Over 80% of enterprise IT systems feature unpatched CVE vulnerabilities

News by Jay Jay

CVE vulnerabilities dating back to 1999 are just one of the things researchers found when they delved into organisations' patch management practices.

Organisations have a shocking number of unpatched vulnerabilities (Pic: Henrik Sorensen/Getty Images)

New research into the cyber-resilience of enterprise IT systems has found that over 80 percent of systems have at least one CVE vulnerability, over 70 percent feature more than one CVE vulnerability and as many as one in five enterprise IT systems feature over ten unpatched CVE vulnerabilities at any point in time.

Edgescan's 2019 Vulnerability Statistics Report found that many of these CVE vulnerabilities date back to 1999 and to the first decade of the 2000s, indicating that enterprises have been unable to either locate or patch known security vulnerabilities that have existed in their IT systems and applications for over a decade.

In fact, the CVE-1999-0017 vulnerability, which allows attackers to carry out ‘FTP bounce’ attacks to transfer sensitive files and data, was present in over 3,000 enterprise IT systems across Europe and in North America in 2018.

An enterprise can call itself PCI DSS compliant if security vulnerabilities in its IT systems do not have a base score of 4.0 or higher. However, Edgescan found that 68 percent of vulnerabilities found in IT systems in 2018 had a score of 4.0 or higher, and 57 percent of all network vulnerabilities and 22 percent of web application vulnerabilities also had scores of 4.0 or higher.

"These findings highlight a serious oversight from a cyber-security standpoint. In fact, we still see high rates of known and patchable vulnerabilities with working exploits in the wild, which demonstrates it’s becoming increasingly hard to patch production systems effectively on a consistent basis," noted Eoin Keary, CEO of Edgescan.

According to Edgescan, it takes an average enterprise about 69 days to patch a critical vulnerability in its applications and 65 days to patch the same in its infrastructure layers. Similarly, high-risk and medium-risk vulnerabilities in enterprise applications take up to 83 days and 74 days respectively to patch, thereby taking the average window of exposure for critical web application vulnerabilities to 69 days.

While 81 percent of all vulnerabilities in enterprise IT systems are network vulnerabilities and only 19 percent are application vulnerabilities, over 19 percent of application vulnerabilities are either high risk or critical ones compared to just two percent of network vulnerabilities. At the same time, nearly 25 percent of all vulnerabilities in internal and non-public applications are either critical or high risk ones and another 22.5 percent of them are medium risk ones.

According to Edgescan researchers, this is due to the "snowflake effect" as every application is unique, developed in a standalone fashion and serves a unique purpose, as opposed to infrastructure which is commoditised and much more uniform.

This indicates that the lack of visibility of enterprises over web applications deployed in their networks coupled with the long time required to patch critical, high risk or medium risk vulnerabilities exposes organisations to cyber-attacks and malware injections carried out by attackers.

"The high-risk density score of 24.3 percent for internal-facing applications is worrisome given many studies cite the ‘insider threat’ as a significant issue. Malware and ransomware also target known vulnerabilities and can easily exploit internal systems, should they get the opportunity to do so," they added.

While 14.69 percent of web application vulnerabilities allowed attackers to carry out cross-site scripting (XSS) attacks due to a lack of or poor contextual output encoding, 12.36 percent allowed attackers to take advantage of misconfigured components and insecure defaults, 8.18 percent allowed injection attacks and 6.3 percent allowed attackers to force applications to interact with external services.

Edgescan also noted how the presence of multiple open ports at enterprises increased the overall attack surface and the possibility of a security breach, and also resulted in well-known attacks such as WannaCry, NotPetya, Mirai, ADB Miner and PyRoMine amongst others.

The researchers found a large number of exposed SMB ports, RDP ports, Telnet ports and FTP ports that could be targeted by traditional hacking attacks and could lead to breaches and data loss.

"Remediation of this type of issue simply requires a firewall change or services being shut down. This sounds simple but the challenge is attaining visibility in the first place. Continuous asset profiling helps detect open services and when coupled with an alerting mechanism to notify one of an exposure, it is an easier challenge to address. Simply put, visibility helps reduce a system’s attack surface, in a constantly changing environment," they added.

"While patching and its importance is widely understood by enterprises, it's not usually a simple task. Indeed, many times, getting a patch tested, approved and deployed can be a tricky task. Having an up to date and accurate asset inventory can help enterprises not only understand how big any exposure is, but also how exploitable it is," Javvad Malik, security advocate at AlienVault, told SC Media UK.

"Hardening systems can help because many attacks work based on default permissions or credentials, particularly for IoT devices. Additionally, companies should look to deploy detection and response capabilities so that any attempted exploitation of vulnerabilities can be quickly shut down," he added.

Commenting on Edgescan's findings on existing vulnerabilities in enterprises' IT networks and their web applications, Shlomie Liberow, technical programme manager at HackerOne, said that these figures indeed paint a bleak picture, but this often stems from weak visibility on all company-owned assets. When an asset is not being tracked, the overall security maturity of the organisation matters less.

"A strong first step to increasing security is ensuring that all company infrastructure is accounted for. This allows for fast patching when a new vulnerability is released and retirement when software reaches its end of life," Liberow added.

Ilia Kolochenko, CEO of High-Tech Bridge, said that many companies simply have no resources to manage low-risk or isolated systems in a timely manner, as they consider their breach insignificant for business. Frequently, company management are not wrong as the exploitation of such flaws may, for example, require an attacker to have physical access to the system.

"Another frequent reason is that security teams may test the security patch prior to deploying it on business-critical systems. Sometimes automatic patch installation simply fails due to various incompatibilities or interdependencies. Ultimately, some systems are just disconnected from the network for a reason. All this makes outdated and even obsolete systems somewhat omnipresent in every large company and organisation," he added.
