Heimdal
article featured image

Contents:

In analyzing the threatscape, regardless of the chosen timeframe, the unequivocal conclusion we face is that the reactionary dynamic between defender and threat actor compels each other to transform, evolve, and, ultimately, face one another on a different type of battlefield. Defenders now have to oppose and repel increasingly complex malware, imbued with malicious code which is more viral, easy to produce (and reproduce), and capable of inflicting crippling damage all across the grid.

This clash between the defender and the attacker becomes increasingly visible when scrutinizing the public sector An  assessment by UK Council’s study on the cyber threat status suggests that city councils all across the United Kingdom have witnessed a steep increase in cyber-attacks, with some regions, such as Sefton, combating up to 30,000 cyber-threats each month.

Based on the indicators, we are looking at a 50% YoY increase in attacks, the bulk of which abuse outdated, unsecured, or legacy software. Denmark is also facing its own cybersecurity crisis; although being deemed one of the most cyber-secure countries in the world, it’s still confronted with numerous challenges, some of which are not necessarily related to the public sector. Denmark’s Centre for Cybersecurity endeavored to create a taxonomy of all (cyber) threats that can potentially endanger the country. Among the threats that received the “Very High” were cyber-espionage and “well-organized” APTs acting from without and within the country to target and undermine various societal levels.

Taking into consideration the characteristics and nuances of how the threatscape has evolved in both geographical regions, Heimdal® has begun a private investigation to determine whether or not municipalities have gone up the hitlist or if this is conjectural or based on seasonality.

Investigative Methodology & Findings

Our investigation’s starting point revolved around the following claim – third-party software is, in general, much more prone to exploitation and, implicitly, more vulnerable compared to OS-centric software. However, in spite of severity and volume, our data (i.e., correlated with open-source threat intelligence) has revealed that vulnerabilities endemic to third-party applications have a less severe impact across all five security areas (i.e., confidentiality, integrity, availability, authenticity, and non-repudiation) compared to OS-associated vulnerabilities.

Operating under this assumption, Heimdal®’s SOC team has proceeded to probe the extracted data.

Insofar, Heimdal®’s investigation has uncovered the following facts – although there is significant percentile difference between identified Operating System-related vulnerabilities and those associated with Heimdal®-monitored third-party application, our data suggests that the OS flaws rated the 8 to 10 CVSS scale (i.e. High to Critical) have a more powerful impact on business operations (compared to 3rd-party app vulnerabilities), potentially jeopardizing continuity. Subsequently, we can surmise that OS vulnerabilities carry a higher computed risk score.

Furthermore, the same dataset has revealed that throughout the queried time-frame, the incidence rate for OS vulnerabilities is 670 per 1000 (i.e., for every 1,000 discovered vulnerabilities, 670 of them are Operating System related) and 329.35 per 100 for 3rd-party-related flaws (i.e., for every 1,000 discovered flaws, 329.35 of them are related to third-party applications). The results have been represented in the graph below.

We’ve also computed trend distribution of 3rd party and OS vulnerabilities based on CVSS scores. Our findings are enclosed in the graph below.

Risk assessment scores* (i.e., computed by factoring in attack vectors used for each vulnerability bracket, average detection time, average remediation time, costs vs benefits vs business impact) when comparing OS vulnerabilities to third-party vulnerabilities are as follows.

CVSS score Risk Score
101.977843
9 – 9.8 0.133054
8 – 8.80.354871
7 – 7.8 1.400114

*Risk score metric ∈ [0,2] interval, where 0 signifies negligible impact across all business environment and 2 signifies critical impact, scoring associated with high infiltration potential, data breach, data loss and/or destruction.

Vulnerability Management

Another dimension we’ve inspected was CVSS distribution per unit (i.e. both OS-centric and 3rd party patches shall be considered statistical units.

Our statistical analysis performed on the third-party patching workflow has revealed that a staggering 1.5% of all third-party vulnerabilities patched within the last 3 months carried a CVSS score between 7 (i.e., High) and 10 (i.e. Critical). All vulnerabilities were related to (third-party) drivers, definitions, and security updates. A drill-down of the high-scoring defects reveals the following facts.

