The U.S. government has created a catalog of known, actively exploited vulnerabilities and is requiring federal civilian agencies to apply patches for them in “a more aggressive” timeline.
The requirements from the Cybersecurity and Infrastructure Security Agency (CISA) come as part of a new binding operational directive (BOD), which is a mandate for federal departments and agencies to safeguard information systems. The specific directive released on Wednesday, BOD 22-01, establishes a catalog of actively exploited flaws, managed by CISA, which “carry significant risk to the federal enterprise.”
Currently, agencies have until Nov. 17 to apply patches for catalog entries whose CVE IDs were assigned in 2021, and until May 3, 2022 to apply patches for catalog entries whose CVE IDs were assigned before 2021.
“The Directive lays out clear requirements for federal civilian agencies to take immediate action to improve their vulnerability management practices and dramatically reduce their exposure to cyber attacks,” said CISA Director Jen Easterly in a statement. “While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”
Currently, there are 291 bugs in the catalog. These flaws include a vulnerability (CVE-2020-10148) in the SolarWinds Orion platform previously leveraged by attackers to install the Supernova malware on victims’ Orion installations; an array of bugs in the Pulse Connect Secure VPN (CVE-2019-11510, CVE-2020-8260, CVE-2020-8243 and CVE-2021-22893) that were exploited by attackers to target several federal agencies and critical infrastructure organizations in April; and a number of vulnerabilities (including CVE-2021-26855) associated with the ProxyLogon attacks in March, in which attackers targeted vulnerable Microsoft Exchange servers.
CISA said it would consider the addition of vulnerabilities to the catalog if there is “reliable evidence” that they are being exploited by a threat actor to target public or private organizations. Flaws must also have a CVE identifier and patches that are available in order to be added to the list.
This is different from previous BODs that focused on the severity of vulnerabilities rather than whether they were being exploited. In 2015, for instance, BOD 15-01 was issued to require agencies to fix “critical risk” flaws detected on their systems within 30 days; and in 2019, BOD 19-02 ordered agencies to mitigate “critical risk” flaws in 15 days and “high risk” flaws within 30 days. Of note, CISA said that its new directive “enhances but does not replace BOD 19-02.”
CISA said its emphasis on vulnerability exploitation rather than severity stems from the fact that Common Vulnerability Scoring System (CVSS) scores measure technical severity, not the real-world risk a CVE represents. For instance, attackers may target high- or medium-severity flaws in widespread attacks rather than a critical-severity vulnerability, which may have a higher impact but might be more complex for attackers to exploit. In addition, threat actors chain together multiple vulnerabilities, none of which may be critical on its own, to launch some of the more dangerous attacks, as seen in the ProxyLogon campaign.
The new catalog also streamlines CISA’s listing of vulnerabilities that agencies must patch. Previously, each vulnerability prioritized for remediation was flagged through an individual Emergency Directive, eight of which have been issued since 2019.
By making the catalog public, CISA hopes to encourage private-sector organizations to apply the patches as well, although unlike federal agencies they are not required to do so.
“This will help state and local governments and private sector critical infrastructure operators to guard their networks against malicious hackers,” said Rep. Jim Langevin (D-RI), who is a member of the U.S. Cyberspace Solarium Commission. “Although the Department of Homeland Security has long focused on patching Internet-facing systems, today’s Directive is a great example of CISA prioritizing risk mitigation for internal networks by identifying fixes federal agencies must apply as quickly as possible.”
CISA said the patches must be applied on any federal information system, including systems operated by other entities on the agency’s behalf. In addition to patching the flaws listed in the catalog, federal agencies must, within 60 days, establish a process for ongoing remediation of catalog vulnerabilities as they are added. Part of this will include internal tracking and reporting requirements to evaluate whether the agency is adhering to the directive and to report that status to CISA.
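The directive’s deadline rule (two weeks for CVE IDs assigned in 2021, six months for earlier ones, measured from the date an entry is added) and the tracking obligation above can be turned into a small reconciliation job. The following Python script is an added example, not code from CISA or from this article: it reads a catalog in the shape of the public KEV JSON feed (fields `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`), joins it with vulnerability-scanner findings, and computes each host’s due date, preferring the catalog’s own `dueDate` when present and falling back to the directive’s default timeline otherwise. The catalog excerpt, the host names and the ID CVE-2021-99999 are constructed for the example and are not real catalog data.

```python
"""Reconcile a KEV-style catalog against scan findings under BOD 22-01 deadlines.

Added example. The catalog excerpt and scan findings are constructed; field
names follow the public KEV JSON feed, the values do not come from it.
"""
from __future__ import annotations

import calendar
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed catalog excerpt. The third entry deliberately omits dueDate so the
# directive's default timeline has to be derived from the CVE year.
SAMPLE_CATALOG = json.loads("""
{
  "title": "Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
    {"cveID": "CVE-2019-11510", "vendorProject": "Pulse Secure", "product": "Pulse Connect Secure",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
    {"cveID": "CVE-2020-10148", "vendorProject": "SolarWinds", "product": "Orion Platform",
     "dateAdded": "2021-11-03"}
  ]
}
""")


@dataclass(frozen=True)
class Finding:
    """One scanner result: the host and the CVE detected on it (constructed)."""
    host: str
    cve_id: str


# Constructed scan output. CVE-2021-99999 is a hypothetical ID that is not in
# the catalog, to show that non-KEV findings fall outside the directive's scope.
SAMPLE_FINDINGS = [
    Finding("web-01", "CVE-2021-26855"),
    Finding("vpn-01", "CVE-2019-11510"),
    Finding("mon-01", "CVE-2020-10148"),
    Finding("build-02", "CVE-2021-99999"),
]


@dataclass(frozen=True)
class Action:
    host: str
    cve_id: str
    product: str
    due: date
    days_left: int  # negative once the deadline has passed

    @property
    def overdue(self) -> bool:
        return self.days_left < 0


def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day for shorter months."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def default_due_date(cve_id: str, date_added: date) -> date:
    """BOD 22-01 default timelines: CVE IDs assigned before 2021 get six months
    from the date added; all other CVE IDs get two weeks."""
    cve_year = int(cve_id.split("-")[1])
    return add_months(date_added, 6) if cve_year < 2021 else date_added + timedelta(days=14)


def reconcile(catalog: dict, findings: list[Finding], today: date) -> list[Action]:
    """Join findings with the catalog; return required actions, soonest due first."""
    by_cve = {v["cveID"]: v for v in catalog["vulnerabilities"]}
    actions = []
    for f in findings:
        entry = by_cve.get(f.cve_id)
        if entry is None:
            continue  # still a vulnerability, but not a BOD 22-01 obligation
        added = date.fromisoformat(entry["dateAdded"])
        # The catalog's own dueDate wins (CISA may shorten it for grave risk);
        # otherwise derive the directive's default timeline.
        due = date.fromisoformat(entry["dueDate"]) if entry.get("dueDate") else default_due_date(f.cve_id, added)
        product = f"{entry['vendorProject']} {entry['product']}"
        actions.append(Action(f.host, f.cve_id, product, due, (due - today).days))
    return sorted(actions, key=lambda a: a.due)


def run_example(today_iso: str = "2021-11-20") -> list[Action]:
    """Run the reconciliation over the constructed data as of a given date."""
    return reconcile(SAMPLE_CATALOG, SAMPLE_FINDINGS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for a in run_example():
        status = "OVERDUE" if a.overdue else f"{a.days_left} days left"
        print(f"{a.host:10} {a.cve_id:16} {a.product:30} due {a.due} ({status})")
```

Run as a script it prints one line per host, soonest deadline first, with overdue items flagged; the same list is what an agency would roll into the internal tracking and reporting the directive asks for. Note that the scanner finding not in the catalog is dropped from the report on purpose: it is outside the directive, not outside the patch queue, which is the point Kelly makes below about continuing ordinary vulnerability assessment.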
Vulnerability management continues to be a top issue for government agencies and private industry alike. A July report from NTT Application Security found that critical vulnerabilities remain open for 202 days on average. Ray Kelly, principal security engineer at NTT Application Security, said CISA’s approach in the directive, being very specific about which known vulnerabilities must be mitigated, can easily be turned into actionable tasks that departments can track and verify.
“However, while there is good coverage of high impact vulnerabilities being addressed, it’s important to note that this doesn’t mean continuous assessments and vulnerability analysis should be stopped,” he said. “Malicious actors will always be looking to take advantage of the next security gap in any organization.”