant threats, exposing the potential risks associated with these widely-used components. Let’s explore some notable examples that shed light on the critical nature of these vulnerabilities.

Heartbleed (CVE-2014-0160)

One notorious instance is Heartbleed (CVE-2014-0160), a critical flaw discovered in the OpenSSL cryptographic software library. Unveiled in April 2014, this vulnerability exploited a weakness in the TLS heartbeat extension. It enables attackers to extract sensitive information like passwords, usernames, and private keys. A fixed version of OpenSSL was promptly released to address the issue. But, the damage had already been done.

Shellshock (CVE-2014-6271)

Shellshock (CVE-2014-6271) remained undetected for 30 years. It is used in UNIX-based systems within the popular Bash shell command-line interface. Exploiting this vulnerability allowed attackers to execute commands on vulnerable systems.

Apache Struts Remote Code Execution (CVE-2017-5638)

In web applications, the Apache Struts Remote Code Execution (CVE-2017-5638) vulnerability left a significant impact. This flaw affected the widely-used Apache Struts framework. It allows remote attackers to execute arbitrary code through specially crafted requests. The repercussions of this vulnerability were felt when Equifax fell victim to a devastating data breach. Between May and July 2017, it compromised the private records of millions of individuals.

Drupalgeddon (CVE-2018-7600)

Drupalgeddon (CVE-2018-7600), a critical vulnerability in the Drupal content management system, demonstrated the importance of timely patching. Exploiting this flaw enabled attackers to execute arbitrary code without authentication. This potentially leads to unauthorized access, data breaches, or compromise on Drupal-based websites. Despite a patch being issued soon after its discovery, attackers continued to exploit this vulnerability for nearly two years.

While open source projects generally have active security communities and reporting mechanisms for vulnerabilities. Developers and end-users must remain informed about known vulnerabilities and diligently apply necessary patches and updates. Unlike commercial code, open source operates on a “pull” model, requiring individuals to download and install the latest components versions proactively.

Failure to Address High-Risk Vulnerabilities: Insights from the 2023 OSSRA Report

The recently published 2023 OSSRA report has highlighted a disturbing trend in organizational cybersecurity practices – a concerning lack of action when fixing high-risk vulnerabilities. This year’s report, taking a retrospective look over five years, aimed to identify notable trends, many of which have been unexpectedly eye-opening.

Notably, since 2019, the retail and eCommerce sector has witnessed an alarming surge in high-risk vulnerabilities, skyrocketing by an astonishing 557%.

Similarly, the aerospace, aviation, automotive, transportation, and logistics sectors experienced a significant 232% increase in vulnerabilities of the exact nature. These figures underscore the growing urgency for organizations operating within these industries to address their security gaps promptly.

The Internet of Things (IoT) sector, which has witnessed explosive growth, is a prime example of the benefits and challenges of open source software.

Since 2019, every codebase in the IoT sector has contained some form of open source material, with its prevalence increasing by 35% during this period. A staggering 89% of the total code used in IoT applications is open source.

Advancement of Open Source in the IoT Industry

The adoption of open source in the IoT industry is driven by its ability to enable rapid software development, a vital requirement in a highly competitive and fast-paced environment.

The agility it provides ensures that organizations can keep up with the breakneck speed demanded by software development. However, this reliance on open source has inherent risks, particularly in introducing vulnerabilities into IoT systems.

Alarming statistics indicate that high-risk vulnerabilities in the IoT sector have surged by 130% since 2019.

Moreover, this year’s findings from the OSSRA report reveal that 53% of audited applications within the IoT domain contained high-risk vulnerabilities, emphasizing the criticality of addressing these weaknesses. The ubiquity of IoT devices, deeply ingrained in various aspects of our lives, amplifies the potential impact of such vulnerabilities.

From automated lighting systems that reveal our presence at home to cameras capturing intimate glimpses of our private spaces, smart locks securing our front doors, and baby monitors safeguarding our children, the breadth of personal information and security implications at stake is immense.

Proactive measures must be taken to safeguard individuals and organizations from the potential repercussions of high-risk vulnerabilities.

The findings of the 2023 OSSRA report serve as a clarion call for organizations to prioritize vulnerability management and ensure timely and effective remediation efforts.

Only by addressing these vulnerabilities head-on can we fortify the security of our interconnected world and protect the privacy and well-being of individuals relying on IoT devices.

