Vulnerabilities tied to open source components have been increasing over the past few years, and especially in the last few months. Whether it's Log4j, PwnKit, Snap, WordFence, or many others, chances are you've seen or heard of these vulnerabilities and the risks associated with them. This blog dives into the scale of this issue and the steps you can take to remediate it.
First, let's talk about scale. The vast majority of software development teams (roughly 90%) use third-party software libraries in their development process, and a Veracode study last year found that almost all of those libraries contain at least one vulnerability. Not every library is open source, but many are, and an open source component is reused across far more products than any single proprietary library, so one flaw is copied into many systems. It's therefore no surprise that vulnerabilities are being distributed at scale through open source components.
CISA maintains a catalog of vulnerabilities known to be exploited in the wild (the Known Exploited Vulnerabilities catalog), a key resource for deciding where to focus in order to reduce your attack surface. Currently 22% of the entries in that catalog are in open source software, and the share is rising: Viakoo estimates that just 4 months ago it was 15%.
Another aspect of scale is the physical devices and the software they run. Devices built on closed-source systems (Apple iOS, for example) might be viewed as much safer from a cyber security perspective, yet they are a small fraction of the devices out there. IoT devices (including OT, ICS, and SCADA devices) represent over 60% of all devices (over 10 billion IoT devices), and most of them rely on open source components: 72% of IoT devices run Linux, for example, and the remaining 28% often use open source code within their real-time operating system (RTOS) or device firmware.
Severity is another area of concern alongside scale. As shown in the chart below, within the widely used Apache HTTP Server (open source software used by 25% of the busiest websites in the world), vulnerabilities have increased in both number and severity. From 2012 to 2016, only 11% of its vulnerabilities were classified as "important" (and none as critical or high severity). From 2017 to 2021, 30% were classified as important, high, or critical.
So there is a clear trend: attackers have decided that the low-hanging fruit is not a vulnerability confined to one system but one that reaches many systems at once. Here's why. In a proprietary environment, remediating a high severity vulnerability typically requires one patch from a single vendor. That vendor controls when the patch is available, and it almost always has a patching mechanism of some form, so the end user has one console to deal with and one system to learn. Increasingly, the vendor can even push firmware directly to the device. The result is a shorter time to resolve the issue and a far more manageable process for reducing the risk of that vulnerability being exploited against you.
Open source is quite different, and both the scale of the risk and the time to remediate are much greater. An open source vulnerability is present in many devices from many vendors, so it requires many patches, and you don't know in advance whether every vendor will provide one. With many IoT devices, another barrier to remediation is that the service life of the device is longer than the life of the vendor that supplied it. Think about the recent Log4j vulnerability: hundreds of vendors have had to create, test, and distribute patches for thousands of devices, and some are still working on it.
Coming back to the title of this blog: when you see a "wave" of open source vulnerabilities in the press, you should be prepared for a tsunami of remediation. For many of the devices we're talking about, mitigation (such as port blocking or other network access control) is not an effective substitute for patching, especially for IoT devices that are mission-critical to the organizations running them.
Here are three practical steps to prepare for the tsunami of remediation:
- Know your device inventory: NIST, CIS, and other security frameworks all start with a detailed asset inventory, because you cannot remediate what you cannot see. Viakoo partners with leading discovery solutions and provides application-directed discovery to ensure all vulnerable devices are visible.
- Prioritize: every cyber security team is under-resourced, so focusing on the vulnerabilities most likely to be exploited keeps the process manageable. CISA's catalog of known exploited vulnerabilities is a great starting point, as are the severity (CVSS) scores for each vulnerability.
- Remediate at scale: time to remediation is critical to reducing risk to the organization. Automation is essential, since IoT devices can be spread far and wide, making manual methods ineffective (think about the IP cameras hanging outside a building). Use a solution that can span multiple networks and geographies: to reduce risk you need to think globally and act locally. And to meet internal and external compliance requirements, make sure your remediation solution also provides detailed reports on the actions taken.
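The three steps above (inventory, prioritize, remediate) can be wired together in a few dozen lines. The script below is an added example and is not Viakoo's code: it takes a device inventory, checks each finding against a local copy of CISA's catalog, and emits the remediation order plus the list of vendors that each have to ship a fix for the same open source bug. The KEV field names (cveID, vendorProject, product, dateAdded, dueDate) follow CISA's public known_exploited_vulnerabilities.json feed; the inventory schema, the device records, the vendor names and the CVE-2099-* IDs are constructed for this example, and the catalog dates are illustrative rather than copied from the live feed.

```python
"""Prioritise an IoT device inventory's findings by CISA KEV membership, then CVSS.

Added example, not Viakoo's code. KEV field names follow CISA's public
known_exploited_vulnerabilities.json feed; the inventory schema, device records
and CVE-2099-* IDs are constructed, and the KEV dates shown are illustrative.
"""
import json
from collections import defaultdict
from typing import Dict, List

# Constructed subset of the KEV feed. The two real CVE IDs are the ones the post
# names (Log4j / Log4Shell, PwnKit); in production, download the live feed instead.
KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2",
     "vulnerabilityName": "Apache Log4j2 Remote Code Execution Vulnerability",
     "dateAdded": "2021-12-10", "dueDate": "2021-12-24"},
    {"cveID": "CVE-2021-4034", "vendorProject": "Polkit", "product": "pkexec",
     "vulnerabilityName": "Polkit pkexec Local Privilege Escalation Vulnerability",
     "dateAdded": "2022-06-27", "dueDate": "2022-07-18"}
  ]
}
"""

# Constructed asset inventory: what a discovery tool would hand you, one record per
# device with the CVEs its firmware/components are known to carry and their CVSS.
INVENTORY = [
    {"device": "cam-lobby-01", "vendor": "CameraCo", "firmware": "4.2.1",
     "findings": [{"cve": "CVE-2021-44228", "cvss": 10.0},
                  {"cve": "CVE-2099-0002", "cvss": 5.3}]},
    {"device": "nvr-hq-01", "vendor": "RecorderInc", "firmware": "2.0.9",
     "findings": [{"cve": "CVE-2021-44228", "cvss": 10.0},
                  {"cve": "CVE-2021-4034", "cvss": 7.8}]},
    {"device": "badge-reader-07", "vendor": "AccessLtd", "firmware": "1.1.0",
     "findings": [{"cve": "CVE-2099-0001", "cvss": 9.1}]},
]


def load_kev(kev_json: str) -> Dict[str, dict]:
    """Index the KEV feed by CVE ID so membership checks are O(1)."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritize(inventory: List[dict], kev: Dict[str, dict]) -> List[dict]:
    """Flatten to one row per (CVE, device) and sort into remediation order:
    KEV entries first (earliest CISA due date first), then by CVSS descending."""
    rows = []
    for dev in inventory:
        for f in dev["findings"]:
            entry = kev.get(f["cve"])
            rows.append({
                "cve": f["cve"], "device": dev["device"], "vendor": dev["vendor"],
                "cvss": f["cvss"], "in_kev": entry is not None,
                "due": entry["dueDate"] if entry else None,
            })
    # Sort key: non-KEV rows sink to the bottom; among KEV rows the ISO date
    # string orders chronologically; ties break on CVSS (high first), then device.
    rows.sort(key=lambda r: (not r["in_kev"], r["due"] or "9999-12-31",
                             -r["cvss"], r["device"]))
    return rows


def patches_required(inventory: List[dict], kev: Dict[str, dict]) -> Dict[str, List[str]]:
    """For each exploited CVE, list the device vendors that must each ship a fix.
    This is the 'one open source bug, many vendor patches' problem from the post."""
    vendors = defaultdict(set)
    for dev in inventory:
        for f in dev["findings"]:
            if f["cve"] in kev:
                vendors[f["cve"]].add(dev["vendor"])
    return {cve: sorted(vs) for cve, vs in vendors.items()}


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for r in prioritize(INVENTORY, kev):
        flag = f"KEV, due {r['due']}" if r["in_kev"] else "not in KEV"
        print(f"{r['cve']:<16} {r['device']:<16} CVSS {r['cvss']:>4}  {flag}")
    for cve, vs in patches_required(INVENTORY, kev).items():
        print(f"{cve}: patches needed from {len(vs)} vendor(s): {', '.join(vs)}")
```

Ordering by KEV membership before CVSS is deliberate: a 7.8 that is being exploited in the wild outranks a 9.1 that is not, which is exactly the prioritization the CISA catalog exists to support. The per-vendor view is the part that matters for IoT: a single Log4j finding here already means waiting on two different device vendors.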
Open source vulnerabilities, especially in IoT systems, are one of the most difficult and troubling trends in the overall cyber threat landscape. The good news is that automated discovery and remediation solutions make remediation at that scale achievable, and the available tools and guidance (such as the CISA catalog) sharpen the focus on exactly what to remediate first. As a company that lives and breathes IoT vulnerability remediation, we'd love to continue this dialogue with you directly: sign up for a personalized demo and together we can reduce the threat that open source vulnerabilities pose to your organization.
Want to go into more detail? Check out our recent webinar on open source cyber vulnerabilities: https://www.viakoo.com/webinars-on-demand/