  • 5% of vulnerable 3rd party apps carried a CVSS 8.1 – 8.8 (i.e. High)
  • 17% of vulnerable 3rd party apps carried a CVSS 7.1 – 7.8 (i.e. High)
  • 50% of all detected third-party vulnerabilities were Critical (i.e. CVSS between 9.1 and 10).

The 3rd party vulnerability distribution can be reviewed in the graph below.

Technical Analysis of 3rd Party and OS Vulnerabilities

Heimdal®’s SOC team has performed a technical analysis on the identified vulnerabilities over the reference period, but also factoring in historical data. Our findings have been summarized below.


3rd Party Vulnerabilities


Our methodology involves extracting and analyzing data vulnerabilities with a CVSS score higher than 7 (i.e., High).

Vulnerabilities with a CVSS of 10

Application NameCVECVSS
Adobe Acrobat Reader (French)CVE-2014-056610
Adobe Acrobat Reader (Norsk)CVE-2014-056610
Adobe Acrobat Reader (Svenska)CVE-2014-056610
Adobe Acrobat Reader MUICVE-2018-487210
Adobe Acrobat XI Pro (Update only)CVE-2020-374210
Adobe Flash Player ActiveXCVE-2019-806910
Adobe Flash Player NPAPICVE-2019-806910
Adobe Flash Player PPAPICVE-2020-963310
Adobe ReaderCVE-2016-103810
Adobe Reader XI MUICVE-2016-103810
FirefoxCVE-2021-3850310
Firefox DA x64CVE-2021-3850310
Firefox x64CVE-2021-3850310
Mozilla Firefox DA x64CVE-2021-3850310
Mozilla Firefox DA x86CVE-2018-1850510
Mozilla Firefox DE x86CVE-2021-3850310
Mozilla Firefox EN x86CVE-2018-1850510
Mozilla Firefox ES x64CVE-2020-1239510
Mozilla Firefox ES x86CVE-2021-3850310
Mozilla Firefox ESR x64CVE-2021-3850310
Mozilla Firefox ESR x86CVE-2018-1850510
Mozilla Firefox x64CVE-2021-3850310
Mozilla Firefox x86CVE-2021-3850310
Mozilla Thunderbird x86CVE-2018-1850510
ThunderbirdCVE-2021-3850310

CVE-2014-0566 – Adobe Acrobat Reader (French, Norsk, and Svenska)

Classified as a denial of service, RCE (i.e., Remote Code Execution), overflow, and memory corruption vulnerability, CVE-2014-0566 would potentially allow threat actors to use an idiopathic attack vector in order to cause a denial of service (i.e., memory corruption) or execute arbitrary code on the victim’s machine. The vulnerability affects machines running Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X.

Additional information (via CVE Details)

  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
  • Access Complexity: Low
  • Authentication: Not required
  • Gained Access: None

Adobe Acrobat Reader MUI – CVE-2018-4872

Classified as a security bypass vulnerability, CVE-2018-4872 could potentially allow an attacker to bypass safeguards (e.g. sandbox environments) via a defect pertaining to a cross call process. This vulnerability affects machines running Adobe Acrobat Reader 2018.009.20050 and earlier versions, 2017.011.30070 and earlier versions, 2015.006.30394 and earlier versions.

Additional information (via CVE Details)

  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
  • Access Complexity: Low
  • Authentication: Not required
  • Gained Access: None

Adobe Acrobat XI Pro (Update only) – CVE-2020-3742

Classified as a execute code vulnerability, CVE-2020-3742 allows an attacker to execute arbitrary code on the victim’s machine by leveraging a heap overflow bug. CVE-2020-3742 affects machines running Adobe Acrobat and Reader versions, 2019.021.20061 and earlier, 2017.011.30156 and earlier, 2017.011.30156 and earlier, and 2015.006.30508 and earlier.

