A third of all vulnerabilities in 2019 had a CVSS v2 score of 7.0 and above
Risk Based Security’s VulnDB team aggregated 22,316 newly-disclosed vulnerabilities during 2019, finding that 37.26% had available exploit code or a Proof of Concept and that 33.43% of all vulnerabilities in 2019 had a CVSS v2 score of 7.0 and above.
2019 Year End Vulnerability QuickView Report
Risk Based Security also identified a total of 302 vulnerabilities impacting Electronic Voting Machines (EVMs), 289 of which have no known solution.
“As with any device that relies on code, there are vulnerabilities that can affect the system’s integrity and you don’t want anyone tampering with them. Only 13 EVM vulnerabilities have a known solution. To make matters worse, of those, only one has a CVE ID assigned and can be found cataloged in the U.S. National Vulnerability Database,” said Brian Martin, VP of Vulnerability Intelligence at Risk Based Security.
“EVMs with vulnerabilities have been used in past elections, and will no doubt be used again in our next elections. It doesn’t matter what politics or beliefs you subscribe to; the essence of democracy is a free, fair and secure election that captures the will of the people. The lack of visibility on this issue should be of deep concern to every American,” Martin added.
Patch Tuesday
The full research is highlighted in the just-released 2019 Year End Vulnerability QuickView Report. Additional key findings comment on the growing number of vulnerability disclosures that land on a single day because of Patch Tuesday. With 2019 reaching an all-time high of 327 vulnerabilities disclosed in one day, Risk Based Security maintains that the practice, despite its initial good intentions, is turning into a "nightmare" for many organizations that must triage and patch them all at once.
“Patch Tuesday was created by Microsoft and it rolled out patches in a more scheduled and consistent manner. However, as the years have passed, more and more vendors are not only co-opting the concept of Patch Tuesday, but the day itself,” Mr. Martin concludes. “What started with Microsoft has turned into a storm of vendor disclosures from major vendors like Adobe, SAP, Siemens, and Schneider Electric. More companies are starting to release on Patch Tuesday as well as at other times. Those vendors include Google, Apple, Mozilla, Intel, Cisco, F5, and Juniper. All of those potential releases are in addition to the typical disclosures seen on any average day.”