Monday, January 24, 2022

Review - CISA’s Exploited Vulnerabilities Catalog – 1-21-22

Last Friday, CISA sent out an email to registered individuals announcing that they had added four new vulnerabilities to their Known Exploited Vulnerabilities Catalog. This catalog supports the requirements of Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, for Federal agencies to take remediation actions to protect federal computer systems against cyber-attacks.

The four new entries are:

CVE-2012-0391 – Apache Struts 2,
CVE-2021-35247 – SolarWinds Serv-U,
CVE-2006-1547 – Apache Struts 1, and
CVE-2018-8453 – Microsoft Win32k

The idea of prioritizing vulnerabilities for mitigation based not on the potential threat but on the occurrence of real-world exploitation makes a certain amount of sense. According to a study published by the Software Engineering Institute at Carnegie Mellon University (referenced by CISA on their BOD 21-01 page), only about 4% of published vulnerabilities have exploits published within 365 days of the vulnerability being made public. That study looked only at exploits being published, not at exploits being used in real-world attacks, so it is probably safe to assume that an even smaller percentage of vulnerabilities are actually exploited in the wild.

The one problem with this methodology is that it does not make mitigating an identified vulnerability a priority until exploitation has been seen, and exploitation typically begins well before it is detected. Thus, it seems almost inevitable that some number of federal facilities will have been affected before the listing occurred. CISA hopes to reduce this problem by scanning federal internet-facing IP addresses for known vulnerabilities and then notifying affected agencies of the required remediation under BOD 19-02.

What would be helpful, though, is for CISA to publish, alongside each vulnerability listed in the Catalog, indicators of compromise for the exploitation of that vulnerability. This would allow agencies (and the public that uses this tool) to check whether they have already been compromised by the identified exploits.
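As an added example (not code from this post, from CISA, or from BOD 22-01), here is the prioritization the post describes, in Python: scanner findings are cross-checked against a handful of catalog records, the Catalog-listed ones are ordered by remediation due date, and the exposure window between the first sighting of a finding and its catalog listing is called out. The hosts, scan dates and due dates are constructed, and the record field names (cveID, vendorProject, product, dateAdded, dueDate) are assumed to mirror the layout of CISA's published JSON feed; the four CVE ids are the ones listed above.

```python
"""Cross-check scanner findings against KEV-style catalog records and order remediation."""
from datetime import date

# Constructed catalog records for the four entries named in the post. Field names
# are assumed to mirror CISA's JSON feed; the dates are illustrative, not CISA's.
KEV_SAMPLE = [
    {"cveID": "CVE-2012-0391", "vendorProject": "Apache", "product": "Struts 2",
     "dateAdded": "2022-01-21", "dueDate": "2022-07-21"},
    {"cveID": "CVE-2021-35247", "vendorProject": "SolarWinds", "product": "Serv-U",
     "dateAdded": "2022-01-21", "dueDate": "2022-02-04"},
    {"cveID": "CVE-2006-1547", "vendorProject": "Apache", "product": "Struts 1",
     "dateAdded": "2022-01-21", "dueDate": "2022-07-21"},
    {"cveID": "CVE-2018-8453", "vendorProject": "Microsoft", "product": "Win32k",
     "dateAdded": "2022-01-21", "dueDate": "2022-07-21"},
]

# Constructed scanner findings: host names, CVEs and first-seen dates are invented.
# CVE-2099-0001 is a placeholder id for a vulnerability that is not in the catalog.
FINDINGS = [
    {"host": "web-01", "cve": "CVE-2012-0391", "first_seen": "2021-11-03"},
    {"host": "ftp-01", "cve": "CVE-2021-35247", "first_seen": "2022-01-10"},
    {"host": "ws-17", "cve": "CVE-2018-8453", "first_seen": "2022-01-18"},
    {"host": "web-02", "cve": "CVE-2099-0001", "first_seen": "2022-01-15"},
]

POST_DATE = date(2022, 1, 24)  # "today" for reproducible output


def load_catalog(records):
    """Index catalog records by CVE id, parsing the ISO dates once."""
    catalog = {}
    for r in records:
        catalog[r["cveID"]] = {
            "vendor": r["vendorProject"],
            "product": r["product"],
            "added": date.fromisoformat(r["dateAdded"]),
            "due": date.fromisoformat(r["dueDate"]),
        }
    return catalog


def prioritize(findings, catalog, today):
    """Return the catalog-listed findings ordered by remediation due date, then host.

    Each entry records how many days the finding predates the catalog listing
    (the exposure window the post worries about) and whether the due date has passed.
    """
    out = []
    for f in findings:
        entry = catalog.get(f["cve"])
        if entry is None:
            continue  # known vulnerability, but not known-exploited: lower tier
        first_seen = date.fromisoformat(f["first_seen"])
        out.append({
            "host": f["host"],
            "cve": f["cve"],
            "product": f"{entry['vendor']} {entry['product']}",
            "due": entry["due"],
            "days_left": (entry["due"] - today).days,
            "overdue": today > entry["due"],
            "exposed_before_listing_days": max(0, (entry["added"] - first_seen).days),
        })
    out.sort(key=lambda e: (e["due"], e["host"]))
    return out


def unlisted(findings, catalog):
    """CVEs present on hosts but absent from the catalog: tracked, not directive-urgent."""
    return sorted({f["cve"] for f in findings if f["cve"] not in catalog})


if __name__ == "__main__":
    catalog = load_catalog(KEV_SAMPLE)
    for e in prioritize(FINDINGS, catalog, POST_DATE):
        flag = "OVERDUE" if e["overdue"] else f"{e['days_left']} days left"
        print(f"{e['due']}  {e['host']:7} {e['cve']:15} {e['product']:20} {flag}; "
              f"exposed {e['exposed_before_listing_days']} days before listing")
    print("not in catalog:", unlisted(FINDINGS, catalog))
```

The exposure count is the part worth watching: a finding first seen weeks before the catalog entry appeared is exactly the case the post describes, and it is the host to check for compromise first rather than merely patch.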


For more details about the Catalog, see my article at CFSN Detailed Analysis (subscription required).