Additional information (via CVE Details)

  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
  • Access Complexity: Low
  • Authentication: Not required
  • Gained Access: None

CVE-2019-8069 – Adobe Flash Player ActiveX & Adobe Flash Player NPAPI

Classified as code execution vulnerability, CVE-2019-8069 may be leveraged by a threat actor to run arbitrary code on the victim’s machine by exploiting a Same Origin Method Execution Vulnerability. Furthermore, the defect potentially allows the attacker to execute malicious code in the context of the current user. CVE-2019-8069 affects machines running Adobe Flash Player 32.0.0.238 and earlier versions, 32.0.0.207 and earlier.

Additional information (via CVE Details)

  • Confidentiality Impact: Complete
  • Integrity Impact: Complete
  • Availability Impact: Complete
  • Access Complexity: Low
  • Authentication: Not required
  • Gained Access: None

Adobe Flash Player PPAPI – CVE-2020-9633

A code execution vulnerability that allows an attacker to run arbitrary code on the victim’s machine. CVE-2020-9633 affects clients running Adobe Flash Player Desktop Runtime 32.0.0.371 and earlier, Adobe Flash Player for Google Chrome 32.0.0.371 and earlier, and Adobe Flash Player for Microsoft Edge and Internet Explorer 32.0.0.330 (i.e. usually abused with the use-after-free defect).

Additional information (via CVE Details)

  • Confidentiality Impact: Complete
  • Integrity Impact : Complete
  • Availability Impact: Complete
  • Access Complexity: Low
  • Authentication: Not required

CVE-2016-1038 – Adobe Reader & Adobe Reader XI MUI 

Classified as a restriction bypass vulnerability, CVE-2016-1038 allows a threat actor to circumvent restrictions associated with JavaScript API execution(s). This vulnerability affects Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 (i.e., Windows and Mac OSX).

Additional information (via CVE Details)

  • Confidentiality Impact: Complete
  • Integrity Impact : Complete
  • Availability Impact: Complete
  • Access Complexity: Low
  • Authentication: Not required
  • Gained Access: None

CVE-2021-38503 – Mozilla Firefox DE x86, Mozilla Firefox ES x86, Mozilla Firefox ESR x64, Mozilla Firefox x64, Mozilla Firefox x86, Thunderbird

Catalogued as restriction bypass vulnerability, CVE-2021-38503 allows the threat actor to circumvent restrictions (i.e., navigating top-level frames or script execution) by leveraging a subpar iframe sandbox ruling implement in the XSLT stylesheets.

Additional Information (via CVE Details)

  • Confidentiality Impact: Partial
  • Availability Impact: Partial
  • Access Complexity: Low
  • Authentication: Not required
  • Gained Access: None

Prevalent vulnerabilities with a CVSS between 9.6 and 9.8

Application NameCVECVSS
Google Chrome x64CVE-2022-38909.6
Google Chrome x86CVE-2022-38909.6
Adobe ShockwaveCVE-2019-71049.8
Chrome x64CVE-2022-25879.8
Everything x64CVE-2016-109179.8
Everything x86CVE-2016-109179.8
Foxit PDF ReaderCVE-2020-265349.8
Mozilla Thunderbird x64CVE-2022-468829.8
Paint.Net x64CVE-2018-184469.8
Paint.Net x86CVE-2018-184469.8
PidginCVE-2017-26409.8
TeamViewer 10CVE-2018-165509.8
TeamViewer 10 HostCVE-2018-165509.8
TeamViewer 11CVE-2018-165509.8
TeamViewer 11 HostCVE-2018-165509.8
TeamViewer 12CVE-2018-165509.8
TeamViewer 12 HostCVE-2018-165509.8
TeamViewer 13CVE-2018-165509.8
VLC x64CVE-2019-128749.8
VLC x86CVE-2019-128749.8
WinSCPCVE-2020-288649.8

CVE-2016-10917 – Everything x86 & Everything x64

Classified as an SQL injection vulnerability, CVE-2016-10917 affects the Everything WordPress plugin, potentially allowing a threat actor to read, write or commit any changes to the SQL database.

