Many organizations lag in patching high-severity vulnerabilities, according to a new study that reveals more than 50% of servers scanned have a weak security posture weeks and months after a security update is released.
To create the "2021 Trustwave SpiderLabs Telemetry Report," researchers used Shodan, publicly available exploit information, and non-intrusive analysis of vulnerable targets accessible on the Internet. They found many servers weren't patched in a timely manner, ran unsupported software, and used older protocols and remote access tools on servers accessible on the Web.
In 2020, 18,352 new security flaws were reported, a 6% jump from 2019 and a 184.66% increase from 2016, researchers note in the report. As of September 1 this year, about 13,000 vulnerabilities had been reported, slightly more than the 12,360 reported at the same point in 2020. Of these, 20% were classified as high severity.
Karl Sigler, senior security research manager at Trustwave SpiderLabs, points to a few reasons why the number of disclosed vulnerabilities is trending upward. For starters, he says, more researchers are probing tools and services, testing their defenses to find the security gaps. But a proliferation of new technologies is also being adopted, and all of them have flaws.
"There is a huge shift in how technology is being used," he says. "There's a lot more public-facing services, especially for work-from-home because of the pandemic and a lot of other factors … I think organizations are becoming more globally disparate, there is more work-from-home, and expansion of the employee base, which will expose a lot of services as well."
Enterprise environments are growing, too. Organizations are getting larger, and the systems and services they use and offer to employees and customers are becoming more complex.
"It's not just a front-end and a back-end database — there are all kinds of various systems involved and often other organizations: third-party services, managed services, things like that," Sigler adds.
All of this complexity makes environments more difficult to secure, especially as the number of disclosed vulnerabilities continues to rise. Researchers put the spotlight on a handful of high-severity flaws that still affect thousands of servers, months after their patches were released.
These include the Microsoft Exchange Server vulnerabilities ProxyShell and ProxyToken. ProxyShell chains three flaws (CVE-2021-34473, CVE-2021-31207, and CVE-2021-34523) that together let an unauthenticated attacker execute arbitrary code on an Exchange Server reachable on port 443; ProxyToken is a separate authentication bypass in the Exchange front end. A facet analysis on Shodan reveals 35,943 servers remain vulnerable to ProxyShell; because the analysis was non-intrusive, that count reflects what exposed service banners report rather than confirmed exploitability. The United States alone has more than 10,500 Exchange Servers vulnerable to ProxyShell, researchers note.
There are also the ProxyLogon flaws (CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065), the subject of a March 2 advisory from Microsoft, which said at the time that multiple zero-day exploits were being used by a group called Hafnium to target on-premises versions of Microsoft Exchange Server. Roughly six months later, Shodan telemetry shows roughly 13,000 publicly accessible Exchange Servers are still vulnerable to ProxyLogon.
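Given how many Exchange Servers are still exposed, a defender's first question is whether anyone has already tried ProxyShell against theirs. The public ProxyShell chain abuses the Autodiscover front end with a request to /autodiscover/autodiscover.json whose query string begins with an @ and names a back-end path such as /mapi/nspi or /powershell, which shows up directly in IIS W3C logs. The following is an added example, not code from the report or from Trustwave, that hunts for that request shape; the log lines are constructed, the field order is assumed to match the #Fields header shown, and a legitimate Autodiscover V2 request (whose Email parameter also contains an @) is included to show it is not flagged.

```python
"""Hunt IIS W3C logs for the public ProxyShell (CVE-2021-34473) request pattern.

Added example with constructed sample data; not the report's own tooling.
"""
from typing import Dict, Iterator, List

AUTODISCOVER_JSON = "/autodiscover/autodiscover.json"
# Back-end paths the public chain reaches through the confused Autodiscover front end.
SUSPECT_BACKENDS = ("/powershell", "/mapi/nspi")

# Constructed sample log (assumed field layout, given by the #Fields header).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-08-20 10:01:02 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa%2f 443 - 198.51.100.7 Mozilla/5.0 200
2021-08-20 10:01:09 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 198.51.100.7 python-requests/2.26 200
2021-08-20 10:01:11 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=dummytoken 443 - 198.51.100.7 python-requests/2.26 200
2021-08-20 10:02:30 10.0.0.5 GET /autodiscover/autodiscover.json Email=jdoe@example.test&Protocol=ActiveSync 443 - 10.0.0.22 Microsoft+Office/16.0 200
2021-08-20 10:02:31 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 - 10.0.0.22 Microsoft+Office/16.0 200
"""


def parse_iis_w3c(lines) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header can repeat when IIS rolls the log
            continue
        if line.startswith("#"):
            continue
        if not fields:
            raise ValueError("request line seen before a #Fields header")
        parts = line.split(" ")  # IIS encodes spaces inside values as '+'
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-map columns
        yield dict(zip(fields, parts))


def is_proxyshell_pattern(rec: Dict[str, str]) -> bool:
    """True when a request looks like the public Autodiscover path-confusion probe."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    if stem != AUTODISCOVER_JSON or query == "-":  # IIS logs '-' for no query
        return False
    if query.startswith("@"):  # /autodiscover/autodiscover.json?@host/<backend>...
        return True
    if "autodiscover.json%3f@" in query or "autodiscover.json?@" in query:
        return True  # Email=autodiscover/autodiscover.json?@host, the chain's second half
    # A plain Email=user@domain query is normal Autodiscover V2 traffic and is not flagged.
    return any(backend in query for backend in SUSPECT_BACKENDS)


def find_proxyshell_requests(lines) -> List[Dict[str, str]]:
    """Return every parsed request record that matches the ProxyShell pattern."""
    return [rec for rec in parse_iis_w3c(lines) if is_proxyshell_pattern(rec)]


if __name__ == "__main__":
    for hit in find_proxyshell_requests(SAMPLE_IIS_LOG.splitlines()):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-method"],
              hit["cs-uri-stem"] + "?" + hit["cs-uri-query"], hit["sc-status"])
```

A hit proves an attempt, not a compromise; on a server patched before the request arrived the same line is harmless, so pair the result with the server's installed Security Update before escalating.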
Researchers also put the spotlight on the VMware vCenter vulnerabilities CVE-2021-21985 and CVE-2021-21986, which organizations appear to have prioritized for patching. The percentage of vulnerable hosts fell from 80.88% in May 2021 to 48.95% in August, a sign that patching is ongoing. Similarly, the QNAP NAS command injection vulnerability CVE-2021-28800 is being patched, albeit slowly: the percentage of vulnerable hosts has decreased by about 1% every week.
Read the report for a full list of high-severity flaws highlighted.
Why Organizations Don't Patch Quickly
Sigler says he isn't surprised by the finding that 50% of servers have a weak security posture. Patching is tough, he notes, especially in increasingly complex environments where assets can easily be missed. Organizations often lack a proper enumeration of their network resources and assets, and there is no ongoing vulnerability testing of those assets.
To illustrate, he explains that many businesses for which Trustwave does network scanning first hand over a fixed list of the IP addresses they think they own. When the team does a proper enumeration and inventory, "we find maybe double the amount of assets they thought they had," Sigler says. Those unlisted assets are where patches go missing as well.
"They're not overlooking vulnerabilities; they're not knowing about the situation and letting it go untended — they generally don't know about the situation at all," he adds.
Server sprawl is a big part of how systems are missed, as are virtual systems. Sometimes people spin up small instances in a virtual environment for testing and neglect to take them down, he points out. All these various pieces create "holes in the net" where things will inevitably fall through.
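The gap Sigler describes, between the address list a customer hands over and what discovery actually finds, is easy to measure once both sides are in machine-readable form. The following is an added example, not Trustwave's tooling, that reconciles a declared inventory (single hosts and CIDR ranges) against the hosts that answered a sweep: it reports discovered hosts that fall in no declared range (the "holes in the net"), explicitly declared hosts that never answered, and which of the unknown hosts expose remote-access ports of the kind the report warns about. Both data sets are constructed; the port list treated as remote access is an assumption for illustration.

```python
"""Reconcile a declared asset inventory against discovery results.

Added example with constructed data; not the report's own tooling.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed: what the customer believes it owns (single hosts and ranges).
DECLARED_INVENTORY = [
    "203.0.113.10",
    "203.0.113.11",
    "203.0.113.13",        # declared, but will turn out to be silent
    "203.0.113.32/28",     # 203.0.113.32 - 203.0.113.47
]

# Constructed: hosts that answered the sweep, mapped to the open ports seen.
DISCOVERED_HOSTS: Dict[str, List[int]] = {
    "203.0.113.10": [443],
    "203.0.113.11": [25, 443],
    "203.0.113.12": [443],          # not declared
    "203.0.113.33": [22],           # inside the declared /28
    "203.0.113.40": [3389],         # inside the declared /28
    "203.0.113.90": [3389, 443],    # not declared, and exposes RDP
    "2001:db8::10": [443],          # IPv6 host missing from an IPv4-only inventory
}

# Assumed for illustration: ports whose exposure on an unknown host deserves priority.
REMOTE_ACCESS_PORTS = {22, 23, 3389, 5900}


def parse_inventory(entries: Iterable[str]):
    """Turn inventory strings into ip_network objects; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def reconcile(declared_entries: Iterable[str], discovered: Dict[str, List[int]]) -> dict:
    """Compare declared ranges with discovered hosts and summarise the mismatch."""
    declared = parse_inventory(declared_entries)

    # Discovered hosts that fall inside no declared range (ip_network membership
    # is False across IP versions, so IPv6 hosts never match IPv4 ranges).
    unknown: Dict[str, List[int]] = {}
    for host, ports in discovered.items():
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in declared):
            unknown[host] = sorted(ports)

    # Explicitly declared single hosts that did not answer. Ranges are skipped:
    # an unanswered address inside a /28 is expected, not a finding.
    seen = {ipaddress.ip_address(h) for h in discovered}
    silent = sorted(
        str(net.network_address) for net in declared
        if net.num_addresses == 1 and net.network_address not in seen
    )

    unknown_remote_access = sorted(
        host for host, ports in unknown.items() if REMOTE_ACCESS_PORTS & set(ports)
    )
    return {
        "declared_entries": len(declared),
        "discovered_hosts": len(discovered),
        "unknown": unknown,
        "silent": silent,
        "unknown_remote_access": unknown_remote_access,
    }


if __name__ == "__main__":
    report = reconcile(DECLARED_INVENTORY, DISCOVERED_HOSTS)
    print(f"declared entries: {report['declared_entries']}, "
          f"discovered hosts: {report['discovered_hosts']}")
    for host, ports in report["unknown"].items():
        print(f"  not in inventory: {host} open={ports}")
    for host in report["silent"]:
        print(f"  declared but silent: {host}")
    for host in report["unknown_remote_access"]:
        print(f"  PRIORITY unknown host with remote access exposed: {host}")
```

Feed the discovered side from whatever sweep you already run; the point is that anything in the unknown list is, by construction, outside every patching process the organization thinks it has.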
These factors help explain why some systems, like VMware vCenter, are patched more consistently while others, such as Microsoft Exchange Server, still have thousands of instances vulnerable to high-severity flaws. Another reason, he speculates, is that some systems, such as the VMware installations, are relatively new. Even though VMware has been around for a while, a lot of firms are only now spinning up their own cloud services for the flexibility they provide.
Many admins of these systems are people working with newer installations, and they're keeping a closer eye on when they need to be patched. The same organization might have a Microsoft Exchange Server that has been around for 10 years and is more likely overlooked.
"I think that really plays into it — the attention organizations are giving these services," Sigler says. "The Exchange mail server is a sort of 'set it and forget it,' and it's getting forgotten. But cloud services and virtual services get a lot more attention internally." This isn't just because they need more attention, he notes, but because there's a greater focus on them now.
Researchers also noticed a high number of systems running end-of-life and end-of-general-support software on the Internet. This means no automatic patches, and possibly no patches at all, are available for them. Often they indicate that organizations set them up and forgot about them, either because staff were let go or for other reasons. Many of these systems remain exposed to new and old vulnerabilities alike, likely making them "the lowest hanging fruit in this report," Sigler says.