The security community misses the mark from time to time when it comes to vulnerability prioritization and impact. In the last week of June and the first week of July, security practitioners identified vulnerabilities in two critical networking devices with CVSS scores of 10. Typically, these vulnerabilities cause a lot of chatter and information sharing on digital platforms such as social media, dark web and code sharing websites. Using this information as enrichment points with security or IT team’s vulnerability prioritization patching process can be beneficial. Separating the hype from chatter versus actual exploitation in the wild can help reduce the stress on a security team as well as help prioritize how rapidly they need to patch.
Comparing Vulnerability Prioritization for CVE-2020-5902 and CVE-2020-2021
In this post, we will compare and contrast two vulnerabilities, CVE-2020-5902 and CVE-2020-2021, and their overall popularity on social media and digital platforms, using social media as a pivot point to investigate other data sources. We will also compare the timing of the release of the vulnerabilities, which potentially had an impact on patch cycles and chatter, as well as give our assessment on which of the two should have been patched or mitigated first.
CVE-2020-5902, a vulnerability in BIG-IP F5 Networks TMUI, was announced on 7/1/2020, leading to an increase of social media mentions throughout the discovery of POC’s, in the wild exploits, and patches.
Shortly after the initial announcement, the tweets revolved around the following timeline of notable events:
07/01/2020 – F5 Networks disclosed vulnerability in K52145254
07/03/2020 – Security teams started seeing active exploitation attempts
07/05/2020 – RCE POC disclosed on Twitter
07/05/2020 – Exploit added to Metasploit
07/06/2020 – Metasploit exploitation being seen in the wild
07/07/2020 – Researchers confirm bypass of initial F5 mitigation
With every major event, we saw more and more tweets discussing this vulnerability, from proof of concept disclosures, to the addition to Metasploit as an official module, closing with the realization that threat actors use the Metasploit module and bypass the mitigations suggested by F5.
By monitoring Github for the vulnerability, dozens of repos were created analyzing the vulnerability, along with screencasts and PoC code to exploit the vulnerability.
The first repo with valid PoC code was released the same day on Github as the Metasploit module.
On a Russian-based dark web hacking and cybercrime forum, there were multiple threads and even nmap NSE scripts shared for this vulnerability.
ZeroFox Alpha Team’s assessment is that, although the initial unique count of social chatter was low, the vulnerability got more attention as soon as researchers started contributing data around their honeypots, in the wild exploits, as well as their own PoCs. The vulnerability was also disclosed mid-week on a holiday week for the US, potentially impacting its popularity while also competing with coverage from the previous week’s PAN-OS vulnerability.
CVE-2020-2021 (PAN-OS: Authentication Bypass in SAML Authentication) had a larger initial spike in tweets when the vulnerability was announced. Within two days, however, there was a drop off in interest, perhaps due to the F5 bug. Monitoring this social media activity can help security teams with vulnerability prioritization, and this drop off in interest may suggest that this vulnerability should not be as highly prioritized.
Monitoring Github for the vulnerability identifier yielded much fewer results than CVE-2020-5902. In fact, the only repository that returns contains a description of it being a PoC, but it is only a rickroll:
As of 9 July 2020, there has been no PoC observed in any of these digital platforms or reports of exploits in the wild. There has not been a significant dark web-based chatter about the vulnerability, specifically related to actors asking for PoCs or publishing them.
Unlike its F5 counterpart, the vulnerability in CVE-2020-2021, although trivial, doesn’t have the same return on investment post-infection as an unauthenticated LFI or RCE. This could be due to the fact that the weaponization of CVE-2020-2021 requires a post-infection workflow to obtain shell access, whereas the current vulnerability is a login bypass to an admin screen in PAN-OS. The unfortunate-yet-fortunate release of the F5 vulnerability two days later could have also removed interest in this vulnerability.
Vulnerability Prioritization & Digital Platforms
When prioritizing vulnerabilities, you should consider a variety of factors, and digital platforms can help do the work for you and provide that data in most cases. Overall, based on Alpha Team assessment it is clear that the F5 vulnerability had a bigger impact and reach. While initial interest was low with this vulnerability, it gained traction as soon as PoCs were made and exploits were seen in the wild.
When considering a vulnerability intelligence strategy, it’s important to have a strategy in place to keep a pulse on the security community (cybercriminals and researchers alike) to help inform your patch decisions. Just because two vulnerabilities are CVSS-10 does not mean they are equal, but rather points to limitations in the CVSS scoring model when it comes to vulnerability prioritization.
Suggestions for Merging Digital Risk Protection and Vulnerability Prioritization
Some questions security and IT teams can ask when handling vulnerability prioritization include:
- How many vulnerable devices are exposed on the open web?
- Has a PoC been released by researchers, or has it been released by actors on the dark web?
- Are researchers talking about exploits in the wild on social media?
- Are cybercrime actors or forums talking about weaponizing the vulnerability, or are they selling the weaponization?
- Are there official PoCs from Metasploit, or are there entries for the PoC on code sharing websites or exploit-db?
- What verticals are being targeted by this exploit?
- What are the IOC’s related to this vulnerability and the people who are exploiting it?
- Are there new methods of exploitation that we need to patch or mitigate?
Don’t go at it alone – learn more about how ZeroFox’s suite of threat intelligence tools, including vulnerability intelligence, can give your team the actionable intelligence necessary to not only identify vulnerabilities but address them quickly.