Shouldn't you address that significant vulnerability before it worsens?
Organizations may not need to expedite patching every 'critical' security vulnerability listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, according to a report from Ox Security.
After examining more than 200 different environments, the researchers concluded that a 'patch everything' approach can waste scarce security resources, because many catalog entries present no real-world exploitation risk in a given environment, particularly in cloud container environments.
Established in 2021, CISA's KEV catalog has become an essential resource for defenders; however, it should not serve as a hard-and-fast to-do list, said Ox Security. The researchers argued that the catalog lists exploited vulnerabilities across very different platforms, from personal devices to webcams, without indicating which environments each one is actually relevant to.
Treating all KEV vulnerabilities as equally urgent, as sometimes demanded by compliance regulations, and regardless of environmental context, creates unnecessary workload for already overwhelmed security teams and diverts resources from genuinely critical issues, the report suggests.
Among ten recent KEV CVEs the firm investigated, six were originally reported on Android devices and require an Android-specific environment to reproduce, physical access for a USB connection, or terminal access. Two of these also apply to most operating systems built on the Linux kernel, but successful exploitation there would require chaining them with additional vulnerabilities.
Another CVE was originally reported in Apple's Safari browser, where cookie-management logic was flawed, an issue that does not apply to cloud containerized environments. Similarly, three were originally reported in libraries used by the Google Chrome browser, which are irrelevant for cloud containers since most do not use these libraries for content processing and rendering.
In advising organizations, Ox Security encourages a pragmatic approach: evaluate the context before rushing to patch. Before treating a KEV alert as critical, security teams should examine the original context in which the CVE was reported and compare it to their own environment. They should also search for public proofs-of-concept and for reports of the vulnerability being exploited; the absence of both lowers the likelihood that an attacker will develop an exploit themselves. One caveat: a KEV listing means exploitation has already been observed somewhere, so the useful question is whether it has been observed against a configuration resembling yours.
Additionally, the researchers suggest assessing whether the vulnerability could grant access to sensitive information, in which case it should be prioritized regardless of the other factors.
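The triage workflow described above can be expressed as a scoring pass over the KEV feed. The following is an added example, not code from Ox Security or CISA. The record field names (cveID, vendorProject, product, shortDescription, knownRansomwareCampaignUse) follow the public KEV JSON feed, but every record below is a constructed placeholder with an impossible cveID, and the asset inventory, the proof-of-concept list and the local-access keyword heuristics are assumptions to be replaced with your own data.

```python
"""Context-aware triage of KEV-shaped records against a local asset inventory.

Added example, not Ox Security's or CISA's code. All records, the inventory,
PUBLIC_POC and LOCAL_ONLY_HINTS are constructed assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    vendor: str
    product: str
    handles_sensitive_data: bool


# Assumed inventory of a container-based cloud workload. Android, Safari and
# Chrome rendering libraries are deliberately absent, as in the report.
INVENTORY = (
    Asset("Linux", "Kernel", handles_sensitive_data=False),
    Asset("OpenSSL", "OpenSSL", handles_sensitive_data=True),
)

# Phrases (assumed heuristics) signalling a precondition that a remote
# attacker facing a headless container cannot meet.
LOCAL_ONLY_HINTS = (r"physical access", r"\busb\b", r"local terminal")

# Constructed KEV-shaped records; the cveID values are placeholders, not real CVEs.
SAMPLE_KEV = [
    {"cveID": "CVE-0000-0001", "vendorProject": "Google", "product": "Android",
     "shortDescription": "Android driver flaw exploitable with physical access over USB.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "Apple", "product": "Safari",
     "shortDescription": "Safari cookie management logic error.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "Linux", "product": "Kernel",
     "shortDescription": "Linux kernel use-after-free allowing local privilege escalation.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0004", "vendorProject": "OpenSSL", "product": "OpenSSL",
     "shortDescription": "OpenSSL memory corruption reachable via a crafted TLS handshake.",
     "knownRansomwareCampaignUse": "Known"},
]

# Assumed outcome of a public proof-of-concept search, keyed by cveID.
PUBLIC_POC = {"CVE-0000-0001", "CVE-0000-0003"}


def triage(entry, inventory=INVENTORY, public_poc=PUBLIC_POC):
    """Return (tier, reasons) for one KEV record given the local context."""
    reasons = []
    vendor, product = entry["vendorProject"].lower(), entry["product"].lower()
    asset = next((a for a in inventory
                  if a.vendor.lower() == vendor and a.product.lower() == product), None)
    if asset is None:
        # Step 1: the reported context does not match this environment at all.
        reasons.append("component not deployed in this environment")
        return "track only", reasons

    score = 2  # a deployed component starts as schedulable work
    desc = entry["shortDescription"].lower()
    if any(re.search(p, desc) for p in LOCAL_ONLY_HINTS):
        score -= 1
        reasons.append("precondition needs local/physical access")
    if entry["cveID"] in public_poc:
        score += 1
        reasons.append("public proof-of-concept available")
    if asset.handles_sensitive_data:
        score += 1
        reasons.append("component handles sensitive data")
    if entry.get("knownRansomwareCampaignUse") == "Known":
        score += 1
        reasons.append("used in ransomware campaigns")

    tier = "patch now" if score >= 4 else "schedule" if score >= 2 else "track only"
    return tier, reasons


def prioritize(entries=SAMPLE_KEV):
    """Sort KEV records into patch-now / schedule / track-only buckets."""
    order = {"patch now": 0, "schedule": 1, "track only": 2}
    ranked = [(e["cveID"], *triage(e)) for e in entries]
    return sorted(ranked, key=lambda r: (order[r[1]], r[0]))


if __name__ == "__main__":
    for cve, tier, why in prioritize():
        print(f"{cve:14} {tier:10} {'; '.join(why)}")
```

The "track only" tier is deliberately not "ignore": entries that do not match the inventory stay on the list so that a compliance reviewer can see why they were deprioritized, and so that a later inventory change (say, adding a headless Chrome renderer) re-surfaces them.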
"This additional contextual information would enable security teams to implement a more precise and efficient workflow when handling critical vulnerabilities in their environments, reducing alert fatigue and focusing resources where they matter most," the firm said.
Ox Security also calls for more assistance from CISA and vulnerability-monitoring organizations. According to the report, these entities should publish contextual information, such as the platform and access preconditions under which exploitation was observed, so that security teams can quickly assess a vulnerability's relevance to their specific environments.
Separately, the European Union has recently launched its own vulnerability database, and MITRE has published lessons learned on security and vulnerability management; both offer additional context for businesses. The Ox Security report, for its part, highlights the cost of letting an undifferentiated patching queue crowd out the fixes that genuinely matter.
In light of the Ox Security report, organizations should evaluate context before hastily patching, since some KEV entries pose no meaningful risk in cloud and data environments. The report argues that compliance regimes should not treat every vulnerability in the KEV catalog as equally urgent, because doing so misallocates security resources and risks neglecting genuinely critical issues.