vFeed Newsletter November 2024
November 29, 2024
Zetafence acquires vFeed IO to vastly expand Threat Intelligence & Cloud Vulnerability insights with correlated feeds across
We are happy and thrilled to announce that vFeed IO has joined forces with Zetafence to expand Threat Intelligence and Vulnerability Management Offerings.
Over the next few weeks, we will work on streamlining update processes, improving development processes, adding more mapper sources for our feed aggregation, leveraging data semantics to recommend threat insights to customers such as advisories, etc.
Core engineering teams will be working on integrating vFeed threat vulnerabilities to correlate with attack surface vulnerabilities across clouds, and Kubernetes deployments to provide unified infrastructure and deployment threat intel across platforms.
For more information, please visit the link below.
Critical Vulnerabilities – November 2024
| CVE | Description | CVSS 3 Base | Date Published | Weakness | Versions Affected | References |
|---|---|---|---|---|---|---|
| CVE-2024-42450 | Versa Director uses PostgreSQL (Postgres) to store operational and configuration data. It is also needed for the High Availability function of the Versa Director. The default configuration has a common password across all instances of Versa Director. | 10 | 2024-11-19 18:15:21 | CWE-798 Use of Hard-coded Credentials | Versa Director 22.1.4 version | https://security-portal.versa-networks.com/emailbulletins/6735a300415abb89e9a8a9d3 |
| CVE-2024-11590 | 1000 Projects Bookstore Management System /forget_password_process.php. The manipulation of the argument un m leads to sql injection. The attack may be launched remotely. | 9.8 | 2024-11-21 13:15:06 | CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) | /forget_password_process.php. | https://github.com/1ighttack/CVE/issues/1 |
| CVE-2024-52401 | WordPress: Hacklog DownloadManager allows Upload a Web Shell to a Web Server CSRF | 9.6 | 2024-11-19 17:15:55 | CWE-352 Cross-Site Request Forgery (CSRF) | DownloadManager Plugin <= 2.1.4 is vulnerable | https://patchstack.com/database/vulnerability/hacklog-downloadmanager/wordpress-hacklog-downloadmanager-plugin-2-1-4-csrf-to-arbitrary-file-upload-vulnerability?_s_id=cve |
| CVE-2024-10094 | Pega Platform versions 6.x to Infinity 24.1.1 are affected by an issue with Improper Control of Generation of Code | 9.1 | 2024-11-20 15:15:08 | CWE-94 Improper Control of Generation of Code (‘Code Injection’) | Pega Platform versions 6.x to Infinity 24.1.1 | https://support.pega.com/support-doc/pega-security-advisory-d24-vulnerability-remediation-note |
| CVE-2024-10898 | WordPress: Contact Form 7 Email Add on plugin is vulnerable to Local File Inclusion in all versions up to 1.9 | 8.8 | 2024-11-21 11:15:24 | CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) | Up to (including) 1.9 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d82efaa3-ea61-476c-ad1a-60585450c63a?source=cve |
| CVE-2024-52451 | WordPress: Cross-Site Request Forgery (CSRF) vulnerability in Aaron Robbins Post Ideas allows SQL Injection | 8.2 | 2024-11-20 12:15:22 | CWE-352 Cross-Site Request Forgery (CSRF) | Post Ideas Plugin <= 2 | https://patchstack.com/database/vulnerability/post-ideas/wordpress-post-ideas-plugin-2-csrf-to-sql-injection-vulnerability?_s_id=cve |
| CVE-2024-10855 | WordPress: Image Optimizer, Resizer and CDN Sirv plugin vulnerable to unauthorized modification of data that can lead to a denial of service due to insufficient validation on the filename parameter | 8.1 | 2024-11-20 7:15:08 | CWE-639 Authorization Bypass Through User-Controlled Key | Sirv <= 7.3.0 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d6ec09e5-4994-4d23-bf8e-26b64d5303fa?source=cve |
| CVE-2024-48990 | Qualys discovered that needrestart, before version 3.8, allows local attackers to execute arbitrary code as root by tricking needrestart into running the Python interpreter with an attacker-controlled PYTHONPATH environment variable | 7.8 | 2024-11-19 18:15:22 | CWE-427 Uncontrolled Search Path Element | Before version 3.8 | https://www.qualys.com/2024/11/19/needrestart/needrestart.txt |
Vulnerability Trends
How did November Vulnerability trend after October Cybersecurity Awareness Month?
The first histogram under each platform shows the High count, and the second the Medium count.
Curiosity Questionnaire of the Month
We got asked a number of curious questions during the month, and thought we should share those insights here.
What vulnerability data format should I adhere to if I start off now? Any standards?
Depends on your use case. Don’t we shudder at that answer? But there is some meaning to it. True, you can start with the existing CVE, CVSS and CPE formats, which are widely adopted and reported. Many SBOM tools work with those, although SBOMs have now moved towards System Package Data Exchange (SPDX), an open standard capable of representing systems and their software components as SBOMs.
There is also OpenVEX, an open source specification, library, and suite of tools designed to enable software users to eliminate vulnerability noise and focus their security efforts on the vulnerabilities that pose an immediate risk.
Structured Threat Information eXpression (STIX) is another format used in Cyber Threat Intelligence (CTI) reporting to describe and exchange information about threats, vulnerabilities, attacks, and defenses. STIX is designed to enable organizations to share actionable intelligence in a standardized format, facilitating better threat detection, prevention, and response.
That said, a modern approach is to have a customizable JSON schema for compatibility across tools, such as the one defined by Common Security Advisory Framework (CSAF).
Why are there so many vulnerability data formats out there? Why are those hard to change?
That’s the result of evolution through diversification. Vulnerabilities are defined and used by various stakeholders such as developers, security teams, auditors, threat analysts, and vendors – each with unique requirements. Hence each has its own representation, including STIX, CVSS, EPSS, SBOM, CPE, etc.
Such vulnerability data must also work with a variety of tools – SIEMs, vulnerability scanners, patch management systems, threat intelligence platforms – each of which may support different formats.
Organizational network effects resist any move away from the well-adopted CVE and CVSS, because they are deeply integrated into the ecosystem.
How do enterprises narrow down on specific vulnerabilities that must be quickly addressed in their environment?
Focus on the 4 Rs:
- Relevance: the context of what you possess and what could plausibly affect your environment. Match vulnerabilities to PURLs (e.g., from an SBOM or package manifests) and to environments such as AWS, on-prem, or specific applications.
- Risk: CVSS base scores, exploit maturity (EPSS), and an impact study of the potential damage to confidentiality, integrity, and availability.
- Reach (exposure): privilege level, such as IAM or admin services; attack path analysis for lateral movement or privilege escalation; and asset criticality, i.e., core systems, databases, or components housing sensitive data, and their sensitivity.
- Remediation: identify what is relevant and what is actually being exploited, and go after those.
High Risk + High Relevance + High Reach → Immediate action
High Risk + High Reach, but Low Relevance → Monitor but deprioritize
Low Risk + Low Reach, but High Relevance → Schedule patching
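The three rules above, applied over a constructed SBOM and constructed vulnerability records (an added example, not vFeed code). Only CVE-2024-48990’s CVSS score and fixed version come from this newsletter; the thresholds, EPSS values, asset context and CVE-EXAMPLE-* ids are assumptions for illustration.

```python
# Added example, not vFeed code: a small "4 Rs" triage over constructed data.
# Thresholds are assumptions for illustration, not from vFeed or any standard.
RISK_CVSS, RISK_EPSS = 7.0, 0.1
# Constructed SBOM: PURL -> asset context (criticality, privilege level).
SBOM = {
    "pkg:deb/debian/needrestart@3.6": {"critical": True, "privileged": True},
    "pkg:npm/lodash@4.17.21": {"critical": False, "privileged": False},
}
# Constructed vulnerability records. Only CVE-2024-48990's CVSS (7.8) and fixed
# version (3.8) come from the newsletter; EPSS values and CVE-EXAMPLE-* ids are placeholders.
VULNS = [
    {"cve": "CVE-2024-48990", "purl": "pkg:deb/debian/needrestart", "fixed": "3.8",
     "cvss": 7.8, "epss": 0.62, "remote": False},
    {"cve": "CVE-EXAMPLE-0001", "purl": "pkg:npm/lodash", "fixed": "4.17.22",
     "cvss": 9.8, "epss": 0.02, "remote": False},
    {"cve": "CVE-EXAMPLE-0002", "purl": "pkg:pypi/requests", "fixed": "2.31.0",
     "cvss": 9.1, "epss": 0.90, "remote": True},
]

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def relevance(vuln, sbom):
    """Relevance: is the vulnerable package in the SBOM below the fixed version?"""
    for purl, asset in sbom.items():
        base, _, version = purl.partition("@")
        if base == vuln["purl"] and version_tuple(version) < version_tuple(vuln["fixed"]):
            return True, asset
    return False, None

def high_risk(vuln):
    """Risk: CVSS base score combined with EPSS exploit likelihood."""
    return vuln["cvss"] >= RISK_CVSS and vuln["epss"] >= RISK_EPSS

def high_reach(vuln, asset):
    """Reach: critical or privileged asset, or a remotely reachable weakness."""
    return vuln["remote"] or bool(asset and (asset["critical"] or asset["privileged"]))

def triage(vuln, sbom):
    relevant, asset = relevance(vuln, sbom)
    risk, reach = high_risk(vuln), high_reach(vuln, asset)
    if risk and relevant and reach:
        return "immediate action"
    if risk and reach and not relevant:
        return "monitor but deprioritize"
    if not risk and not reach and relevant:
        return "schedule patching"
    return "manual triage"  # combination not covered by the three rules above

def prioritize(vulns=VULNS, sbom=SBOM):
    return {v["cve"]: triage(v, sbom) for v in vulns}
```

Combinations the three rules do not name fall through to manual triage rather than being silently deprioritized.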
Why do I see so many updates to vulnerability EPSS score percentiles?
EPSS percentiles change often because EPSS is designed to provide dynamic, data-driven predictions of the likelihood that a vulnerability will be exploited in the wild. These updates reflect the constantly changing threat landscape as new information becomes available. EPSS scores are generated by machine learning models that analyze vast amounts of data, and because a percentile ranks a CVE against all other scored CVEs, a percentile can move even when that CVE’s own score has not changed.
Is there something like a “vulnerability hangover”?
A “vulnerability hangover” is a feeling of discomfort, self-doubt, and regret that may occur due to uncertainty or anguish. In the cybersecurity world, it is informally used to describe the lingering aspects or impacts of a major vulnerability long after its initial disclosure. This could stem from uncertainty about systems that may have been left unpatched, neglect of dependency chains, or compliance fallout. In other words, security debt.
To mitigate it, constantly look for vulnerabilities that are relevant and pose higher risks in your specific environment, use scores beyond CVSS such as EPSS, and use the Common Attack Pattern Enumeration and Classification (CAPEC) framework to understand exploitation risks and mitigation strategies.
Concerns in Vulnerability Data Standardization
The CSA Vulnerability Data Working Group published “Top Concerns with Vulnerability Data” this month, and it is quite a good read. We summarize some of those concerns from our perspective.
Current State of Vulnerability Data
NVD is Overwhelmed: The National Vulnerability Database (NVD) has been struggling to keep up with the rapid and ever-increasing reporting of vulnerabilities. A combination of factors causes this, including the growth of technology, the exploitation of system weaknesses, and a lack of resources. In 2024, the NVD even had to temporarily halt publishing CVEs due to this overwhelming influx.
Inadequate handling of complexity: Existing vulnerability data formats such as CVE and CVSS are not equipped to handle the increasing complexity of vulnerabilities. They cannot accurately assess and prioritize threats, leading to potential security risks.
Current Challenges – CVE
The CVE format and system struggle to keep pace with the rapidly evolving cybersecurity landscape. Its limited granularity and slow assignment processes, once adequate for a smaller volume of vulnerabilities, have become major pain points. Some of the challenges in the current landscape include:
- Data Quality and Fidelity
- Perverse Incentives to not Create CVEs
- Finding Relevant Vulnerability Data
- Notifying Project Maintainers
- Lack of Interoperability
- Resolving Disputes
- Complexity of Reporting Vulnerabilities
- Handling False or Low-Quality Reports
- Increasing Number of CVEs Every Year
Current Challenges – CVSS
When analyzing the severity of vulnerabilities, it is natural to reach for scoring systems that weigh threat levels based on CVSS. However, CVSS has glaring disadvantages in its framework that have been overlooked because there are few or no alternatives that aim to build on and improve the CVSS framework, so it continues to be perceived as the standard severity scoring system. Some of the challenges in the current landscape include:
- Inability to Prioritize Risk
- Limited Awareness of Context
- Static Scoring System
Alternatives to CVSS: Exploit Prediction Scoring System (EPSS), Stakeholder-Specific Vulnerability Categorization (SSVC) framework, Vulnerability Prioritization System (VPR).
Summary
Traditional vulnerability systems like CVE and CVSS struggle to keep pace with the rapidly evolving threat landscape. This is where AI and ML can help revolutionize vulnerability management by automating data enrichment, improving interoperability, and providing dynamic, context-aware assessments.