A third of 2018’s vulnerabilities have public exploits, 50% can be exploited remotely
Over 22,000 new vulnerabilities were disclosed during 2018, according to Risk Based Security’s 2018 Year End Vulnerability QuickView Report. While approximately 33% of published vulnerabilities received a CVSSv2 score of 7 or above, the number of vulnerabilities scoring 9 or above declined for the third year in a row.
The report confirms that the CVE / National Vulnerability Database (NVD) continues to face challenges keeping up with the relentless pace of new disclosures. The research team at Risk Based Security (RBS) catalogued 6,780 more vulnerabilities than CVE/NVD did, which is notable because it represents nearly 31% of all the vulnerabilities published in 2018.
“Companies can’t afford to miss almost a third of vulnerabilities each year. It is time to move from a ‘good enough’ mentality and toward the paradigm of ‘Better Data Matters’ that Risk Based Security and its VulnDB research is built upon. Missing 31% is unacceptable in today’s cyber landscape, especially when tools are available to prevent it,” said Brian Martin, VP of Vulnerability Intelligence, Risk Based Security.
Of the 6,780 vulnerabilities not published by CVE/NVD, 45.5% have a CVSSv2 score between 7.0 and 10.0, and 13.6% scored between 9.0 and 10.0. This once again calls attention to the importance of having a comprehensive view of vulnerability activity. Martin added, “No organization can afford to ignore a single vulnerability ranked between a 7 and 10, let alone over 3,000 of them!” These vulnerabilities cover a wide variety of software, including web browsers, enterprise tools, and third-party libraries that are embedded in hundreds or thousands of software packages.
The most significant vulnerability attack type for 2018 is Input Manipulation. “68.7% of the disclosed vulnerabilities are due to insufficient or improper input validation,” expounds Martin, “While a lot of vulnerabilities fall under this umbrella, including cross-site scripting, SQL injection, shell command injection, and buffer overflows, it underlines that software developers still struggle to carefully validate untrusted input. Having a mature SDL that includes secure coding practices can iron out many such issues and significantly reduce the threat from attackers.”
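To make the "insufficient or improper input validation" class concrete, the following added example (not code from the report or from Risk Based Security) puts two of the bug types Martin names, SQL injection and shell command injection, next to hardened versions. The user table, the injection payloads, and the hostname allow-list pattern are constructed for the example; the vulnerable `ping` builder only returns the command string it would hand to a shell, so nothing is executed.

```python
"""Added example: input-manipulation bugs beside their hardened forms.

Not part of the original article. Sample data and payloads are constructed.
"""
import re
import sqlite3

# Constructed sample data: a tiny user table.
USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]


def make_db():
    """Return an in-memory SQLite connection seeded with USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


# --- SQL injection: untrusted text spliced into the query grammar ----------
def lookup_email_vulnerable(conn, name):
    # The caller's string becomes part of the SQL text, so a payload such as
    # "' OR '1'='1" rewrites the WHERE clause and returns every row.
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(query))


def lookup_email_hardened(conn, name):
    # Parameter binding keeps the input as data; it can never alter the query.
    query = "SELECT email FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(query, (name,)))


# --- Shell command injection: untrusted text spliced into a command line ---
# Allow-list for DNS-style hostnames (assumed policy for this example).
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def ping_command_vulnerable(host):
    # Returns the string a naive implementation would pass to
    # subprocess.run(..., shell=True). Shell metacharacters in `host`
    # (';', '|', '$(...)') are interpreted by the shell, not by ping.
    return f"ping -c 1 {host}"


def ping_argv_hardened(host):
    # Validate against a strict allow-list first, then build an argv list so
    # the value is passed straight to exec() and no shell ever parses it.
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def demo():
    """Run both pairs on a constructed payload and return the outcomes."""
    conn = make_db()
    sqli_payload = "' OR '1'='1"
    cmdi_payload = "8.8.8.8; cat /etc/passwd"
    try:
        ping_argv_hardened(cmdi_payload)
        hardened_ping = "accepted"
    except ValueError:
        hardened_ping = "rejected"
    return {
        "sqli_vulnerable_rows": lookup_email_vulnerable(conn, sqli_payload),
        "sqli_hardened_rows": lookup_email_hardened(conn, sqli_payload),
        "cmdi_vulnerable_cmd": ping_command_vulnerable(cmdi_payload),
        "cmdi_hardened": hardened_ping,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both fixes share the same idea: keep untrusted input out of any grammar (SQL, shell) by passing it as data rather than text, and reject anything outside an explicit allow-list before it is used at all. Blocklisting individual characters is not a substitute, since the set of dangerous characters differs for every downstream parser.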
The report also shows that 32.7% of 2018’s vulnerabilities have public exploits and 50.5% can be exploited remotely, meaning that roughly half can be attacked over a network without local or physical access to the affected system. Another revealing finding: 27.1% of vulnerabilities had no known solution, up 5% from 2017 based on current data. And for those following the hot topic of bug bounty programs, almost 8% of vulnerabilities were coordinated through bug bounty programs, a solid increase from 5.8% the previous year.
Notably, SCADA vulnerabilities are on the rise: 3.5% of 2018 vulnerabilities were classified as SCADA vulnerabilities, double the previous year’s share. The report notes that this will be an area to watch as more SCADA systems are made internet accessible for convenience without a full appreciation of the safety risks and ramifications.