0days Do not Wait for CVEs

June 3, 2021

Post by Robert Hansen

What if I were to tell you that an attack surface map can be more effective at finding critical vulnerabilities in some cases than a traditional network vulnerability scan? Crazy to think about, I know. To understand why that matters, you must first understand that CVEs do not matter as much as vulns do. 0days and vulns, in general, are a superset of CVEs, but not the other way around. There are a couple of reasons:

  • CVEs often lag behind 0days because the exploits are known before anyone can properly categorize these new vulns. That is not always true, but it happens frequently.
  • CVEs are often a categorization of issues, not the issue itself. Think Clickjacking – not every clickjacking vulnerability on every site has a CVE associated with it, yet it is pretty easy to find them with even a cursory glance. Have developers not attempted to report exploits in websites or web front ends to IoT devices? Of course they have, but not every vuln gets a CVE. Why? I am not sure – but I promise you not every vuln that has been disclosed on every mailing list has been added, despite being publicly known.

So what? This has huge implications for vuln scanners and how companies deal with 0days. Say a new 0day just popped up in XYZ Printer, and you want to find where you are vulnerable. There are different possibilities:

1) It has a CVE and a signature, as the exploit is made public.

2) It does not have a CVE yet, but it will soon. A signature may be available or may not.

3) It does not have a CVE and will not for whatever reason. A signature may be available or may not.

In the first example, where the exploit is already public and there is a signature for it, you are in relatively good shape if whatever scanner you are using is fast enough to scan all your websites for said issue. That will require an up-to-date asset inventory to begin with, or you will potentially miss assets with the vuln in question, but at least you have a path.

In the second and third examples, where you do not have a CVE, but you know what the issue is and you know what the signature is OR at least you know what the underlying vulnerable technology is, you have at least some information to use. But relying on CVEs or a traditional vuln scanner will either be slow or never work, depending on the situation. You will have to take matters into your own hands. How do you do that when no vulnerability scanners know how to find the vulnerability in question?

That is why Bit Discovery does not hide the information it gathers about service banners, CPE data, HTTP headers, HTML data, and so on. These data sets can be queried in real time to quickly identify dangerous technologies without necessarily knowing what the vuln is in them. For instance, for the XYZ Printer vulnerability mentioned above, there may be no easy signature for the vulnerability itself. However, identifying the printer may be possible by finding anything listening on printing ports, some unique string in the banner data, or some HTML string unique to that printer model.
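As an added illustration (not Bit Discovery's API or code from this post), the sketch below runs that kind of query over an exported asset inventory: it flags anything listening on common printing ports (515 LPD, 631 IPP, 9100 raw) or carrying a model string in its banner or HTML. The record layout, hostnames, and the "XYZ Printer" fingerprint are constructed assumptions.

```python
import re

# Constructed sample inventory; a real attack surface export will differ in shape.
INVENTORY = [
    {"host": "print01.example.com", "ip": "203.0.113.10",
     "services": [{"port": 9100, "banner": ""},
                  {"port": 80, "banner": "Server: XYZ-Printer-HTTPD/2.1",
                   "html": "<title>XYZ Printer Web Console</title>"}]},
    {"host": "www.example.com", "ip": "203.0.113.20",
     "services": [{"port": 443, "banner": "Server: nginx",
                   "html": "<title>Welcome</title>"}]},
    {"host": "legacy.example.com", "ip": "203.0.113.30",
     "services": [{"port": 631, "banner": "Server: CUPS/1.4"}]},
    {"host": "kiosk.example.com", "ip": "203.0.113.40",
     "services": [{"port": 8080, "banner": "Server: lighttpd",
                   "html": "<h1>xyz printer status</h1>"}]},
]

PRINT_PORTS = {515: "LPD", 631: "IPP", 9100: "raw/JetDirect"}
# Hypothetical fingerprint for the post's fictional "XYZ Printer".
FINGERPRINT = re.compile(r"xyz[\s-]*printer", re.IGNORECASE)

def find_exposed(inventory, ports=PRINT_PORTS, pattern=FINGERPRINT):
    """Return {host: [reasons]} for assets matching a port or string indicator."""
    hits = {}
    for asset in inventory:
        reasons = []
        for svc in asset.get("services", []):
            port = svc.get("port")
            if port in ports:
                reasons.append(f"port {port} ({ports[port]}) open")
            # Banner and HTML may be missing from a record; treat as empty.
            for field in ("banner", "html"):
                if pattern.search(svc.get(field) or ""):
                    reasons.append(f"{field} on port {port} matches fingerprint")
        if reasons:
            hits[asset["host"]] = reasons
    return hits

def triage(hits):
    """Order hosts: string matches (likely the affected model) first, port-only after."""
    return sorted(hits, key=lambda h: (not any("matches" in r for r in hits[h]), h))

if __name__ == "__main__":
    found = find_exposed(INVENTORY)
    for host in triage(found):
        print(host, "->", "; ".join(found[host]))
```

Port-only hits such as the CUPS host are not necessarily the affected model, but they are still print services exposed to the Internet and worth the same review.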

Why is the printer online on the public Internet in the first place? If you can remove said service/hardware from the public Internet, that might solve your problem immediately. Or maybe you can quickly put it behind a WAF or add a firewall ACL to hide it so that only the employees who need it can access it from their IPs, etc. That kind of mitigating control can quickly reduce risks without necessarily knowing how to find the actual vulnerability in question.

Without having a CVE or vulnerability signature to work from, you can quickly take proactive measures and reduce the risk well ahead of where external vulnerability scanning software may be able to help you. That is very important when assessing the overall value of having an up-to-date attack surface map. It is not just about finding your assets; it is also about giving you the ability to look deep within your attack surface map and identify risky assets at a moment’s notice. That is an enormous value add without an additional hidden cost since the data is already in the attack surface map, in Bit Discovery’s case, and already designed to be queried.

In this way, an up-to-date attack surface map that can be actively queried against the details of the asset metadata is an incredibly powerful first line of defense against 0days. When time is critical, you cannot wait days or weeks to get the information you need.