Additional information (via Mitre)

  • Confidentiality: Read Application Data
  • Access Control: Bypass Protection Mechanism
  • Access Control: Bypass Protection Mechanism
  • Integrity: Modify Application Data

CVE-2017-2640 – Pidgin

Classified as a code execution vulnerability, CVE-2017-2640 would potentially allow a threat actor to execute arbitrary code in Pidgin or trigger a Denial of Service by leveraging an out-of-bounds write flaw for XML content.

CVE-2018-16550 – TeamViewer 10 Host,TeamViewer 11, TeamViewer 12, TeamViewer 13, TeamViewer 12 Host, TeamViewer 11 Host, TeamViewer 10

A vulnerable TeamViewer component allows the threat actor to circumvent the app’s brute-force authentication safeguard. With cancelling the final auth step, the threat actor could extract the user’s 4-digit PIN.

Additional information (via Mitre)

Integrity & Availability: Modify Memory; DoS: Crash, Exit, or Restart; Execute Unauthorized Code or Commands

CVE-2018-18446 – Paint.Net x64 & Paint.Net x86

Catalogued as a deserialization vulnerability, CVE-2018-18446 allows the threat actor to validate untrusted data.

Additional Information (via Mitre)

  • Integrity: Modify Application Data; Unexpected State
  • Availability DoS: Resource Consumption (CPU)

CVE-2019-12874 – VLC x86 & VLC x64     

An explotaitable flaw in the zlib_decompress_extra (i.e.m modules/demux/mkv/util.cpp in VLC media player 3.x through 3.0.7 leading to a double-free vulnerability.

Additional information (via MITRE)

Integrity & Confidentiality & Availability: Modify Memory; Execute Unauthorized Code or Commands

Prevalent Vulnerabilities with a CVSS between 7.1 and 8.8

Application NameCVECVSS
Zoom Outlook PluginCVE-2022-369287.1
Adobe Acrobat Reader 2020 MUICVE-2020-97237.5
Calibre x64CVE-2021-446867.5
Calibre x86CVE-2021-446867.5
TortoiseSVN x64CVE-2021-216987.5
TortoiseSVN x86CVE-2021-216987.5
Wireshark x32CVE-2022-37257.5
Wireshark x64CVE-2022-37257.5
7-zip x64CVE-2022-290727.8
7-zip x86CVE-2022-290727.8
Adobe Acrobat PRO 2017CVE-2020-244297.8
Adobe Acrobat ReaderCVE-2022-384507.8
Adobe Acrobat Reader - DanskCVE-2022-356657.8
Adobe Acrobat Reader 2017CVE-2020-244297.8
Adobe Acrobat Reader DCCVE-2022-384507.8
Adobe Acrobat Reader DC DACVE-2022-384507.8
Adobe Acrobat Reader DC MUICVE-2022-384507.8
Adobe Acrobat Reader DC SECVE-2022-356657.8
AudacityCVE-2017-10000107.8
GimpCVE-2021-454637.8
IrfanView x64CVE-2019-168877.8
IrfanView x86CVE-2019-132427.8
Lenovo System UpdateCVE-2019-61757.8
Mozilla Firefox SE x64CVE-2022-454157.8
TeamViewer 15CVE-2021-348587.8
TeamViewer 15 HostCVE-2021-348587.8
VNC ServerCVE-2022-419757.8
WinRar x64CVE-2018-202507.8
WinRar x86CVE-2018-202507.8
PuTTY x64CVE-2021-363678.1
PuTTY x86CVE-2021-363678.1
Docker DesktopCVE-2019-57368.6
Git x64CVE-2022-368828.8
Git x86CVE-2022-368828.8
iTunes x64CVE-2020-99478.8
iTunes x86CVE-2020-99478.8
Libre OfficeCVE-2021-256318.8
Mozilla Firefox DE x64CVE-2021-435378.8
Mozilla Firefox EN x64CVE-2021-305478.8
Oracle VM VirtualBoxCVE-2022-394278.8
TeamViewer 13 HostCVE-2020-136998.8
TeamViewer 14CVE-2020-136998.8
TeamViewer 14 HostCVE-2020-136998.8
TeamViewer 15 x86CVE-2020-136998.8

CVE-2022-29072 – 7-zip x64 & 7-zip x86

A misconfiguration in 7zip’s DLLs can potentially be leveraged by a threat actor to achieve privilege escalation and/or execute arbitrary code on the victim’s machine. The vulnerability occurs each time a file with the .7z extension is dragged to the app’s Contents area, under the Help menu.

