“Managing” vulnerabilities is an endless effort that is only truly noticed when it fails. More often than not, the constant debate over which vulnerabilities get prioritized for remediation is decided based on likelihood of exploit, followed by impact, and level of effort to fix. The typical result is that low- and medium-grade vulnerabilities get de-prioritized—in other words, not fixed—until there is no choice.
Vulnerabilities, no matter what they’re rated, do not exist in a vacuum. Consider Courtney's first law which states, “You cannot say anything interesting (i.e., significant) about the security of a system except in the context of a particular application and environment.”1 So, what is that context?
For argument’s sake, let’s call out the typical situations when vulnerabilities must be fixed. This will help illustrate to all concerned parties, within security and beyond, that lower grade vulnerabilities should be fixed before they are exploited. Contrary to popular belief, low- and medium-rated vulnerabilities can get your apps and identities pwned.
|Vulnerability type||Point at which it must be fixed|
|Operating system (upgrades and patches)||
|Add-on software (Java, Adobe) and browser patches and upgrades||
|Web application vulnerabilities (code fixes or a web application firewall (WAF))||
In some cases, a vulnerability that was once rated low priority is now an elevated threat. There is a common lifecycle of vulnerabilities in which they evolve in threat level from theoretical concept, to proof-of-concept script, to point-and-click exploit tool.
In addition to reasons that include actual threats to your systems, there are ancillary reasons why a low-priority patch might be forced out. Such non-threat ancillary reasons can include the following:
Active threat or not, an external push to patch something when the team isn’t ready is never ideal. People “under the gun” are prone to mistakes, and the scenario typically plays out with not enough time or capability to adequately test. Let’s face it, when forced to do out-of-band patching, everyone is frustrated, security team or not. These under-the-gun scenarios have a high likelihood of system outages or unintended application impacts that could negatively affect revenue. So why not avoid them? Although everything has a cost, no remediation effort is more expensive than fixing after a breach.
Vulnerabilities that are rated low can be combined with other attacks to increase their potential impact. F5 recently published two pieces about lower grade vulnerabilities that could, relatively trivially, escalate to a high, in which you would be dealing with a compromise situation. The F5 Labs article2 about “three lows making a high” is particularly interesting, given the result is compromised Microsoft Exchange credentials. An F5 security operations engineer—in the trenches mitigating web application exploits on a daily basis—recently wrote a piece on combining cross-site scripting (XSS)3 with a little social engineering (zero security operators are surprised about how easy that is), to ultimately get admin credentials to a web app. Yet, XSS is commonly classified as medium risk and is still one of the most prevalent web application vulnerabilities.4 Developers often argue that XSS is “a customer browser issue” and “not a high risk,” concluding that “we don’t have cycles to fix low-risk technical debt.”
Bottom line is, if you are serious about not being hacked, you must understand the potential impact of all vulnerabilities, regardless of severity classification. You never know when three lows will make a high. You don’t want to be doing incident response trying to figure out how you were compromised, going through CVEs to determine if some low-grade vulnerability provided privilege escalation to another, defending why you weren’t fully patched, or arguing your case for not fixing known vulnerabilities because they were considered low risk. We all know this is much easier said than done, but it’s still worth fighting the good fight.
Here are some actions you can take within your organization to enhance your vulnerability management program:
I hope this gives you more insight into looking deeper at your vulnerabilities—all your vulnerabilities. Here’s hoping you don’t have any more patching fire drills or breaches.
MODIFIED: Jul 25, 2017