Known exploited vulnerabilities catalog - a useful resource
Vulnerabilities are being found and patched at unprecedented rates. As vendors are kept under pressure to release patches faster, patch quality is in fact getting worse: the Zero Day Initiative (ZDI) points out that, across the industry, 10% to 20% of vulnerabilities are being revisited and re-patched.
Installing patches is therefore becoming ever riskier in terms of things breaking and causing downtime. Adding to the confusion, vendors are not providing enough context alongside the Common Vulnerability Scoring System (CVSS) score to let you judge quickly whether a patch is urgent. A vendor might give a high CVSS score to a bug that would not be easily exploited in practice.
CVSS is an industry standard meant to help assess the severity of security vulnerabilities in computer systems. Scores run from 0 to 10, with 10 the most severe, and the higher the score assigned to a vulnerability, the faster we are supposed to apply its patch. However, once the surrounding circumstances and additional risk factors are evaluated, we may not need to be quite so concerned.
For example, take Microsoft's CVE-2022-34715, published in August 2022, which fixes a Windows Network File System remote code execution vulnerability: its CVSS score of 9.8 suggests immediate concern. Looking closer at the bug, it only impacts Windows Server 2022, and then only if the NFS 4.0 role service is installed.
Or take September 2022's CVE-2022-37969, an elevation of privilege bug in the Windows Common Log File System driver, whose score of 7.8 looks comparatively less urgent, and yet it was being actively exploited by threat actors when the patch shipped. Based on the score alone, you might be tempted not to patch immediately; yet precisely this one could be used inside your network right now to elevate privileges.
So when deciding what to patch first, whether a vulnerability is already being actively exploited in the wild is a far better signal than the CVSS score alone. The US Cybersecurity & Infrastructure Security Agency (CISA) maintains a resource for checking exactly that: the Known Exploited Vulnerabilities (KEV) Catalog, which lists CVEs with confirmed in-the-wild exploitation together with a required action and a remediation due date (the due dates are binding on US federal civilian agencies under Binding Operational Directive 22-01, but they are a sensible yardstick for anyone). Be sure to cross-check it next Patch Tuesday. One caveat: the catalog is reactive by design, so a CVE that is absent from it has merely not been confirmed as exploited, not confirmed as safe.
For example, CVE-2019-0604, a Microsoft SharePoint remote code execution bug, is in the Catalog for good reason, whatever its CVSS: it was used in the summer of 2022 by Iranian state-sponsored actors to penetrate the networks of Albania's government organizations.
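As an added worked example (not part of the original article), the Python script below does the cross-check described above: it indexes the KEV feed by CVE ID and then orders a list of CVEs to assess by exploitation status first and CVSS second, so that a 7.8 that is in the Catalog outranks a 9.8 that is not. The catalog excerpt is a constructed sample in the layout of CISA's JSON feed (the real feed is at the URL in KEV_FEED_URL; fetching it is left out so the example runs offline), the function names and the P0/P1/P2 tiers are this example's own, and the CVSS values are those quoted in the article for the two 2022 CVEs plus NVD's 9.8 for CVE-2019-0604.

```python
"""Cross-check a list of CVEs against CISA's Known Exploited Vulnerabilities catalog.

Added example, not the article's code. The catalog excerpt below is a constructed
sample that follows the field layout of the real feed.
"""
from __future__ import annotations

import json

# The live feed. Fetch it with urllib/requests in practice; omitted so this runs offline.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the feed's layout, trimmed to two entries discussed in the article.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2022.09.13",
  "dateReleased": "2022-09-13T00:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2019-0604",
      "vendorProject": "Microsoft",
      "product": "SharePoint",
      "vulnerabilityName": "Microsoft SharePoint Remote Code Execution Vulnerability",
      "dateAdded": "2021-11-03",
      "shortDescription": "A remote code execution vulnerability exists in Microsoft SharePoint.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2022-05-03"
    },
    {
      "cveID": "CVE-2022-37969",
      "vendorProject": "Microsoft",
      "product": "Windows",
      "vulnerabilityName": "Microsoft Windows Common Log File System (CLFS) Driver Privilege Escalation Vulnerability",
      "dateAdded": "2022-09-13",
      "shortDescription": "Microsoft Windows CLFS driver contains an unspecified vulnerability that allows for privilege escalation.",
      "requiredAction": "Apply updates per vendor instructions.",
      "dueDate": "2022-10-04"
    }
  ]
}
"""

# Constructed input: what a scan report or Patch Tuesday summary might hand you.
# Scores: article values for the 2022 CVEs, NVD's 9.8 for CVE-2019-0604.
SAMPLE_CVES = [
    {"cve": "CVE-2022-34715", "cvss": 9.8},   # Windows NFS RCE, not in KEV
    {"cve": "CVE-2022-37969", "cvss": 7.8},   # CLFS EoP, exploited in the wild
    {"cve": "cve-2019-0604", "cvss": 9.8},    # SharePoint RCE; lower case on purpose
]


def load_kev(raw_json: str) -> dict[str, dict]:
    """Index the catalog by upper-cased CVE ID so lookups are case-insensitive."""
    data = json.loads(raw_json)
    return {entry["cveID"].upper(): entry for entry in data["vulnerabilities"]}


def tier_for(cvss: float, exploited: bool) -> str:
    """Hypothetical triage tiers: exploitation trumps score, then CVSS Critical (9.0+) next."""
    if exploited:
        return "P0 (exploited)"
    return "P1 (critical)" if cvss >= 9.0 else "P2"


def triage(cves: list[dict], kev: dict[str, dict]) -> list[dict]:
    """Return the input CVEs ordered KEV-listed first, then by descending CVSS."""
    rows = []
    for item in cves:
        entry = kev.get(item["cve"].upper())
        rows.append({
            "cve": item["cve"],
            "cvss": item["cvss"],
            "in_kev": entry is not None,
            "kev_due": entry["dueDate"] if entry else None,
            "tier": tier_for(item["cvss"], entry is not None),
        })
    # False sorts before True, so `not in_kev` puts exploited CVEs first.
    rows.sort(key=lambda r: (not r["in_kev"], -r["cvss"]))
    return rows


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    for row in triage(SAMPLE_CVES, catalog):
        flag = f"KEV, due {row['kev_due']}" if row["in_kev"] else "not in KEV"
        print(f"{row['cve']:<15} CVSS {row['cvss']:<4} {row['tier']:<15} {flag}")
```

Against the real feed the only change is replacing SAMPLE_KEV_JSON with the body fetched from KEV_FEED_URL; the field names are the feed's own. The due dates are CISA's deadlines for federal agencies, useful as a reference even when they are not binding on you, and a CVE missing from the catalog still needs its CVSS and context weighed, since absence only means exploitation has not been confirmed.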