Additional information (via MITRE)

Integrity & Availability: Modify Memory; DoS: Crash, Exit, or Restart; Execute Unauthorized Code or Commands.

CVE-2021-44686 – Calibre x64 & Calibre x86

A faulty regular expression bug in Calibre allows the attacker to trigger a Regular Expression Denial of Service.

Additional information (via MITRE)

  • Availability: DoS: Crash, Exit, or Restart; DoS: Resource Consumption (CPU); DoS: Resource Consumption (Memory); DoS: Resource Consumption (Other)
  • Access Control: Protection Mechanism; Other

CVE-2019-6175 – Lenovo System Update             

A Denial of Service (i.e., DoS) vulnerability allows the attacker to write configuration files in non-standard places.

CVE-2021-25631 – Libre Office

Classified as an Incomplete lists of disallowed inputs vulnerability, CVE-2021-25631 can potentially allow the threat actor to bypass Libra Office’s denylist via link manipulation.

Additional information (via MITRE)

Access Control: Bypass Protection Mechanism

CVE-2022-3725 – Wireshark x32 & Wireshark x64            

A defect in Wireshark’s OPUS protocol dissector can permit an attacker to stage a Denial of Service attack on the victim’s machine via crafted files and/or packet injection.

Additional information (via MITRE)

Integrity &Availability: Modify Memory; DoS: Crash, Exit, or Restart; Execute Unauthorized Code or Commands


OS Vulnerabilities


Our methodology involves extracting and analyzing data vulnerabilities with a CVSS score higher than 7.

Vulnerabilities with a CVSS of 10

CVE-2013-1330 – MAC disabled vulnerability in Microsoft SharePoint and Microsoft Exchange Server. For additional information, click on the enclosed link. A threat actor can potentially leverage the unassigned Mac disabled vulnerability in order to execute arbitrary code on the victim’s machine.

Prevalent vulnerabilities with a CVSS between 9 and 9.8

CVECVSS
CVE-2008-54169
CVE-2014-02519
CVE-2014-02519
CVE-2022-380459.1
CVE-2006-13119.3
CVE-2007-00999.3
CVE-2007-02169.3
CVE-2007-09409.3
CVE-2007-17479.3
CVE-2007-17569.3
CVE-2007-22239.3
CVE-2008-01209.3
CVE-2008-10919.3
CVE-2008-37049.3
CVE-2009-01029.3
CVE-2009-02209.3
CVE-2009-05629.3
CVE-2009-09019.3
CVE-2009-25009.3
CVE-2009-25069.3
CVE-2009-31279.3
CVE-2010-02669.3
CVE-2010-08149.3
CVE-2010-08159.3
CVE-2010-25699.3
CVE-2010-27389.3
CVE-2010-27479.3
CVE-2010-31909.3
CVE-2011-06559.3
CVE-2011-12699.3
CVE-2011-19809.3
CVE-2011-19869.3
CVE-2011-34029.3
CVE-2011-34179.3
CVE-2012-00029.3
CVE-2012-01779.3
CVE-2012-25509.3
CVE-2013-00069.3
CVE-2013-13029.3
CVE-2013-13159.3
CVE-2013-31559.3
CVE-2014-03259.3
CVE-2014-17579.3
CVE-2014-17599.3
CVE-2014-63649.3
CVE-2015-00859.3
CVE-2015-16719.3
CVE-2015-25039.3
CVE-2020-12089.3
CVE-2020-14499.3
CVE-2022-22012
CVE-2022-410809.8
CVE-2023-216899.8
CVE-2023-217089.8
CVE-2023-218039.8
CVE-2023-233979.8
CVE-2021-284769.9

