As New Years approaches, DevOcean Security Research team took a moment to sift through the digital debris of 2023's common vulnerabilities and exposures — those weak links in the cloud-to-code pipeline that plagued the year.
Which CVEs grabbed our attention and sent shockwaves through the cybersecurity realm, and what slipped past our radar unnoticed?
What lessons can we extract to fortify our defenses and most crucially, what insights we can glean to improve our vulnerability remediation processes in the coming year?
The Numbers Game
First things first, let's talk numbers. In 2023, we witnessed a whopping 26,447 vulnerabilities reported. That's 1500 more than the previous year! It seems like the world of cybersecurity is becoming a busier place each day. Since 2016, we've seen a steady climb in disclosed vulnerabilities, creating a daunting challenge for under-resourced, over-burdened, alert-fatigued security teams everywhere.
And here's a "fun" fact that'll make your security antennae twitch: over a third of the high-risk vulnerabilities could be exploited remotely. It's like digging a moat, filling it with sharks and then leaving the drawbridge down.
High-Risk Vulnerability Exploitation
Now, let's talk about high-risk vulnerabilities. According to a recent Qualys report, the most common MITRE ATT&CK techniques threat actors used to capitalize on high-risk vulnerabilities were exploitation of remote services, exploitation of public facing applications and exploitation of privilege escalation.
Adding another layer to this alarming scenario, the Mean Time to Exploit for 76% of high-risk vulnerabilities disclosed in 2023 was a mere 19 days. That's fast, but here's an even scarier revelation: 25% got exploited on the same day they made their publication debut. Talk about a zero-day party!
Breaches and Regrets
Here's a sobering reality check – 62% of breaches exploited vulnerabilities that were already known to the security teams. They knew the weak spots but were drowning in a sea of alerts, struggling to keep their heads above water. With even more vulnerabilities expected in 2024, now's the time to implement low-touch remediation processes into that not only automate manual tasks but also enable multiple issues to be solved with the same fix.
Action Time: Let's Do Better in 2024!
So, what's the takeaway? How can we do better in 2024? It's all about that end-game – remediation. Here are some actionable steps to tighten the screws on your vulnerability management:
- Low-Touch Remediation: Speed things up with automation. Get rid of those time-sucking manual tasks.
- Prioritize Like a Pro: Not all vulnerabilities are created equal. Understand the real risks and tackle them head-on.
- Mitigate and Patch: If you can't patch immediately, implement vendor-approved workarounds. It's better than leaving the door wide open.
- Repeat Offender Analysis: Identify the root cause of vulnerabilities that keep coming back to haunt you. Mitigate them once and for all.
The Rogue's Gallery:
- CVE-2023–4863: Heap-Based Buffer Overflow in WebP
- CVE-2023-5217: Heap-Based Buffer Overflow in libvpx
- CVE-2023-38545: Heap Buffer Overflow in cUrl and libcurl
- CVE-2023-38408: OpenSSH Remote Code Execution
- CVE-2023-27524: Authentication Bypass in Apache Superset
Most Exploited Vulnerabilities in the Wild
- CVE-2023-27350: PaperCut NG/MF
- CVE-2023-20887: VMware Aria Operations for Networks Command Injection
- CVE-2023-22952: SugarCRM Remote Code Execution
- CVE-2023-23397: Microsoft Outlook Elevation of Privilege
- CVE-2023-0669: Fortra GoAnywhere Managed File Transfer
Most Infamous Vulnerability: MOVEiT
Claiming the title for the most infamous vulnerability of 2023 is CVE-2023-32562, also known as the MOVEit transfer injection vulnerability. This notorious vulnerability gained its infamy due to its widespread impact and the number of high-profile companies that fell victim to it. Its unrestricted upload of file with dangerous type vulnerability in Avalanche versions 6.3.x and below allowed attackers to achieve remote code execution, leading to significant breaches.
Among the victims were several well-known companies, including BBC, Shell, UCLA, British Airways, and Siemens Energy. These breaches demonstrated the far-reaching implications of this vulnerability across a range of industries, from media and energy to education and aviation.
Conclusion: Let's Level Up in 2024
In the grand game of vulnerability and threat management, 2023 threw some curveballs. But armed with the knowledge of the past, we can build a more resilient "vulnerability-free" future. As we bid farewell to 2023, let's make a pact to do better in 2024.
Take action. Prioritize. Automate. Mitigate. Patch. Repeat.
We take the manual work out of cloud remediation so you can accomplish more.