Effective Prioritization of Vulnerability Patching: A Strategic Approach

Dispelling the notion that developers can address every vulnerability is essential. The reality is that a comprehensive resolution is attainable with clear management team prioritization. Ensure effective patching by aligning patch priorities with the business importance of the asset, the asset’s criticality, and the risk of exploitation.

Recognizing that patch policies differ between commercial software and open source components is essential. While commercial vendors can proactively deliver updates and security information, open source patches originate from the root project or the distribution channel where the component was initially obtained.

Only a fraction of open source vulnerabilities, such as those affecting widely-used frameworks like Apache Struts or OpenSSL, will likely be extensively exploited.

With this understanding, organizations should prioritize their mitigation efforts by considering factors such as the Common Vulnerability Scoring System (CVSS) scores, Common Weakness Enumeration (CWE) information, and the availability of exploits.

This prioritization should not only be limited to the initial disclosure of a vulnerability but should also span the entire lifecycle of the open source component.

How do you Identify the Scores for Vulnerabilities?

The National Vulnerability Database (NVD) provides base scores for vulnerabilities, aiding in calculating severity and serving as a factor for prioritizing remediation.

Software composition analysis (SCA) solutions, like Black Duck, offer temporal scores in addition to CVSS base scores, exploitability scores, and impact scores. Temporal scores consider dynamic metrics influenced by external events.

Furthermore, remediation levels (availability of an official fix) and report confidence (confirmation of the report) help refine the overall CVSS score to determine an appropriate level of risk.

The Common Weakness Enumeration (CWE) lists software or hardware weakness types with security implications. By understanding the specific weakness leading to a vulnerability, developers gain clarity on the issue at hand, allowing for a better severity assessment.

For instance, a development team may prioritize addressing a SQL injection differently from a buffer overflow or denial of service.

The presence of an exploit raises the risk score and assists remediation teams in prioritizing the most critical vulnerabilities. Additionally, understanding the availability of solutions or workarounds is crucial in the overall risk assessment.

If faced with two medium-risk vulnerabilities without available exploits, the decision of which one to address first may come down to the presence of a viable solution or workaround.

By adopting a strategic approach to vulnerability patching, organizations can ensure that their limited resources are directed toward addressing the most critical risks.

Prioritization based on comprehensive factors, such as CVSS scores, CWE information, exploit availability, and solution/workaround existence, enables effective risk mitigation and enhances overall cybersecurity posture.

Initiating Vulnerability Mitigation: A Step-by-Step Approach

To effectively tackle open source vulnerabilities, it is crucial to take the first step: conducting a thorough inventory of your open source components. A comprehensive Software Bill of Materials (SBOM) plays a vital role in this process as it allows you to identify the open source software being utilized and assess the potential impacts of associated vulnerabilities.

Manually creating and maintaining a detailed software inventory can be daunting. Experts widely acknowledge the challenges of achieving a useful SBOM. Using Software Composition Analysis (SCA) tools can alleviate these concerns. SCA solutions offer detailed listings of all open source components, including licenses, versions, and patches.

In addition to creating an SBOM, it is crucial to remain vigilant and monitor changes in external threats and vulnerability disclosures. Public sources like the National Vulnerability Database (NVD) are valuable repositories for information on publicly disclosed vulnerabilities in open source software.

However, it is essential to remember that there may be delays in data reporting, scoring, and actionable information within the Common Vulnerabilities and Exposures (CVE) entries. Furthermore, the format of NVD records can make it challenging to determine which versions of a particular open source component are affected by a given vulnerability.

Changes to Incorporate and Prevent the Vulnerabilities:

Organizations should consider effectively leveraging tools and resources beyond the NVD to address these challenges. Software composition analysis solutions often provide additional capabilities that offer real-time monitoring of vulnerability information, proactive alerts, and accurate assessments of affected open source versions.

By harnessing these resources, organizations can stay abreast of the ever-evolving threat landscape and ensure timely mitigation of vulnerabilities.

With these proactive steps to inventory open source components and monitor vulnerability disclosures, organizations can significantly enhance their ability to identify and address potential risks.

Implementing an automated approach, such as leveraging SCA tools and diverse vulnerability information sources, enables efficient vulnerability management and reinforces the security posture of software applications.