Prevalent vulnerabilities with a CVSS between 8 and 8.8

CVECVSS
CVE-2022-219808
CVE-2015-17638.5
CVE-2016-72498.8
CVE-2017-02838.8
CVE-2018-08048.8
CVE-2018-08528.8
CVE-2018-83118.8
CVE-2018-85018.8
CVE-2019-05858.8
CVE-2019-08888.8
CVE-2019-10688.8
CVE-2020-07608.8
CVE-2021-16368.8
CVE-2021-17078.8
CVE-2021-284558.8
CVE-2022-357778.8
CVE-2022-410368.8
CVE-2022-410628.8
CVE-2022-410898.8
CVE-2022-411288.8
CVE-2023-217058.8

Prevalent Vulnerabilities with a CVSS between 7 and 7.8

CVECVSS
CVE-2012-01787.2
CVE-2022-336317.3
CVE-2022-336317.3
CVE-2022-336317.3
CVE-2022-336317.3
CVE-2016-33787.4
CVE-2017-85167.5
CVE-2017-85167.5
CVE-2022-232677.5
CVE-2022-291437.5
CVE-2022-380137.5
CVE-2023-215387.5
CVE-2006-61337.6
CVE-2013-00057.8
CVE-2016-00217.8
CVE-2016-32357.8
CVE-2016-33137.8
CVE-2017-87257.8
CVE-2017-87427.8
CVE-2018-07487.8
CVE-2018-10277.8
CVE-2018-10297.8
CVE-2018-81727.8
CVE-2020-15827.8
CVE-2020-168567.8
CVE-2020-170197.8
CVE-2021-268577.8
CVE-2021-270567.8
CVE-2021-270567.8
CVE-2021-284497.8
CVE-2021-284527.8
CVE-2021-284537.8
CVE-2021-319417.8
CVE-2021-319497.8
CVE-2021-404867.8
CVE-2022-269297.8
CVE-2022-358207.8
CVE-2022-380107.8
CVE-2022-380487.8
CVE-2022-410327.8
CVE-2022-410617.8
CVE-2023-218087.8

Results

  • 4% of OS vulnerabilities had a CVSS of 10.
  • 26% of OS vulnerabilities had a CVSS between 9 and 9.9.
  • 32% of OS vulnerabilities had a CVSS rating between 7.2 and 8.8.

How can Heimdal® Help?

Organizations tend to rely on manual patching in order to deploy all relevant improvement-carrying packages. However, things tend to change a bit when you’re in the shoes of an IT admin catering to the needs of hundreds of users. The best way around this issue is, of course, automated patching.

If configured correctly, an automatic patching solution can ensure timely (and correct) deployment and a low risk of incompatibility. Heimdal®’s Patch & Asset Management can aid you in quickly distributing your patches, regardless if they are OS-specific, 3rd party, proprietary, or UX/UI-oriented.

Conclusion

To surmise, Heimdal®’s investigation into patching workflows, behaviors, and distribution has discovered the following facts:

  • 5% of vulnerable 3rd party apps carried a CVSS 8.1 – 8.8 (i.e. High)
  • 17% of vulnerable 3rd party apps carried a CVSS 7.1 – 7.8 (i.e. High)
  • 50% of all detected third-party vulnerabilities were Critical (i.e. CVSS between 9.1 and 10).
  • 4% of OS vulnerabilities had a CVSS of 10.
  • 26% of OS vulnerabilities had a CVSS between 9 and 9.9.
  • 32% of OS vulnerabilities had a CVSS rating between 7.2 and 8.8.
Author Profile

Vladimir Unterfingher

Senior PR & Communications Officer

Experienced blogger with a strong focus on technology, currently advancing towards a career in IT Security Analysis. I possess a keen interest in exploring and understanding the intricacies of malware, Advanced Persistent Threats (APTs), and various cybersecurity challenges. My dedication to continuous learning fuels my passion for delving into the complexities of the cyber world.

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE