August 26, 2019
Risk Based Security reported today that VulnDB aggregated 11,092 vulnerabilities with disclosure dates during the first half of 2019, with CVE/NVD falling behind by 4,332 entries, according to their 2019 Mid-Year Vulnerability QuickView Report.
Top ten vendors for this year, as well as how their standings compare to last year, by mid-year 2019
Five major vendors accounted for 24.1% of those vulnerabilities in 2019 so far. Further analysis reveals that 54% of 2019 vulnerabilities are Web-related, 34% have public exploits, 53% can be exploited remotely, and that 34% of 2019 vulnerabilities do not have a documented solution.
“34% of vulnerabilities do not have a solution, which may be because vendors are not patching. This can occur when the researcher has not informed the vendor, so they don’t know about the vulnerability,” commented Brian Martin, Vice President of Vulnerability Intelligence at Risk Based Security.
“Additionally, if an organization is using vulnerability scanning, they may simply not know about all of their assets. For example, if they are not scanning their entire IP space, or are using a scanner that is unable to identify 100% of their assets, then devices and servers may go unpatched.”
This reinforces the analysis published in Risk Based Security’s 2019 Mid-Year Data Breach Report, which found that the practice of targeting open, unsecured databases has contributed to the growing number of records exposed over the last two years.
The report reveals that out of the vulnerabilities not published by CVE/NVD, 28.2% of them have a CVSSv2 score between 7.0 and 10. Meanwhile, 8.6% of vulnerabilities that do have a CVE ID are in RESERVED status despite having a public disclosure.
All named/notable vulnerabilities that were disclosed in the first half of 2019
“An ongoing theme in VulnDB reports is that CVE/NVD continues to fall short in vulnerability coverage,” commented Brian Martin. “Many organizations, scanning companies, risk platforms, and security service providers insist that vulnerability intelligence from CVE/NVD is ‘good enough’. However, our mindset and approach to vulnerability aggregation is completely different.” Martin offers the CVE IDs in RESERVED status as an example of this different mindset. “These are cases where an ID has been assigned to an issue that was published, but MITRE isn’t aware. There are thousands of vulnerabilities that we cover with complete details that MITRE still does not. Worse yet, some RESERVED vulnerabilities have been in that state for up to a decade, despite being public for just as long.”
“Overall, in the eight years that RBS has been operating, the evolution of our own database has been incredible,” concluded Martin. “One of the most beneficial points of change is collaborating with our clients to better understand what software is critical to them. As you can imagine, not all companies are the same! We are thankful to our clients who take the time to share their stories and needs, so we can better help them.”
Afonso Infante