Do you really need to fix that critical flaw?

Organizations needn’t rush to patch ‘critical’ security flaws listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, according to a report from Ox Security.
After examining more than 200 separate environments, it concluded that a ‘patch everything’ approach may be wasting valuable security resources. This, researchers said, is because in a cloud container environment many of these flaws present no real-world exploitation risk at all.
Established in 2021, CISA’s KEV catalog has become an important resource for defenders – but shouldn’t be treated as a hard-and-fast to-do list, said Ox Security.
“While KEV is an excellent tool for focusing attention, it encompasses attacks across diverse platforms – from personal phones and webcams to cloud containers – without differentiating their contextual relevance,” the researchers said.
“Treating all KEV vulnerabilities with equal urgency, as is sometimes demanded by compliance regulations, and regardless of environmental context, creates unnecessary workload for already overwhelmed security teams and diverts resources from genuinely critical issues.”
Of 10 recent CVEs the firm examined, six were originally reported on Android and require Android-specific environments to reproduce, physical access for USB connections, or terminal access.
While two do apply to most operating systems built on the Linux kernel, successfully exploiting them would mean chaining them with additional vulnerabilities.
Another CVE was initially reported in Apple’s Safari browser, where cookie-management logic was flawed – an issue that doesn’t apply to cloud containerized environments.
Similarly, three were initially reported in libraries used by the Google Chrome browser – irrelevant for cloud containers, as most don’t use these libraries for content processing and rendering.
The firm advises organizations to take a pragmatic approach, evaluating the context before rushing to patch a vulnerability.
Before treating a KEV alert as critical, security teams should look at the original context in which the CVE was reported and check it against their own environment, it recommended.
They should search for proofs-of-concept and examples of the vulnerability having been exploited – if there aren’t any, the chances are low that an attacker would develop the exploit themselves.
Additionally, researchers said they should assess whether the vulnerability could allow access to sensitive information, in which case it should be prioritized.
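The three checks recommended above (original platform context, public exploit evidence, and access to sensitive data) can be mechanised as a first-pass filter over the KEV feed. The script below is an added example, not code from the article or from Ox Security: the KEV entries, the per-CVE enrichment fields (`public_poc`, `info_disclosure`, `needs_chain`), the workload inventory and the scoring thresholds are all constructed assumptions for illustration, and the CVE identifiers are placeholders. Only the entry field names (`cveID`, `vendorProject`, `product`, `shortDescription`) and the top-level `vulnerabilities` key follow the layout of CISA's public KEV JSON feed.

```python
"""Contextual triage of KEV entries against a container workload inventory.

Added example (not from the article or from Ox Security). It encodes the
report's three recommended checks over constructed data: does the CVE's
original platform context apply to the workload, is there public exploit
evidence, and could the flaw expose sensitive data the workload handles.
"""
import json
from dataclasses import dataclass

# Constructed KEV-style entries. CVE IDs are placeholders, not real CVEs.
KEV_SAMPLE = [
    {"cveID": "CVE-0000-0001", "vendorProject": "Google", "product": "Android",
     "shortDescription": "Privilege escalation in an Android device driver."},
    {"cveID": "CVE-0000-0002", "vendorProject": "Linux", "product": "Kernel",
     "shortDescription": "Local privilege escalation in the Linux kernel."},
    {"cveID": "CVE-0000-0003", "vendorProject": "Apple", "product": "Safari",
     "shortDescription": "Cookie management flaw in the browser."},
    {"cveID": "CVE-0000-0004", "vendorProject": "Example", "product": "libfoo",
     "shortDescription": "Out-of-bounds read disclosing memory contents."},
]

# Constructed analyst enrichment per CVE (assumed field names).
ENRICHMENT = {
    "CVE-0000-0001": {"public_poc": True,  "info_disclosure": False, "needs_chain": False},
    "CVE-0000-0002": {"public_poc": True,  "info_disclosure": False, "needs_chain": True},
    "CVE-0000-0003": {"public_poc": True,  "info_disclosure": True,  "needs_chain": False},
    "CVE-0000-0004": {"public_poc": False, "info_disclosure": True,  "needs_chain": False},
}

# Platform-level products that reach a given workload type even when not
# installed as a package: a Linux container shares the host kernel.
PLATFORM_OF = {"linux-container": {"kernel"}}


@dataclass
class Workload:
    name: str
    platform: str          # e.g. "linux-container"
    packages: set          # installed components, lowercased names
    sensitive_data: bool   # handles regulated, personal or secret data


# Constructed workload: an API service running in a Linux container.
WORKLOAD = Workload("api-container", "linux-container", {"libfoo", "openssl"}, True)


def load_kev(path):
    """Read entries from a downloaded CISA KEV JSON file (top-level key 'vulnerabilities')."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)["vulnerabilities"]


def applies_to(entry, workload):
    """Check 1: does the CVE's original product context exist in this workload?"""
    product = entry["product"].lower()
    if product in workload.packages:
        return True
    return product in PLATFORM_OF.get(workload.platform, set())


def triage(entry, enrichment, workload):
    """Return (priority, reasons) for one KEV entry against one workload."""
    reasons = []
    if not applies_to(entry, workload):
        reasons.append(f"{entry['product']} not present in {workload.name}")
        return "not-applicable", reasons
    score = 1  # applicable: baseline urgency
    if enrichment["public_poc"]:          # check 2: exploit evidence
        score += 1
        reasons.append("public exploit or PoC available")
    else:
        reasons.append("no public PoC found")
    if enrichment["needs_chain"]:         # chaining lowers standalone risk
        score -= 1
        reasons.append("requires chaining with another vulnerability")
    if enrichment["info_disclosure"] and workload.sensitive_data:  # check 3
        score += 1
        reasons.append("could expose sensitive data handled by the workload")
    level = "low" if score <= 0 else {1: "medium", 2: "high"}.get(score, "critical")
    return level, reasons


def triage_all(entries, enrichment, workload):
    """Map each CVE ID to its (priority, reasons) for the given workload."""
    return {e["cveID"]: triage(e, enrichment[e["cveID"]], workload) for e in entries}


if __name__ == "__main__":
    for cve, (level, why) in triage_all(KEV_SAMPLE, ENRICHMENT, WORKLOAD).items():
        print(f"{cve}: {level:15} {'; '.join(why)}")
```

With the constructed data, the Android and Safari entries come out as not applicable to the container, the kernel flaw drops to medium because it needs chaining, and the library bug with no public PoC is still raised to high because it could leak data from a workload that handles sensitive information. Swap `KEV_SAMPLE` for `load_kev("known_exploited_vulnerabilities.json")` and replace the enrichment dictionary with the results of the PoC and exposure checks to run it over the live feed.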
“This additional contextual information would enable security teams to implement a more precise and efficient workflow when handling critical vulnerabilities in their environments, reducing alert fatigue and focusing resources where they matter most,” said the firm.
The report also calls for a bit more help from CISA and vulnerability monitoring organizations, which should, it said, include contextual information to help security teams quickly assess the relevance of each vulnerability to their specific environments.