Introduction

Application security provider OX has highlighted the need for the US Cybersecurity and Infrastructure Security Agency (CISA) to enhance its Known Exploited Vulnerabilities (KEV) catalog by incorporating more contextual information [1]. This recommendation stems from OX’s analysis of vulnerabilities, which suggests that not all listed vulnerabilities pose significant risks, particularly in cloud environments [3].

Description

Application security provider OX has urged the US Cybersecurity and Infrastructure Security Agency (CISA) to enhance its Known Exploited Vulnerabilities (KEV) catalog by adding more contextual information [1]. A recent analysis by OX examined 25 CVEs from CISA’s KEV list across over 200 cloud environments, focusing on 10 specific entries. The findings revealed that many of these vulnerabilities pose no actual risk in containerized cloud environments [1] [2] [3]. For instance, five of the examined CVEs were deemed unexploitable in these environments, while the remaining five could be exploited only under specific conditions [3]. Among the vulnerabilities analyzed, six were reported on Android and required physical access to exploit, while two affected most Linux-based operating systems but would need to be chained with other flaws for successful exploitation [2] [3]. Additionally, one CVE was identified in Apple’s Safari browser, which is irrelevant for cloud container environments, and three were found in libraries used by Google Chrome, which are also not applicable to most cloud containers [3].

The report, published on May 28 [1], recommends that security teams abandon a blanket ‘patch everything’ approach, as treating all KEV vulnerabilities with equal urgency creates unnecessary workloads and diverts resources from genuinely critical issues [2] [3]. Instead, it advocates prioritizing patches by contextual relevance, encouraging organizations to evaluate the significance of each vulnerability before acting [2]. Security teams should consider the original context of each CVE, search for proofs-of-concept, and assess whether the vulnerability could lead to access to sensitive information [3]. This contextual evaluation supports a more efficient workflow for managing critical vulnerabilities, reducing alert fatigue and focusing resources where they matter [3]. OX also called for CISA to enrich its KEV entries with additional contextual data to assist security teams in their assessments, particularly as over 180 new KEVs are added each year.
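The triage workflow described above can be made concrete as a small script. The following is an added example written for this page; it is not code from OX, CISA or the cited articles. It assumes KEV entries shaped like CISA’s public KEV JSON feed (fields such as cveID, vendorProject, product and knownRansomwareCampaignUse), a locally maintained enrichment table with hypothetical fields (platforms, physical_access, needs_chaining, public_poc, sensitive_data_reachable) standing in for the context the feed does not carry, and an inventory of what the container fleet actually runs. The CVE identifiers and products are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed KEV-style entries. Field names follow CISA's public KEV JSON feed;
# the CVE identifiers are placeholders, not real catalog entries.
SAMPLE_KEV = [
    {"cveID": "CVE-EXAMPLE-0001", "vendorProject": "Google", "product": "Android Kernel",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-EXAMPLE-0002", "vendorProject": "Linux", "product": "Kernel",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-EXAMPLE-0003", "vendorProject": "Apple", "product": "Safari",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-EXAMPLE-0004", "vendorProject": "ExampleProject", "product": "example-web-framework",
     "knownRansomwareCampaignUse": "Known"},
]


@dataclass(frozen=True)
class Context:
    """Hand-maintained enrichment the KEV feed does not carry (hypothetical schema)."""
    platforms: frozenset                    # platforms on which the flaw is reachable
    physical_access: bool = False           # needs hands-on access to the device
    needs_chaining: bool = False            # exploitable only together with another flaw
    public_poc: bool = False                # a proof-of-concept is publicly available
    sensitive_data_reachable: bool = False  # successful exploitation exposes sensitive data


# Constructed enrichment for the sample entries, mirroring the categories in the report:
# Android/physical access, Linux/chaining required, desktop browser, and a deployed service.
CONTEXT: Dict[str, Context] = {
    "CVE-EXAMPLE-0001": Context(frozenset({"android"}), physical_access=True),
    "CVE-EXAMPLE-0002": Context(frozenset({"linux"}), needs_chaining=True),
    "CVE-EXAMPLE-0003": Context(frozenset({"macos", "ios"})),
    "CVE-EXAMPLE-0004": Context(frozenset({"linux"}), public_poc=True, sensitive_data_reachable=True),
}

# What the fleet actually runs: its platforms and deployed (vendorProject, product) pairs.
FLEET_PLATFORMS = frozenset({"linux"})
FLEET_INVENTORY = {("Linux", "Kernel"), ("ExampleProject", "example-web-framework")}

# Most urgent first; entries lacking enrichment are surfaced for manual review.
TIER_ORDER = {"urgent": 0, "needs_context": 1, "conditional": 2,
              "scheduled": 3, "low": 4, "not_applicable": 5}


def triage(entry: dict, ctx: Context) -> Tuple[str, str]:
    """Return (tier, reason) for one KEV entry given its context and the fleet."""
    if not ctx.platforms & FLEET_PLATFORMS:
        return "not_applicable", "platform not present in the container fleet"
    if ctx.physical_access:
        return "not_applicable", "requires physical access, which containers do not offer"
    if (entry["vendorProject"], entry["product"]) not in FLEET_INVENTORY:
        return "low", "affected product not deployed"
    if ctx.needs_chaining:
        return "conditional", "exploitable only when chained with another flaw"
    if ctx.public_poc or ctx.sensitive_data_reachable or entry.get("knownRansomwareCampaignUse") == "Known":
        return "urgent", "deployed and reachable; public PoC, ransomware use or sensitive data at risk"
    return "scheduled", "deployed and reachable; patch in the normal cycle"


def prioritise(kev: List[dict], context: Dict[str, Context]) -> List[Tuple[str, str, str]]:
    """Rank every KEV entry as (cveID, tier, reason), most urgent first."""
    rows = []
    for entry in kev:
        ctx = context.get(entry["cveID"])
        if ctx is None:
            rows.append((entry["cveID"], "needs_context", "no enrichment recorded; review manually"))
            continue
        tier, reason = triage(entry, ctx)
        rows.append((entry["cveID"], tier, reason))
    return sorted(rows, key=lambda row: TIER_ORDER[row[1]])


if __name__ == "__main__":
    for cve_id, tier, reason in prioritise(SAMPLE_KEV, CONTEXT):
        print(f"{cve_id:<20} {tier:<15} {reason}")
```

With the real feed, the SAMPLE_KEV list would be replaced by the "vulnerabilities" array loaded from CISA’s JSON download; the enrichment table is the part the report argues CISA could supply itself, and until it does, any entry without a local context row is deliberately pushed above routine work so it is reviewed rather than silently ignored.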

Conclusion

The findings and recommendations from OX underscore the importance of a more nuanced approach to vulnerability management. By prioritizing vulnerabilities based on their contextual relevance, security teams can allocate resources more effectively, reducing unnecessary workloads and focusing on genuinely critical threats. The call for CISA to enrich its KEV catalog with additional contextual information could significantly aid in this process, helping organizations better assess and respond to emerging vulnerabilities. As the landscape of cybersecurity threats continues to evolve, such strategic enhancements are crucial for maintaining robust security postures.

References

[1] https://www.infosecurity-magazine.com/news/cisa-urged-enrich-kev-catalog/
[2] https://ciso2ciso.com/cisa-urged-to-enrich-kev-catalog-with-more-contextual-data-source-www-infosecurity-magazine-com/
[3] https://www.itpro.com/security/do-you-really-need-to-fix-that-critical-flaw