This is the last of a four-part series examining the period of time between when a vulnerability is first discovered and when it is fully disclosed on the National Vulnerability Database. In this installment, we examine eight notable CVEs with significant gaps in disclosure timelines and discuss how Tenable can help.
Curiosity demands that we ask questions, that we try to put things together and try to understand this multitude of aspects and perhaps resulting from the action of a relatively small number of elemental things and forces acting in an infinite variety of combinations.
—Richard P. Feynman
In the last of our four-part blog series we take a closer look at eight notable CVEs in 2022 and explore how the gaps between their discovery and their full disclosure on the National Vulnerability Database (NVD) could put organizations at risk. These are three key findings:
- Of the eight notable CVEs from 2022 analyzed for this study, some had gaps of 50 days or more between the time of their initial disclosure and the time they were fully disclosed in NVD. This gap gives threat actors the advantage, as they can utilize the flaw before many security teams even know there is a risk, let alone assess whether they’re impacted.
- We saw 186 days elapse between the time CVE-2022-1096 (a type confusion vulnerability in V8 in Google Chrome) was discovered and the time it was fully disclosed on NVD. This vulnerability had at least one exploit available 101 days before it was fully disclosed on NVD.
- Between January 1, 2000, and Dec. 31, 2022, Tenable provided Nessus plugin coverage for 32,862 vulnerabilities ahead of NVD, of which 677 had not been fully disclosed in NVD as of the release date of this study.
Selected vulnerabilities with significant gaps in 2022
In this section we highlight eight CVEs from 2022 for which we tracked a significant delay in details being fully disclosed on NVD; for at least three of these, it took months before they were fully disclosed on NVD.
As Fig. 1 shows, the eight CVEs:
- Received details on NVD after Tenable plugin coverage was available.
- Have been rated by Tenable Vulnerability Priority Rating (VPR) as Critical or High.
- Had a functional exploit identified.
Fig. 1
CVE | Description | CVSS v3 | VPR* |
---|---|---|---|
CVE-2022-1134 | Type confusion in V8 in Google Chrome | 8.8 | Critical |
CVE-2022-1364 | Type confusion in V8 Turbofan in Google Chrome | 8.8 | Critical |
CVE-2022-1096 | Type confusion in V8 in Google Chrome | 8.8 | Critical |
CVE-2022-0609 | Vulnerability in Animation in Google Chrome | 8.8 | Critical |
CVE-2022-42827 | Out-of-bounds write issue in iPadOS | 7.8 | Critical |
CVE-2022-40684 | Authentication bypass in Fortinet FortiOS | 9.8 | Critical |
CVE-2022-22960 | Privilege escalation in VMware | 7.8 | High |
CVE-2022-20699 | Multiple vulnerabilities in Cisco Small Business RV160, RV260, RV340, and RV345 Series Routers | 9.8 | High |
*as of the day of publication of this study
Source: Tenable Research, April 2023
Below we provide a closer look at how the timelines played out for each of the above CVEs.
CVE-2022-1134
CVE-2022-1134 is a type confusion in V8, the JavaScript engine used by Google Chrome. For this vulnerability, Tenable discovered the first piece of intelligence on March 29, 2022, and provided the earliest Nessus plugin coverage on the same day. Vulnerability details were fully disclosed on NVD 100 days later, on July 23, 2022.
CVE-2022-1364
CVE-2022-1364 is a type confusion in V8, the JavaScript engine used by Google Chrome. For this vulnerability, Tenable discovered the first piece of intelligence on April 14, 2022, and provided the earliest Nessus plugin coverage on the same day. Vulnerability details were fully disclosed on NVD 100 days later, on July 26, 2022.
CVE-2022-1096
CVE-2022-1096 is a type confusion in V8, the JavaScript engine used by Google Chrome. For this vulnerability, Tenable discovered the first piece of intelligence on January 18, 2022, and provided the earliest Nessus plugin coverage on March 25, 2022. Vulnerability details were fully disclosed on NVD 186 days later, on July 23, 2022. For this vulnerability, we observed at least one exploit available on March 28, 2022.
CVE-2022-0609
CVE-2022-0609 is a vulnerability in Animation in Google Chrome. For this vulnerability, Tenable discovered the first piece of intelligence on February 14, 2022, and provided the earliest Nessus plugin coverage on the same day. Vulnerability details were fully disclosed on NVD 50 days later, on April 4, 2022. For this vulnerability, we observed at least one exploit available on February 15, 2022.
