CISA’s Exploited Vulnerabilities Catalog – 1-21-22
Last Friday, CISA sent out an email to registered individuals announcing that they had added four new vulnerabilities to their Known Exploited Vulnerabilities Catalog. This catalog supports the requirements of Binding Operational Directive 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities, for Federal agencies to take remediation actions to protect federal computer systems against cyber-attacks.
The four new entries are:
CVE-2012-0391 – Apache Struts 2,
CVE-2021-35247 – SolarWinds Serv-U,
CVE-2006-1547 – Apache Struts 1, and
CVE-2018-8453 – Microsoft Win32k
The Table
The Catalog is set up in a tabular format with the latest entries on top. The first entry in the table dates back to March 3rd, 2021 and there are currently 344 entries. The web-site table consists of 9 columns:
CVE,
Vendor/Project,
Product,
Vulnerability name,
Date added,
Short description,
Action,
Due date, and
Notes
The first six columns need no real explanation. The ‘Action’ and ‘Due Date’ columns refer to the requirements of BOD 22-01 and thus apply only to Federal agencies. The last column allows CISA to provide links to related documents; it is not used frequently (I counted 13 ‘notes’ for 344 entries).
The Table can be downloaded in either CSV or JSON format for use in your ‘favorite’ program. This is important because there are no provisions on the web site for searching.
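As an added example (not CISA’s code or part of the original post), here is a small Python script that loads a CSV export using the nine column names above and searches it offline by vendor, product, local inventory and BOD 22-01 due date. The sample rows and dates are constructed placeholders, and the header names of a real export are assumed to match the column names listed above.

```python
"""Offline search over a CISA KEV catalog CSV export (added example)."""
import csv
import io
from datetime import date

# Constructed sample export: headers use the catalog's nine column names;
# descriptions, action text, dates and the note URL are placeholders.
SAMPLE_CSV = """\
CVE,Vendor/Project,Product,Vulnerability name,Date added,Short description,Action,Due date,Notes
CVE-2012-0391,Apache,Struts 2,placeholder name,2022-01-21,placeholder,Apply updates per vendor instructions.,2022-07-21,
CVE-2021-35247,SolarWinds,Serv-U,placeholder name,2022-01-21,placeholder,Apply updates per vendor instructions.,2022-02-04,
CVE-2006-1547,Apache,Struts 1,placeholder name,2022-01-21,placeholder,Apply updates per vendor instructions.,2022-07-21,
CVE-2018-8453,Microsoft,Win32k,placeholder name,2022-01-21,placeholder,Apply updates per vendor instructions.,2022-02-04,https://example.invalid/note
"""


def load_catalog(text):
    """Parse a KEV CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def search(entries, vendor=None, product=None):
    """Case-insensitive substring match on Vendor/Project and/or Product."""
    hits = []
    for e in entries:
        if vendor and vendor.lower() not in e["Vendor/Project"].lower():
            continue
        if product and product.lower() not in e["Product"].lower():
            continue
        hits.append(e["CVE"])
    return hits


def match_inventory(entries, inventory):
    """Return catalog CVEs whose (vendor, product) pair is in a local
    software inventory given as an iterable of (vendor, product) strings."""
    wanted = {(v.lower(), p.lower()) for v, p in inventory}
    return [e["CVE"] for e in entries
            if (e["Vendor/Project"].lower(), e["Product"].lower()) in wanted]


def overdue(entries, today):
    """CVEs whose BOD 22-01 due date is before `today` (ISO date string)."""
    cutoff = date.fromisoformat(today)
    return [e["CVE"] for e in entries
            if date.fromisoformat(e["Due date"]) < cutoff]


if __name__ == "__main__":
    cat = load_catalog(SAMPLE_CSV)
    print(search(cat, vendor="apache"))
    print(match_inventory(cat, [("Microsoft", "Win32k")]))
    print(overdue(cat, "2022-03-01"))
```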
BOD 22-01
The Directive web site explains how CISA expects Federal Agencies to use the information in the Catalog. CISA is making the web site public because they obviously think that Federal agencies are not the only ones that need to take actions with respect to these listed vulnerabilities. Individuals or organizations can sign up for the notification emails that are sent when CISA periodically updates the Catalog.
List selection has nothing to do with the CVSS for the vulnerability or its CVE description. There are three criteria that CISA uses to add vulnerabilities to the list:
Has an assigned Common Vulnerabilities and Exposures (CVE) ID.
There is reliable evidence that the vulnerability has been actively exploited in the wild.
There is a clear remediation action for the vulnerability, such as a vendor provided update.
The Catalog and 3rd Party Vulnerabilities
While CISA uses CVE assignment as a criterion for selecting vulnerabilities for listing in the Catalog, it seems that CISA does not share the information about a vulnerability’s selection with the NIST folks that maintain the National Vulnerability Database. Okay, that is almost certainly not true, since CISA sends the announcement of new additions to the Catalog to every federal agency, which has got to include NIST.
When I first noticed that a CVE’s Catalog listing was not included in the NVD entry for that CVE, I immediately questioned how folks would be able to identify that they were potentially affected when 3rd-party vulnerabilities were identified on the list. But this is apparently not an issue, since I do not see any of the open source software that typically shows up as third-party vulnerabilities. It would make sense for CISA to avoid adding such vulnerabilities to the Catalog, since it would be difficult to identify all of the affected software that would require mitigation.
Commentary
The idea of prioritizing vulnerabilities for mitigation based not on the potential threat but on the occurrence of real-world exploitation makes a certain amount of sense. According to a study published by the Software Engineering Institute at Carnegie Mellon University (referenced by CISA on their BOD 22-01 page), it would seem that just about 4% of published vulnerabilities have exploits published within 365 days of the vulnerability being made public. That study did not look at exploits being used in real-world attacks, just exploits being published. Thus, it would probably be safe to assume that an even smaller percentage of vulnerabilities were actually exploited in the wild.
The only problem with this methodology is that it does not make mitigating the identified vulnerabilities a priority until exploitation has been seen, and exploitation typically begins well before it is detected. Thus, it would almost seem inevitable that there would be some number of federal facilities that were affected before the listing occurred. CISA hopes to reduce this problem by scanning federal internet-facing IP addresses for known vulnerabilities and then notifying affected agencies of the required remediation of those vulnerabilities under BOD 19-02.
What would be helpful, though, would be for CISA to publish, alongside each vulnerability listed in the Catalog, indicators of compromise for the exploitation of that vulnerability. This would allow agencies (and the public that uses this tool) to check whether they have already been compromised by the identified exploits.