Nearly half of the vulnerabilities tracked in 1Q did not receive CVE designations.
Nearly half of the vulnerabilities tracked in 1Q did not receive CVE designations.

We are on track for another record-breaking year in the pace of vulnerability disclosures, said a new report from Risk Based Security.

The threat intelligence firm's VulnDB QuickView report [requires registration], a study of the first quarter of 2017, found that the number of vulnerabilities being reported are rising at an "unrelenting" pace.

In fact, the study determined that the number increased nearly 30 percent over the same time last year. Perhaps even more troublesome, nearly half of the vulnerabilities tracked did not receive Common Vulnerabilities and Exposures (CVE) designations, and so were not registered in the National Vulnerability Database (NVD), the U.S. government's repository of standards-based vulnerability management data, or comparable databases.

The study also discovered that more than a third of the vulnerabilities were already exploited or contained enough details that a public exploit was readily available. Half of the flaws, the report said, were remotely exploitable.

And, these risks could be lessened – if only security administrators kept their systems patched – as nearly three-quarters of the vulnerabilities have a documented solution, such as workarounds, a patch or a fixed version, the study revealed.

The consequences are dire for enterprises as a result of this increase, the report determined, as more budget is required to keep current with news on the security vulnerabilities impacting their infrastructure. As well, costs rise as more vulnerabilities leads to proper prioritization, triage and remediation, the study found.

“It is clear that relying solely on CVE/NVD or similar sources is not a viable solution as about half of the vulnerabilities will be missed," Carsten Eiram, chief research officer for Risk Based Security, said in a statement. “Doing so constitutes a significant threat when considering that half of the reported vulnerabilities are remotely exploitable and about a third have exploits available.”

While the good news was that three-quarters of the reported vulnerabilities had been addressed with documented solutions, the remaining one quarter still have not been addressed with a solution. 

"That means organizations relying solely on patch management for vulnerability remediation are failing to address weaknesses in their infrastructure and applications," the report stated. After all, if there is no patch, there is nothing for a patch manager to do.

“The lack of vulnerability coverage from freely available or U.S. funded government projects forces companies to make a decision: Run the risk of using incomplete vulnerability information, spend significant resources tracking vulnerabilities internally or seek a vulnerability intelligence feed from a reliable service,” Eiram explained.

When asked how Risk Based Security measures the incidence of vulnerabilities, Brian Martin, VP of vulnerability intelligence at Risk Based Security, told SC Media on Friday that his company monitors more than 2,000 sources that are potential points of disclosure for vulnerability information. 

"Each disclosure is examined by the VulnDB team to ensure it meets criteria for inclusion in the database (e.g., it is a valid vulnerability that crosses privilege boundaries). We track vulnerabilities based on the initial disclosure date to ensure accurate per-year totals. If a vulnerability is mentioned today, we might dig up a prior reference to it in a changelog, bug tracker, or commit. In that case, we'd use the older date as the time of disclosure; just because it started receiving attention today doesn't necessarily mean it was disclosed today."

Organizations have grown their IT resources over the years but many have excluded hundreds or even thousands of products and vendors, Martin told SC. "As each vendor provides patches, an organization has to understand their network footprint, have an asset inventory, and a good grasp on the risk of each vulnerability being patched."

Due to the volume of patches, along with what Martin calls an "incredible" number of systems, it becomes a best effort triage situation. "If a vendor downplays a given vulnerability or doesn't provide enough technical detail, an administrator may opt to patch other issues first," he informed SC.

For some specialty systems – such as SCADA, IoT and medical devices – these may be based on extremely old operating systems that no longer receive patches, or may be systems that if rebooted could cause serious harm, Martin explained. "For a patient hooked up to critical medical devices providing care, there really is no option to patch that device until it isn't being used; and that relies on a patch being available, which often isn't the case even if the device is quite new."

Given the fast-paced atmosphere of a hospital, Martin said, just keeping up with the locations of these devices is difficult, so the thought of keeping them updated is a nightmare."

In addition, he pointed to the struggle with third-party libraries that, he said, are often a core component of them. "For example, OpenSSL is a single library that provides secure communications between a web browser and server, but that library might be found in a wide variety of products, including appliances. Since many vendors use the libraries but do not disclose the versions, it becomes extremely difficult to properly understand the risk to your network."

And, when asked why IT security admins don't they keep their systems and applications updated, Martin responded that in some cases it may be an issue of resources – too many systems and not enough administrators. "Many organizations require any patch or upgrade to be thoroughly tested before deploying it to the production network to avoid outages or unexpected failures. Add to that many other potential one-off situations where politics may come into play, security staff turnover, or a patch being available but not properly installing on a system causing them to work with the vendor to figure it out."

This year, RBS is aggregating an average of just under 60 vulnerabilities a day, with swings up to more than 260 in a single day, Martin said. "This considerable volume certainly adds to the complexity of an organization's patching efforts."