CVE-2022-42827
CVE-2022-42827 is an out-of-bounds write issue in iPadOS 15.7.1, iOS 16.1 and iPadOS 16. Tenable discovered the first piece of intelligence on October 25, 2022, and provided the earliest Nessus plugin coverage on October 27, 2022. Vulnerability details were fully disclosed on NVD five days later, on November 1, 2022. For this vulnerability, at least one exploit was observed on October 25, 2022.
CVE-2022-40684
CVE-2022-40684 is an authentication bypass vulnerability using an alternate path in Fortinet FortiOS versions 7.2.0 – 7.2.1 and 7.0.0 – 7.0.6, FortiProxy version 7.2.0 and versions 7.0.0 – 7.0.6. Tenable discovered the first piece of intelligence on October 7, 2022, and provided the earliest Nessus plugin coverage on the same day. Vulnerability details were fully disclosed on NVD 11 days later, on November 18, 2022. For this vulnerability, at least one exploit was observed on October 10, 2022.
CVE-2022-22960
CVE-2022-22960 is a privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation. Tenable discovered the first piece of intelligence on April 6, 2022, and provided the earliest Nessus plugin coverage on the same day. Vulnerability details were fully disclosed on NVD seven days later, on April 13, 2022. For this vulnerability, at least one exploit was observed on April 15, 2022.
CVE-2022-20699
CVE-2022-22960 is a privilege escalation vulnerability in VMware Workspace ONE Access, Identity Manager and vRealize Automation. Tenable discovered the first piece of intelligence on April 6, 2022, and provided the earliest Nessus plugin coverage on the same day. Vulnerability details were fully disclosed on NVD seven days later, on April 13, 2022. For this vulnerability, at least one exploit was observed on April 15, 2022.
Conclusion
As this blog series demonstrates, security teams are inundated with tens of thousands of vulnerabilities each year. While the frameworks and systems put in place to help prioritize remediation efforts are indispensable tools, they often leave gaps in visibility that could be exploited by attackers. The Tenable VPR functionality discussed in this report offers additional guidance to help security professionals identify the vulnerabilities to find and fix first. But it’s only the start.
A preventive cybersecurity strategy requires visibility not only of the vulnerabilities that are present, but also of the misconfigurations that can occur in cloud assets and identity management systems, the unknown web applications that exist across an organization’s attack surface and the non-IT assets such as operational technology and internet of things devices. The siloed nature of preventive security tools makes it difficult for security organizations to analyze all of the above in context in order to obtain an objective view of cyber risk.
At Tenable, we believe preventive cybersecurity requires a new approach. We envision a future in which vulnerability management and other preventive cybersecurity tools come together in a new paradigm we call exposure management. While vulnerability management best practices are foundational, an exposure management program goes beyond classical vulnerability details (e.g., descriptions and CVSS scores) provided by commonly used public vulnerability sources to provide security teams with important context about attack paths, user privileges, cloud configurations and web applications so they can obtain a continuous and complete picture of what’s happening across the attack surface. Only by examining the depth and breadth of vulnerability information in context with the other elements of the attack surface can organizations hope to create a preventive security strategy that effectively reduces their cyber risk.
A list of Tenable plugins covering the CVEs analyzed in this study can be found here.
About The Mind the Gap series
This four-part Mind the Gap blog series is a resource for security professionals. It provides an overview of the observed vulnerability landscape, with a focus on vulnerabilities discovered by Tenable Research before detailed information appeared on the NVD. This series stems from the analysis of our own dataset, one of the most extensive and rich datasets in the industry. Through the years, we gathered a broad knowledge of the vulnerability landscape, enmeshed with Tenable Research-specific insights and reporting capabilities.
Other blogs in this series:
- Mind the Gap: How Waiting for NVD Puts Your Organization at Risk
- Mind the Gap: How Existing Vulnerability Frameworks Can Leave an Organization Exposed
- Mind the Gap: A Closer Look at the Vulnerabilities Disclosed in 2022
Learn More
Read the blog post So Many Vulnerabilities So Little Time: Zero In and ‘Zero Click’ into the Current Vulnerability Landscape