Dirty Little Secrets of Vulnerability Management

For whatever reason, most people don’t spend their evenings learning about vulnerability management and prioritization 🤷‍♂️. Lucky for you, I do!

This blog post will cover common misconceptions I constantly explain to security professionals, aspiring professionals, founders, my girlfriend, my mom, and anyone else who will listen.

Jokes aside, understanding these details is incredibly important to manage and prioritize vulnerabilities effectively. Let’s get into it.

Table of Contents

• NVD ≠ CVE Program

• CISA KEV Catalog: Missing Key Vulnerabilities?

• EPSS: Exploit Likelihood vs Exploitability

• Open Source is Doomed

• Until Next Time! 👋

NVD ≠ CVE Program

Let’s start with the basics. You must be familiar with Common Vulnerabilities and Exposures (CVEs).

Many think the National Institute of Standards and Technology (NIST) oversees the CVE program; this is incorrect. NIST maintains the National Vulnerability Database (NVD), which ingests and enriches vulnerabilities from the CVE program. Currently, MITRE is the CVE Program’s Secretariat.

Secretariat: “An organization authorized by the CVE Program to develop, host, and maintain the Program’s infrastructure and to provide administrative and logistical support for the CVE Board, CVE Working Groups, and other parts of the Program.”

Learn more about the CVE Program structure here.

At the time of this writing, there are 383 CVE Program partners to whom people can report vulnerabilities. Becoming a partner or CVE Numbering Authority doesn’t require much, and once you’re approved, there isn’t much expected of you. Jerry Gamblin reported that almost 100 CNAs did not report a single CVE in 2023.

CISA KEV Catalog: Missing Key Vulnerabilities?

If you want to truly understand CISA’s Known Exploited Vulnerabilities (KEV) Catalog, you can learn about it directly from the source! CISA’s Tod Beardsley and Elizabeth Cardona explained it (accurately 🙏) at this year’s VulnCon. Video recording here

Directly from their website: “CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.”

Okay, cool, it’s “authoritative,” whatever that means. But the critical thing to note is that it isn’t complete. This bothers me because they should do a better job at making this known.

I won’t explain exactly how the program operates, but some common misconceptions:

1. Vulnerabilities added to the KEV Catalog do not always mean the vulnerability is actively exploited. It could have been exploited in the past.

2. If a vulnerability has publicly available exploit code or has only been abused during academic or penetration testing activities, it will not be added to the KEV. Known real-world exploitation is required for a vulnerability to be added.

3. CISA evaluates whether the active exploitation is meaningful to the federal enterprise. It must hit a “pretty cool” target or be meaningful to the US Government. Humans review this on a case-by-case basis.

4. Clear remediation actions must be available for the exploited vulnerability to be added to the KEV Catalog. If the remediation poses as much risk or more risk than remaining vulnerable, CISA will not publish the vulnerability.

Remember that over 250,000 total CVEs and only 1,100 have been entered into the KEV Catalog.

If you’re vulnerable to something in the KEV, prioritize it. Still, I would instead use something like VulnCheck’s KEV, which considers publicly available exploit codes and academic research. It’s free to use and contains ~2,000 vulnerabilities with 8,500+ cited references and 3,500+ POC references - which CISA’s KEV Catalog does not include.

EPSS: Exploit Likelihood vs Exploitability

Next up is the Exploit Prediction Scoring System (EPSS). There’s often confusion about what EPSS measures.

Most people think it evaluates the likelihood of a vulnerability being exploitable, but in reality, it predicts the probability of a vulnerability being exploited in the wild (if it is exploitable!). This distinction is crucial.

EPSS uses a variety of data sources, including historical exploitation data, to estimate the probability that a vulnerability will be exploited within the next 30 days. A dynamic scoring system updates regularly to reflect new information and trends. This means that a high EPSS score indicates a higher likelihood of real-world exploitation (if it is exploitable!).

Especially in a world dominated by SAST tools spewing false positives, a high EPSS score should not mean ignoring triage and going straight into incident response mode.

Finally, EPSS considers commonly targeted references in its scoring system. For instance, a security advisory mentioning a high-profile target like Microsoft will likely have a higher EPSS score due to the increased likelihood of exploitation. This focus on well-known targets can skew the prioritization, leaving lesser-known but equally critical OSS vulnerabilities under-prioritized.

Open Source is Doomed

Lastly, let’s discuss open-source software (OSS) and why using legacy vulnerability management frameworks will not work long-term, especially in the context of open-source software dependencies (software packages used by developers).

One critical issue is that there’s no requirement to publish a CVE. Instead, open-source maintainers frequently publish security advisories on alternative platforms like the GitHub Advisory Database. This means many OSS vulnerabilities go untracked by traditional databases like NVD.

In November 2023, Aqua’s Yakir Kadkoda and Ilay Goldman published 50 Shades of Vulnerabilities: Uncovering Flaws in Open-Source Vulnerability Disclosures, which evaluated the vulnerability disclosure process for tens of thousands of open-source projects and found flaws in the process.

Until Next Time! 👋 

Hey, you made it to the bottom – thanks for sticking around!

Questions, ideas, or want to chat? Slide into my inbox! 💌

Don’t hesitate to forward if someone could benefit from this.

See you next Monday!
-Kyle

P.S. CramHacks now has a Supporter tier! You can upgrade here to support CramHacks and its free weekly content 😃.