Identifying, classifying, prioritizing, mitigating, and patching vulnerabilities is crucial to any security and IT operations (SecOps) practice. Learn more about vulnerability exploitation trends and indicators on the SOCRadar platform.
Fortinet recently announced that a critical authentication bypass vulnerability (CVE-2022-40684) was actively exploited in the wild. It affects FortiNAC, FortiOS, and FortiProxy.
What is CVE?
CVE is a publicly accessible dictionary of software vulnerabilities that helps businesses detect and mitigate application risks. Fortinet explains that the goal of CVE is to provide an identifier for each vulnerability, a point of reference for locating and discussing it, and a method for tracking, ranking, and addressing security concerns.
The non-profit MITRE, which operates federally sponsored research and development facilities serving U.S. government agencies, including the Department of Homeland Security, maintains the CVE database. Various sponsors support the program, including many cybersecurity vendors and industry organizations.
A CVE identifier is a unique number that a vendor, researcher, or other entity can reserve to mark a specific vulnerability. Each entry includes information such as the affected products and product versions, the exposure type, the root cause, and at least one public reference to additional details about the vulnerability.
Each CVE entry also lists a CVSS score, which helps prioritize vulnerabilities when planning a company’s vulnerability management program. This rating is based on a vulnerability’s impact, exploitability, and availability. The resulting score is intended to provide a common language for vulnerability classification, enabling enterprises and security researchers to compare the risks of various vulnerabilities quickly. This approach has proven to be a valuable tool in helping organizations identify and prioritize vulnerabilities more effectively and implement preventative measures to thwart attacks.
What is exposure?
A vulnerability’s exposure is the likelihood that threat actors will exploit it. The more exposure a vulnerability has, the more serious it is, and it should be addressed immediately.
Threat actors can exploit vulnerabilities in any software or system and will often take advantage of them to gain unauthorized access to corporate networks, spread malware, and steal sensitive data. For example, attackers used the flaw CVE-2022-41328 to tamper with the firmware on Fortinet firewall devices. Mandiant reported that threat groups attributed to a Chinese APT attacked Fortinet products and exploited this vulnerability to download and write files and install persistent backdoors on FortiGate firewalls and on log management and analytics solutions, including FortiAnalyzer and FortiManager.
Fortinet has patched many of the CVEs affecting its products and continues to release such patches regularly. However, these updates are often released only after attackers have discovered the flaws and begun actively exploiting them in the wild.
A CVE’s severity is determined by its impact on organizations, such as whether it allows direct access to systems and networks or creates a path for spreading malware. For example, an authentication bypass vulnerability such as CVE-2022-40684 is considered critical by MITRE and has been exploited multiple times in the wild. It has also been found in exploit kits for sale on dark web forums and in tools sold by cybercriminals to their victims.
What is the goal of CVE?
CVE aims to reduce the threat of cyber attacks by providing a shared catalog of software and firmware vulnerabilities. It helps security professionals quickly and accurately identify and prioritize mitigation efforts. It also gives them a standard approach for sharing vulnerability information with colleagues and customers.
A vulnerability is given a CVE ID that uniquely identifies it across different information sources. Each CVE ID has the format “CVE-YYYY-NNNN,” where CVE is a fixed prefix, YYYY is the year it was assigned, and NNNN is a numeric value between 1 and 4.
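As an added illustration (not code from the article, SOCRadar, or Fortinet) of the CVE ID format described above and of the CVSS-plus-exposure prioritization discussed earlier: the parser follows the official CVE syntax, in which the sequence number has four or more digits (the article's own examples, such as CVE-2022-40684, have five), and the ranking places known-exploited entries first, then orders by CVSS. The sample inventory, its scores (other than the 9.8 the article cites for CVE-2022-42475), and the fictitious CVE-2099-0001 are constructed.

```python
import re
from dataclasses import dataclass

# Official CVE ID syntax: "CVE" prefix, four-digit year, sequence number of four
# or more digits (the page's own examples, e.g. CVE-2022-40684, use five).
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")
SEVERITY_BANDS = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.1, "low"))

def parse_cve_id(cve_id):
    """Return (year, sequence) for a well-formed CVE ID; raise ValueError otherwise."""
    match = CVE_ID_RE.match(cve_id.strip().upper())
    if not match:
        raise ValueError(f"not a CVE ID: {cve_id!r}")
    return int(match.group(1)), int(match.group(2))

def is_valid_cve_id(cve_id):
    try:
        parse_cve_id(cve_id)
        return True
    except ValueError:
        return False

def severity_band(cvss):
    """Map a CVSS v3 base score to its qualitative severity band."""
    return next((name for floor, name in SEVERITY_BANDS if cvss >= floor), "none")

@dataclass
class CveEntry:
    cve_id: str
    cvss: float              # CVSS base score, 0.0 to 10.0
    exploited_in_wild: bool  # "exposure": known active exploitation

def prioritize(entries):
    """Known-exploited first, then higher CVSS, then older IDs; rejects malformed IDs."""
    return sorted(entries, key=lambda e: (not e.exploited_in_wild, -e.cvss, parse_cve_id(e.cve_id)))

# Constructed sample inventory. Scores are illustrative placeholders except the
# 9.8 for CVE-2022-42475, which the text quotes. CVE-2099-0001 is fictitious.
SAMPLE_ENTRIES = [
    CveEntry("CVE-2099-0001", 5.3, False),
    CveEntry("CVE-2022-41328", 6.5, True),
    CveEntry("CVE-2022-42475", 9.8, True),
    CveEntry("CVE-2022-40684", 9.8, True),
]

def prioritized_ids(entries=SAMPLE_ENTRIES):
    """Ranked CVE IDs, e.g. for a patching worklist."""
    return [entry.cve_id for entry in prioritize(entries)]
```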
In addition to providing standardized identifiers for vulnerabilities, CVE helps raise awareness about cybersecurity risks by publishing them in a public repository. By making known vulnerabilities accessible to the cybersecurity community, CVE is helping reduce the likelihood of large-scale cyber attacks that could affect most organizations.
Vulnerabilities that aren’t patched can be exploited by attackers to gain access to systems and steal sensitive data, including credentials and personal information, which can then be sold on the dark web for monetary rewards. For example, attackers have been leveraging CVE-2022-42475, an authentication bypass vulnerability in Fortinet SSL VPNs, to steal information from users’ devices. Fortinet has addressed the issue with a fix in FortiOS, the OS/firmware that powers FortiGate firewalls and other devices.
What is the impact of CVE?
CVE is an essential cybersecurity tool that provides transparency into the software vulnerabilities that attackers are targeting. Combined with industry-standard metrics like CVSS, CVE provides businesses with the information they need to improve their vulnerability management processes.
As cybercriminals constantly look for flaws, organizations must practice sound vulnerability management. Organizations can stave off potentially devastating attacks by regularly identifying, classifying, prioritizing, and mitigating vulnerabilities. Vulnerabilities are the starting point for most cyberattacks and can lead to breaches that compromise critical data, customer credentials, and business operations.
While some may be concerned that publicly disclosing vulnerabilities can make them easier to exploit, it is widely accepted that the benefits of sharing information on vulnerable systems outweigh the risks. For example, Fortinet recently disclosed CVE-2022-42475 (CVSS score of 9.8), a vulnerability that had previously been exploited by threat actors and that Mandiant linked to a Chinese APT group.
The CVE Program is a global, not-for-profit organization operated by the MITRE Corporation and sponsored by the U.S. Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency. The program is governed by a Board of Directors, including Tod Beardsley of Rapid7. Fortinet Product Security Incident Response Team (PSIRT) members are a crucial part of the program and help to manage the receipt, investigation, and public reporting of vulnerability issues.