
2019 Mid-Year QuickView

Vulnerability Report
Issued August, 2019
Data as of July, 2019

1|Vulnerability Intelligence Copyright ©Risk Based Security, Inc. All rights reserved.
Key Findings

• Risk Based Security’s VulnDB® team aggregated 11,092 newly-disclosed vulnerabilities during the first half of 2019.
  o Web-related vulnerabilities accounted for 54.5% of those vulnerabilities.
  o 34% have public exploits.
  o 34% do not have a documented solution.
  o 53% can be exploited remotely.
  o 2.8% were classified as SCADA vulnerabilities.
  o 4.5% were classified as impacting security software.
• Risk Based Security’s VulnDB published 4,332 more vulnerabilities than CVE/NVD in the first half of 2019.
• The first half of 2019 showed less than a 4% decrease in vulnerabilities disclosed over the same period in 2018.
• CVSSv2 scores of 7.0+ accounted for 36.4% of all vulnerabilities published in the first half of 2019.
• 28.2% of the vulnerabilities not published by CVE/NVD in the first half of 2019 have a CVSS score between 7.0 and 10.
• 8.6% of vulnerabilities disclosed in the first half of 2019 with a CVE ID are still in RESERVED status.
• Coordinated disclosure accounted for 44% of vulnerabilities disclosed in the first half of 2019. 11.8% of coordinated disclosures were through bug bounty programs.
• Five major vendors accounted for 24.1% of vulnerabilities disclosed in the first half of 2019.

Brian Martin
Vice President, Vulnerability Intelligence

Brian Martin has been studying, collecting, and cataloging vulnerabilities for twenty-five years both personally and professionally, starting with a personal collection organized in the FILES.BBS format and ultimately becoming the Content Manager of the Open Sourced Vulnerability Database (OSVDB). Brian has pushed for the evolution of Vulnerability Databases (VDBs) for years via blogs, presentations, and public dialogue on social media, and has challenged VDBs to improve their processes and coverage at every step.

Brian has been involved in all aspects of the vulnerability management process, including discovering new vulnerabilities, writing advisories, coordinating disclosure, and working with a variety of organizations to improve vulnerability handling and response. Brian was on the CVE Editorial Board for ten years and remains an in-demand speaker for security conferences.
This report covers the vulnerability disclosures captured by Risk Based
Security during the first six months of 2019. The information collected is
summarized in a variety of charts that depict key insights and
conclusions that Risk Based Security was able to draw from the data.

Table of Contents

How Does 2019 Compare to Previous Years, So Far? ..... 4
What This Means for You & CVE ..... 5
How Bad Has 2019 Been? ..... 6
What Did Vulnerabilities Look Like So Far in 2019? ..... 7
Top Vendors & Vulnerabilities in the 1st Six Months ..... 11
Closing Thoughts ..... 12
Methodology and Terms ..... 13
About Risk Based Security ..... 13

How Does 2019 Compare to Previous Years, So Far?

The first half of 2019, in the world of vulnerability disclosures and VulnDB, was mostly business as usual. As
researchers look to new technology to assess security weaknesses, vendors continue to patch incredible
numbers of vulnerabilities (e.g. Adobe disclosed 86 in their May release alone). In addition to monitoring the
common sources of disclosures, the VulnDB team has steadily broadened our coverage through our own
continuous improvement processes as well as by working closely with customers to better understand their
third-party dependencies.

As we have seen in prior reports, the current tally for this time period (Q1 & Q2) as compared to the prior year dips a bit. However, in each case, the months following that period see an increase as both new and older vulnerabilities continue to be added with disclosure dates occurring in the first half of the year. Ultimately, based on past experience, we expect the 2019 mid-year point to show an increase over 2018 once all vulnerabilities are accounted for.

Figure 1: The number of vulnerabilities disclosed by Q2 in the past 8 years.

Similar to the small dip in the last chart, June shows a dip in vulnerabilities largely due to the process of aggregating the information. As new sources of information are processed, the prior period (e.g. month in this case) will continue to grow.

Figure 2: The number of vulnerabilities disclosed by Q2 2019.

What This Means for You & CVE

An ongoing theme in VulnDB reports (we can’t help ourselves) has been that CVE/NVD continue to fall dramatically short in providing comprehensive vulnerability coverage. While this is no surprise to most security practitioners, we continue to marvel at the fact that organizations, security companies and scanning vendors continue to defend their decision to use CVE/NVD for vulnerability scanning, security services and remediation, knowing full well of its lack of coverage.

One difference in the VulnDB approach to vulnerability aggregation is highlighted by the number of CVE IDs that are in RESERVED status.

Figure 3: The # of vulnerabilities disclosed by Q2 2019, with and without a CVE ID.

These are cases (vulnerabilities) where an ID has been assigned, but no information is available from MITRE. Figure 4 shows the number of CVE IDs in RESERVED status (again, meaning no information available according to MITRE) that actually do have a public disclosure, and that information can be found with complete details in VulnDB. The sad reality is that there are thousands of vulnerabilities in such RESERVED status in CVE/NVD, with some in RESERVED status for up to a decade, despite the details being available. Sadder still is the number of organizations, security companies and scanning vendors that despite these inadequacies view CVE/NVD as “good enough”.

Figure 4: The # of vulnerabilities disclosed each month with a CVE ID in RESERVED status.

How Bad Has 2019 Been?

The severity distribution of vulnerabilities in the first half of 2019, when looking at CVSSv2 scores, is on par with
prior years. In figures 5 and 6, one can see a bias in CVSS scoring causing certain ranges to be less frequent, for
example at 1.0 – 1.9 and 8.0 – 8.9.

While a significant number of organizations still use the venerable version 2 of the scoring standard, many are
considering a move to version 3. RBS has written an extensive blog series analyzing the pros and cons of each
version. As seen when we compare the two figures there is an incredible disparity between the two versions of
CVSS.

Figure 5: The distribution of CVSSv2 severity in vulnerabilities disclosed by Q2.

Figure 6: The distribution of CVSSv3 severity in vulnerabilities disclosed by Q2.

With this view of CVSSv3 severity, we see that a considerable number of vulnerabilities are scored much higher
than version 2. For organizations that remediate primarily based on risk scoring, using CVSSv3 may cause a
considerably higher workload as they have to remediate many more vulnerabilities than if they were to use the
prior version.

What Did Vulnerabilities Look Like So Far in 2019?

The access required for exploiting vulnerabilities did not change much between 2018 and 2019. The major takeaway is that a majority of disclosed vulnerabilities have a remote vector (53%) or context-dependent vector (27%), such as requiring a user to click on a malicious URL or file.

Yet again, this reinforces the need for strong perimeter security technologies that are based on even stronger vulnerability intelligence.

Figure 7: Location of vulnerabilities disclosed by Q2 in 2019 and 2018.

Like every prior year, input manipulation remains the top cause for vulnerabilities. While it may seem an easy problem to tackle, summed up with “we’ll just sanitize input!”, it is often more complicated in practice. Many organizations still do not have a rigorous procedure for testing their source code for such issues despite many having an otherwise mature process.

Figure 8: Attack type of vulnerabilities disclosed by Q2 in 2019 and 2018.

Almost half of all vulnerabilities disclosed in the first half of 2019 have a straight upgrade as a solution to remediate the vulnerability, with around 20% more having some kind of patch available. Despite that, organizations still fail to upgrade at times due to simply not having a comprehensive asset inventory. For those using vulnerability scanning, as an example, if they aren’t scanning their entire IP space and using a scanner that can identify 100% of their assets, then critical devices (servers) may go unpatched. Another important point to consider: if your scanning service relies only on CVE/NVD, and most do, you know the scan will only find a subset of the actual vulnerabilities disclosed, and that assumes the scanner has a correct signature to identify the vulnerability.

Figure 9: Solution of vulnerabilities disclosed by Q2 in 2019 and 2018.

Figure 10 shows the well-known “CIA” triad of information security: Confidentiality, Integrity, and Availability. This gives us a very high-level view of the impact of the vulnerabilities disclosed. As usual, vulnerabilities impacting integrity, which range from cross-site scripting to SQL injection to remote code execution, dominate the landscape.

Figure 10: Impact of vulnerabilities disclosed by Q2 in 2019 and 2018.

There are many aspects of a disclosure that prove interesting to track, including vendor disposition, third-party involvement, coordination, and bug bounties.

Figure 11: Disclosure of vulnerabilities disclosed by Q2 in 2019 and 2018.

As organizations begin to move past the base CVSS scores to determine risk, one of the most popular aspects of a vulnerability to consider is the presence of an exploit. VulnDB breaks this out as a proof-of-concept (PoC), public exploit, private exploit, commercial exploit, if the exploit has been used in known malicious activity, and if the exploit status is unknown. With the heavy weighting toward higher risk scores, when using CVSSv3, this additional metric gives another way for organizations to better prioritize remediation.

Figure 12: Exploit of vulnerabilities disclosed by Q2 in 2019 and 2018.

Table 1 aims to show the levels of correlation between two classifications of a vulnerability. It can be read as follows: what’s the probability of the classification in the row (blue in the original) being true, given that the classification in the column (green in the original) is true? As a trivial example, the probability of a vulnerability being Remotely exploitable, given that it is known to be Remotely exploitable, is 100% and colored darkest. More interestingly, the probability that a vulnerability will be Context Dependent, for example, when we know it is Web related is 28%. Conversely, the probability that a vulnerability will be Web related given that we know it’s Context Dependent is about twice as much (54%). In this way, knowing that a vulnerability is Context Dependent means it’s more likely than not Web related, but the same can’t be said of a vulnerability we know only to be Web related. In that case, it’s very likely to be Remote and just as likely to involve Authentication as to be Context Dependent.

            Remote   Auth.   Un-auth.   Mobile   Local   C/D    Physical   Web
Remote       100%     59%      23%       20%      1%     0%       0%      72%
Auth.         35%    100%       0%       59%     96%     0%       7%      24%
Un-auth.      30%      0%     100%       41%      4%     1%      18%       1%
Mobile         1%      6%       2%      100%     13%     1%      18%       1%
Local          0%     42%       1%       56%    100%     0%       0%       0%
C/D            0%      0%      41%       11%      0%   100%       0%      28%
Physical       0%      0%       1%        5%      0%     0%     100%       0%
Web           75%     43%      59%       11%      1%    54%       0%     100%

Table 1: Probability of a classification in the row being true of a vulnerability, given that the classification in the column is true of that vulnerability, by mid-year 2019 (C/D = Context Dependent).

In some cases, as in the relationship between Remotely exploitable and Unauthenticated vulnerabilities, one is
equally likely to be true given that the other is known to be true. In another case, we can be very sure that an
issue would require Authentication if it can only be exploited Locally, but an issue known to require
Authentication is only 42% likely to be only Locally exploitable. We can't presume to know everything about
your organization's vulnerabilities, but you can make assumptions about them based on what you do know and
act accordingly.
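The way Table 1 is read, as an added worked example (Python; not from the report or from VulnDB): `conditional_matrix` computes P(row | column) from a constructed set of tagged vulnerability records, and `implied_count_ratio` / `base_rate_gap` use Bayes’ rule to cross-check the published cells against the Key Findings base rates (Web 54.5%, Remote 53%, Context Dependent 27%). The sample records, function names and tolerances are assumptions made for the illustration.

```python
from collections import Counter
from itertools import product

# Classification labels exactly as they head the rows and columns of Table 1.
LABELS = ["Remote", "Auth.", "Un-auth.", "Mobile", "Local", "C/D", "Physical", "Web"]

# Constructed sample records (not VulnDB data): the set of classifications
# applied to each of eight hypothetical vulnerabilities.
SAMPLE = [
    {"Remote", "Web", "Un-auth."},
    {"Remote", "Web", "Auth."},
    {"C/D", "Web", "Un-auth."},
    {"C/D", "Un-auth."},
    {"Local", "Auth."},
    {"Local", "Auth.", "Mobile"},
    {"Remote", "Un-auth."},
    {"Physical", "Mobile"},
]


def conditional_matrix(records, labels=LABELS):
    """m[row][col] = P(row | col) in percent: the share of records tagged `col`
    that are also tagged `row`. The diagonal is always 100% and the matrix is
    generally not symmetric, which is the point the report makes."""
    single = Counter()  # records carrying each tag
    joint = Counter()   # records carrying each ordered pair of tags
    for tags in records:
        single.update(tags)
        joint.update(product(tags, repeat=2))  # includes (a, a), so diag = 100%
    return {
        row: {col: (100.0 * joint[(row, col)] / single[col]) if single[col] else 0.0
              for col in labels}
        for row in labels
    }


def implied_count_ratio(matrix, a, b):
    """Bayes' rule: P(a|b) * N(b) = P(b|a) * N(a) = N(a and b), so two mirrored
    cells fix the base-count ratio N(a) / N(b) that the table never states."""
    return matrix[a][b] / matrix[b][a]


# Mirrored cells copied from the published Table 1 (row given column).
TABLE1 = {
    "C/D": {"Web": 28.0},
    "Web": {"C/D": 54.0, "Remote": 75.0},
    "Remote": {"Web": 72.0},
}

# Base rates from the report's Key Findings, as shares of all disclosures.
KEY_FINDINGS_SHARE = {"Web": 54.5, "Remote": 53.0, "C/D": 27.0}


def base_rate_gap(a, b, matrix=TABLE1, shares=KEY_FINDINGS_SHARE):
    """Difference between N(a)/N(b) implied by the matrix and the same ratio
    from the Key Findings. A small gap means the two parts of the report agree;
    they need not match exactly because each is rounded independently."""
    return abs(implied_count_ratio(matrix, a, b) - shares[a] / shares[b])


if __name__ == "__main__":
    m = conditional_matrix(SAMPLE)
    print(f"P(Web | C/D) = {m['Web']['C/D']:.1f}%, P(C/D | Web) = {m['C/D']['Web']:.1f}%")
    print(f"Web:C/D ratio implied by Table 1 = {implied_count_ratio(TABLE1, 'Web', 'C/D'):.2f}")
    print(f"gap vs Key Findings: {base_rate_gap('Web', 'C/D'):.2f} (Web/C/D), "
          f"{base_rate_gap('Web', 'Remote'):.2f} (Web/Remote)")
```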



Top Vendors & Vulnerabilities in the 1st Six Months

Name                                               Rank  Vuln Count  Severity  Old Rank  Old Count  Old Sev.
Software in the Public Interest (Debian and more)    1      602        6.13       4        677       6.06
SUSE                                                 2      562        6.05       2        847       5.91
Oracle Corporation                                   3      533        5.77       3        777       6.06
IBM                                                  4      507        5.33       7        615       5.54
Microsoft                                            5      468        6.18       9        425       5.86
Canonical (Ubuntu)                                   6      443        6.18       6        634       6.29
Google                                               7      347        6.78       1        910       7.2
Red Hat                                              8      341        5.95       5        649       5.83
Cisco                                                9      335        5.99     > 10       274       6.09
Adobe                                               10      227        7.14     > 10       154       6.91

Table 2: Top ten vendors for this year, as well as how their standings compare to last year, by mid-year 2019.

Name               Date     Severity  # of Products Affected  Description
RAMBleed           6/11/19    2.1        3    DDR3 / DDR4 SDRAM Memory Page Bit-flip Handling Side-channel Local Memory Disclosure
BlueKeep           5/14/19   10.0       95    Microsoft Windows Remote Desktop Services RDP Connection Request Handling Remote Code Execution
Thrangrycat        5/13/19    6.2       25    Cisco Multiple Products FPGA On-premise Update Improper Code Check Local Secure Boot Bypass Weakness
RIDL / Fallout     4/29/19    2.1      341    Intel Multiple Processors Speculative Execution Functionality Microarchitectural Store Buffer Data Sampling (MSBDS) Local Kernel Information Disclosure
RIDL               4/29/19    2.1      341    Intel Multiple Processors Speculative Execution Functionality Microarchitectural Load Port Data Sampling (MLPDS) Local Kernel Information Disclosure
RIDL               5/14/19    1.2      341    Intel Multiple Processors Speculative Execution Functionality Microarchitectural Data Sampling Uncacheable Memory (MDSUM) Local Kernel Information Disclosure Weakness
RIDL / ZombieLoad  4/29/19    2.1      380    Intel Multiple Processors Speculative Execution Functionality Microarchitectural Fill Buffer Data Sampling (MFBDS) Local Kernel Information Disclosure
10KBLAZE           4/23/19   10.0        9    SAP Multiple Products Insecure Configuration Unauthorized Remote Access Weakness
SPOILER            3/1/19     4.3        1    Intel Core Processors Speculative Load Dependency Resolution Logic Side-channel Attack Arbitrary Cache Memory Disclosure

Table 3: All named/notable vulnerabilities that were disclosed in the first half of 2019.



The top ten vendors account for 4,365 vulnerabilities in the first half of 2019, just under 40% of the total. While
their vulnerability count ranges between 602 and 227, the average severity falls in the same two point range
(5.5 – 7.5). Despite these numbers above, there is a disparity between some of these vendors; Microsoft and
Apple predominantly disclose issues in their native operating systems, while Software in the Public Interest (e.g.
Debian), Canonical (e.g. Ubuntu), and Red Hat ship operating systems with a significant base of third-party
software that contribute heavily to their vulnerability counts. In this time period the Linux Kernel, shared by all
three operating systems, accounted for 68 vulnerabilities.

The first half of 2019 gave us nine high-profile “named” vulnerabilities. Despite the naming and hype behind some of them, the severity and risk are rather low. Over half of the named vulnerabilities have a CVSSv2 score under 3.0. In contrast, two of these vulnerabilities have a score of 10.0, meaning full remote code execution without user interaction is possible. This is a great reminder that news cycles and hype don’t mean the vulnerability is critical, and that those news cycles may distract us from other higher risk vulnerabilities disclosed the same day.

Closing Thoughts

“One of our clients operates nuclear power plants, while another writes
software used on a majority of desktops. The diversity in these two clients
and the software or hardware that is important to them is eye-opening.”

In the eight years RBS has been operating, our own database has evolved as we collaborate with our clients to
better understand what software is critical to them. As you can imagine, not all organizations have the same
concerns!

Vulnerability intelligence isn’t about collecting random disclosures and turning a blind eye to those who use it. It
is about collecting as many vulnerability reports as possible, and working with those who use that information
to better support their individual needs. We are thankful to our clients who take the time to share their stories
and needs, so we can better assist them.

CVE: Mission vs. Expectations

One of the fundamental objectives of VulnDB is to expand our search methods and collect as many
vulnerabilities as possible, to provide our clients with the most comprehensive vulnerability intelligence
available, allowing them to determine which vulnerabilities are important to their organization.

While we maintain a curated list of over 3,000 sources that are monitored on an hourly, daily and weekly basis,
new sources are discovered and/or are brought to our attention every day. CVE on the other hand, issues CVE
IDs when requested by a vendor or researcher. Their mission is not to search for vulnerabilities like a
vulnerability intelligence company. Rather, they are charged with assigning IDs and keeping minimal records.
Why then do organizations, scanning companies, risk platforms, and security service providers continue to use
CVE/NVD as a vulnerability intelligence service and continue to insist that it is “good enough”? Who is best
served by this approach? Certainly not those organizations, government agencies and consumers victimized by
the increasing number of data breaches from exploited software vulnerabilities.



Methodology & Terms
VulnDB is derived from a proprietary search engine and daily analysis of thousands of vulnerability sources.
Unlike some vulnerability database providers, Risk Based Security is constantly searching for and adding new
sources.

VulnDB counts only distinct vulnerabilities. Products sharing the same vulnerable codebase are considered only
one unique vulnerability. We do not consider vulnerabilities that affect multiple products as unique
vulnerabilities as some vulnerability databases do. To be clear, a vulnerability in a third-party library such as
OpenSSL is treated as one vulnerability within VulnDB. While additional products known to leverage OpenSSL
will be documented as affected by that vulnerability, the multiple products using and integrating that code do
not constitute additional unique vulnerabilities, and are not included in any VulnDB counts.

About Risk Based Security


Risk Based Security (RBS) provides detailed information and analysis on Vulnerability Intelligence, Vendor Risk
Ratings, and Data Breaches. Our products, VulnDB, Cyber Risk Analytics (CRA) and YourCISO, provide
organizations access to the most comprehensive threat intelligence knowledge bases available, including
advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the
right actions in a timely manner.

For more information, visit www.riskbasedsecurity.com or call +1 855-RBS-RISK.

About VulnDB
VulnDB is the world’s most comprehensive, detailed and timely source of vulnerability intelligence and third-
party library monitoring. It provides actionable intelligence about the latest in security vulnerabilities through
an easy-to-use SaaS portal, RESTful APIs, and e-mail alerting. Leveraging VulnDB is simpler than ever with our
connectors to Splunk, RSA Archer, ServiceNow, GitHub, Polarity, Brinqa, Device42, Recorded Future, and more.

For more information, visit vulndb.cyberriskanalytics.com or call +1 855-RBS-RISK.

No Warranty
Risk Based Security, Inc. makes this report available on an “As-is” basis and offers no warranty as to its accuracy,
completeness or that it includes all the latest vulnerabilities. The information contained in this report is general
in nature and should not be used to address specific security issues. Opinions and conclusions presented
reflect judgment at the time of publication and are subject to change without notice. Any use of the information
contained in this report is solely at the risk of the user. Risk Based Security, Inc. assumes no responsibility for
errors, omissions, or damages resulting from the use of or reliance on the information herein. If you have
specific security concerns please contact Risk Based Security, Inc. for more detailed data loss analysis and
security consulting services.
