Top Scanners Fail to Flag DHS CISA-warned Known Exploited Vulnerabilities (KEV)

Updated on March 01, 2023

Did you know 58 actively exploited vulnerabilities in the CISA KEV catalog are not being detected by popular scanners?

Security teams rely on vulnerability scanners to scan their network, systems, and assets for vulnerabilities. When the same scanners fail to detect critical vulnerabilities, organizations are exposed to risks and threats that could have been prevented.

On November 3, 2021, the Department of Homeland Security's CISA published a directive to reduce the significant risk posed by exploited vulnerabilities. Since then, CISA has maintained a catalog of known exploited vulnerabilities that is updated several times a week. Because previously exploited vulnerabilities are a common attack vector for malicious cyber actors, CISA treats these vulnerabilities as the most serious threats and requires that they be promptly remediated.

We looked into the catalog and found that 58 actively known exploited CVEs were missed by top scanners such as Nessus, Nexpose, and Qualys.

  • CISA Known Exploited Vulnerabilities: 892
  • Known Exploited Vulnerabilities Undetected by Scanners: 58
  • RCE/PE: 8
  • Trending CVEs: 27
  • Ransomware Association: 4
  • APT Groups: 2

On a positive note, we see many vulnerabilities having received their plugins with more recent updates. This is a step in the right direction and we look forward to scanners releasing plugins for the rest of the vulnerabilities as well.

Vulnerabilities Missed by Scanners

We examined the vulnerabilities missed by top scanners and found that organizations that depend on these scanners to have their back are at a huge disadvantage.

Figure: Vulnerabilities missed by scanners

  • From a total of 892 KEVs, 329 CVEs were missed by Nexpose, 115 CVEs by Nessus, and 95 by Qualys.
  • 58 vulnerabilities are being missed by all three scanners – a worrying aspect for organizations.
    • Eight of these vulnerabilities are RCE/PE bugs
    • Four of these vulnerabilities are tied to five ransomware strains.
    • Two of them are being used by APT Groups.
  • Severity scores of these vulnerabilities revealed that –
    • 27 are rated critical
    • 17 are rated high
    • 6 are rated medium
    • 2 CVEs are rated low severity
    • 6 CVEs do not have a severity rating
  • 52 of the vulnerabilities get a high rating in our Threat Intelligence Platform, indicating a higher probability of exploitation based on the intense interest in hacker channels.

The fact that scanners are not detecting these vulnerabilities should be a cause for concern for organizations and their security teams, who need to rethink their scanning strategy.
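To make the gap analysis above concrete, here is an added example (not CSW's tooling) that diffs a KEV catalog excerpt against each scanner's plugin coverage, isolates the CVEs that no scanner has a check for, and tallies them by vendor and by age. The field names follow CISA's published JSON feed, but the entries and the per-scanner coverage sets are constructed sample data.

```python
import json
from collections import Counter

# Constructed excerpt shaped like CISA's known_exploited_vulnerabilities.json feed
# (cveID / vendorProject / product are the feed's field names; the entries are sample data).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2012-1001", "vendorProject": "VendorA", "product": "Router"},
    {"cveID": "CVE-2017-1002", "vendorProject": "VendorA", "product": "Camera"},
    {"cveID": "CVE-2019-1003", "vendorProject": "VendorB", "product": "Firewall"},
    {"cveID": "CVE-2021-1004", "vendorProject": "VendorC", "product": "VPN"},
    {"cveID": "CVE-2022-1005", "vendorProject": "VendorB", "product": "Firewall"},
    {"cveID": "CVE-2022-1006", "vendorProject": "VendorA", "product": "NAS"},
]})
# Constructed coverage: CVE IDs each scanner has a detection plugin for (in practice
# taken from the vendor's plugin/QID export, not from scan results).
COVERAGE = {
    "Nessus": {"CVE-2012-1001", "CVE-2019-1003", "CVE-2021-1004", "CVE-2022-1005"},
    "Nexpose": {"CVE-2021-1004", "CVE-2022-1005"},
    "Qualys": {"CVE-2012-1001", "CVE-2021-1004", "CVE-2022-1005"},
}

def load_kev(raw):
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def missed_per_scanner(kev, coverage):
    """KEVs a scanner has no plugin for: each is a guaranteed false negative."""
    return {name: sorted(set(kev) - covered) for name, covered in coverage.items()}

def missed_by_all(kev, coverage):
    """KEVs no scanner can detect: the shared blind spot."""
    blind = set(kev)
    for covered in coverage.values():
        blind -= covered
    return sorted(blind)

def tally(kev, cve_ids, field):
    """Count blind-spot CVEs by a feed field such as vendorProject."""
    return Counter(kev[c][field] for c in cve_ids)

def older_than(cve_ids, year):
    """CVEs whose ID year predates `year`: long-public bugs still undetected."""
    return [c for c in cve_ids if int(c.split("-")[1]) < year]

KEV = load_kev(KEV_JSON)

if __name__ == "__main__":
    blind = missed_by_all(KEV, COVERAGE)
    for name, missed in missed_per_scanner(KEV, COVERAGE).items():
        print(f"{name}: {len(missed)} of {len(KEV)} KEVs without a plugin")
    print("missed by every scanner:", blind, dict(tally(KEV, blind, "vendorProject")))
    print("of those, pre-2020:", older_than(blind, 2020))
```

Feeding the real catalog and a real plugin export into the same functions turns the scanner comparison in this post into a repeatable check you can run after every KEV update.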

DHS CISA KEVs Scanner Analysis

  • Nexpose: 329 KEVs missed
  • Nessus: 115 KEVs missed
  • Qualys: 95 KEVs missed

Trending in Google

According to Google search interest, 27 CVEs (out of the 58 KEVs missed by scanners) have been trending in the past 30 days. We also spotted hackers briefly discussing the release of exploits for some of these CVEs on the Metasploit forum.

Hackers' keen interest in publishing exploits, malware targets, and attack types generates a lot of Google searches.

This also makes these 58 vulnerabilities dangerous for organizations that are unaware of their exposure.

Old Vulnerabilities

25 of the vulnerabilities that the scanners are not detecting are old weaknesses discovered between 2007 and 2019.

Vulnerability scanners are designed to uncover vulnerabilities in a target by comparing it against a database of known vulnerabilities. Despite multiple CISA warnings, these popular scanners still ship with outdated databases, exposing critical assets.

The question, then, is this: if all these DHS CISA-warned KEVs are known, old vulnerabilities, why do the scanners still skip them?

These false-negative scanner outcomes, combined with the long disclosure timeline of the vulnerabilities, give threat actors an easy advantage: they can find exploits, which eventually leads to ransomware attacks against organizations.

Common Weaknesses Enumeration Analysis

Upon analyzing the code weaknesses, we found that 82% of the known exploited vulnerabilities missed by the scanners fall under MITRE's 2021 CWE Top 40 Most Dangerous Software Weaknesses.

  • With 16% of the CVEs, CWE-78 (Improper Neutralization of Special Elements used in an OS Command) is the most exploited weakness among the KEVs overlooked by scanners. CWE-78 ranks fifth on the list of most dangerous software weaknesses.

  • The most dangerous software weakness, CWE-77 (Improper Neutralization of Special Elements used in a Command), accounted for 11% of the vulnerabilities missed by the scanners.

  • 15% of the KEVs with critical and high severity ratings do not have a specific CWE identifier assigned to them.

  • 77% of these KEVs skipped by the scanners are categorized under OWASP CWE Top 10:2021.

CWE                Count of CVEs
CWE-119            2
CWE-20             2
CWE-22             3
CWE-22|CWE-287     1
CWE-264            1
CWE-287            1
CWE-310            1
CWE-77             2
CWE-78             6
CWE-79             2
CWE-843            1
CWE-89             2
CWE-94             1

Table: CWE Analysis of CISA KEVs Missed by Top Scanners

Relying solely on legacy detection and response tools, or even on a basic vulnerability management program, is not an adequate defense. Organizations that continue with outdated scanner systems are especially vulnerable to ransomware threats. Therefore, we recommend that scanner users adopt a threat- and risk-based strategy rather than depending only on the scanner's results and severity ratings.

Affected Vendors

We then examined the affected vendors and the products vulnerable to these KEVs missed by scanners, and found a total of 34 vendors affected by these CVEs. Further, we observed that 14% of the CVEs impact D-Link products.

Vendor                 Count of CVEs
D-Link 11
IBM 4
Samsung 3
Tenda 3
Netgear 2
Realtek 2
TIBCO 2
Unraid 2
WatchGuard 2
Alcatel 1
Amcrest 1
Arm 1
Aviatrix 1
ChakraCore 1
Code Aurora 1
D-Link and TRENDnet 1
FatPipe 1
Hikvision 1
Kaseya 1
LG 1
Meta Platforms 1
Micro Focus 1
Mitel 31
MongoDB 1
Owl Labs 1
Schneider Electric 1
SIMalliance 1
Sumavision 1
TP-Link 1
TVT 1
Ubiquiti 1
Yealink 1
Zyxel 1
Intel 1

Table: CISA KEVs Missed by Top Scanners


A Pentester's Viewpoint on Why Scanners Still Skip Known Bugs

The flawed practice of vulnerability scanners relying on CVSS scores rather than a risk-based approach is changing now. Scanners have begun focusing on associations such as weaponization, malware, ransomware, and other trends. However, there are still issues that need to be addressed, such as CVE assignment latency. It is high time for scanner owners to think about risk- and threat-based approaches to managing their cyberspace.

The reliability of a vulnerability scanner is determined by the testing procedures it employs as well as how frequently its detection database and crawling algorithm are updated. With popular scanners such as Nessus, Nexpose, and Qualys missing critical vulnerabilities, users are blind to the fact that they are unknowingly exposed to cyber attacks leveraging concealed weaknesses.

It is essential that organizations be aware of their inventory not just in terms of hardware and software, but also in terms of infrastructure and third-party services. Likewise, organizations need to rely on continuous vulnerability scanning solutions (VMaaS), Attack Surface Management (ASM), and security companies that offer vulnerability intelligence feeds to gather information on vulnerability detection and remediation. CSW provides all three key solutions to its customers and has been helping them gain cyber resilience against increasing instances of cyber attacks and evolving threats.


The countdown is on! The scanners do not have your back; are you rethinking your scanning strategy?
If not, CSW's security experts can help you build a continuous, risk-based vulnerability management strategy. Talk to us.
