Vulnerability PoCs: What’s It Mean To Me?

8-28-2023 (Monday)

Hello and welcome to another edition of The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, August 28, 2023, and aside from battling a bit of a summer cold, we’re going to jump right into a somewhat more technical discussion about how to think about vulnerabilities, Proofs of Concept, and the disclosure/response process.

Vulnerability Proof of Concepts: What’s It Mean for Me?

While we’ve talked about vulnerabilities plenty on this show this past year, the past week saw a string of newly disclosed vulnerabilities and “Proofs of Concept,” or PoCs.

This includes vulnerabilities in Juniper firewalls, the popular software package WinRAR, and Ivanti’s Avalanche Manager. But what do these PoCs really indicate, and how should we think about them?

This week’s examples are particularly interesting because they give us some insight into the process behind finding, disclosing, and fixing these sorts of issues - and it’s worth recognizing that most large software and hardware packages have vulnerabilities in them that simply haven’t been publicly surfaced yet.

Let’s look first at the vulnerability in the Ivanti tool, which was discovered by researchers at Tenable. In a thoughtful write-up of the PoC and disclosure process, the Tenable researchers helpfully lay out not only the code that is vulnerable, but also the disclosure and resolution timeline. The short story here is that the issue was first reported to Ivanti on April 4th, 2023 - though, obviously, it existed prior to that. It took until August 1st for a fix to become available, and the initial advisory was released on August 14th - a window of 132 days.

During this window, then, there was a known Critical vulnerability (9.8 out of 10) that at least some researchers knew about and knew how to exploit. Did others - such as foreign intelligence services or other threat actors? We’ll never know, but that’s a pretty long window to get it closed out. In the meantime, anyone running this service was vulnerable.

Tenable CEO Amit Yoran recently publicly criticized Microsoft for its slow response in fixing another finding that Tenable researchers discovered. His main points of contention were the length of time to deploy the fix - over 120 days - and the fact that Microsoft limited its disclosure to customers, preventing them from making fully risk-informed decisions.

This is not the first time Yoran has taken a somewhat adversarial position against other tech companies, and I would refer you to his Senate testimony on tackling risks to Critical Infrastructure.

Let’s look at another example featuring research from WatchTowr Labs stringing together a few different vulnerabilities to result in Remote Code Execution in Juniper devices.

A couple of things to note from this piece. First, it’s highly technical - featuring code snippets, and digging into the bowels of how the PHP language works to find and execute code.

Secondly, each of the required “Proofs of Concept” has been posted on GitHub.

Why are these things important?

Because this sort of work enables both adversarial and defensive researchers to build on these bug chains and emulate the behavior in other systems that use the same technology.

I know there are some who say that disclosing these sorts of PoCs and research is only going to enable the threat actors to get better faster, but by not releasing it, you also guarantee that the defenders are slowed in their own learning and discovery - essentially forcing each development team to learn every lesson independently, instead of being able to leverage these sorts of disclosures to prevent the same mistakes from happening in their own software.

So what does this mean to us, as investors and operators?

The Juniper example is a great one to learn from because it requires multiple activities to succeed - each of which gives us an opportunity to deter, detect, and disrupt the threat actor. We should focus on ensuring that we’re up to date on the latest versions and patches for all of our software and hardware, but at the same time, ensure that we’re limiting permissions, logging activity, surfacing alerts, and responding to anomalous activity at machine speed.

The modern enterprise - even small business - has gotten too complex for a single person to keep everything both running and secure. As researchers continue to expand their capabilities, iterate, and share their work, defenders need to be doing the same thing. If your teams aren’t leaning in as actively as these researchers, it’s time to step it up.

Fundraising

Quiet fundraising week, led by Blackstone’s fourth tactical opportunities fund with $5.2b in capital commitments.

As we mentioned last week, it’s peak vacation season. We do have some IPOs getting prepped - ARM announced early in the week, and Friday saw three new filings - Instacart, Klaviyo, and Neumora Therapeutics. Q4 is going to be quite busy, indeed.

You can find all the links to the stories we covered in the comments section below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next Monday for another Intentional Brief.

Links

https://nvd.nist.gov/vuln/detail/CVE-2023-36844

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40477

https://www.csoonline.com/article/650023/winrar-users-urged-to-upgrade-to-fix-critical-vulnerabilities.html

https://nvd.nist.gov/vuln/detail/CVE-2023-32560

https://www.tenable.com/security/research/tra-2023-27

https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-flaw-after-being-called-irresponsible-by-tenable-ceo/

https://www.congress.gov/117/meeting/house/114553/witnesses/HHRG-117-HM00-Wstate-YoranA-20220405.pdf

https://labs.watchtowr.com/cve-2023-36844-and-friends-rce-in-juniper-firewalls/
