More Than 22,000 Vulnerabilities Disclosed In 2018
Risk Based Security today announced the publication of its 2018 Year End Vulnerability QuickView Report, showing over 22,000 new vulnerabilities were disclosed during the year. While approximately 33% of published vulnerabilities received a CVSSv2 score of 7 or above, the number of vulnerabilities scoring 9 or above declined for the third year in a row.
The report confirms that CVE/National Vulnerability Database (NVD) continues to face challenges keeping up with the relentless pace of new disclosures. The VulnDB research team at Risk Based Security (RBS) catalogued 6,780 more vulnerabilities than CVE/NVD. This is notable as it represents nearly 31% of all the vulnerabilities published in 2018.
RBS VP of Vulnerability Intelligence, Brian Martin advises, “Companies can’t afford to miss almost a third of vulnerabilities each year. It is time to move from a ‘good enough’ mentality and toward the paradigm of ‘Better Data Matters’ that Risk Based Security and its VulnDB research is built upon. Missing 31% is unacceptable in today’s cyber landscape, especially when tools are available to prevent it.”
Of the 6,780 vulnerabilities not published by CVE/NVD, 45.5% have a CVSSv2 score between 7.0 and 10.0, and 13.6% scored between 9.0 and 10.0. This once again calls attention to the importance of having a comprehensive view into vulnerability activity. Martin added, “No organization can afford to ignore a single vulnerability ranked between a 7 and 10, let alone over 3,000 of them!” These vulnerabilities cover a wide variety of software, including web browsers, enterprise tools, and third-party libraries that impact hundreds or thousands of software packages.
The most significant vulnerability attack type for 2018 is Input Manipulation. “68.7% of the disclosed vulnerabilities are due to insufficient or improper input validation,” expounds Martin. “While a lot of vulnerabilities fall under this umbrella, including cross-site scripting, SQL injection, shell command injection, and buffer overflows, it underlines that software developers still struggle to carefully validate untrusted input. Having a mature SDL that includes secure coding practices can iron out many such issues and significantly reduce the threat from attackers.”
The Vulnerability QuickView report also shows that 32.7% of 2018’s vulnerabilities have public exploits and 50.5% can be exploited remotely, meaning that few of the reported vulnerabilities require any kind of physical proximity to a system or device in order to be exploited. Another revealing finding is that 27.1% of vulnerabilities had no known solution, which unfortunately is up 5% from 2017 based on current data. And for those following the hot topic of bug bounty programs, almost 8% of vulnerabilities were coordinated through bug bounty programs, a solid increase from the 5.8% of last year.
Notably, SCADA vulnerabilities are on the rise: 3.5% of 2018 vulnerabilities were classified as SCADA vulnerabilities, double the share of last year. The report notes that this will be an area to keep an eye on as more SCADA systems are made internet accessible for convenience without full recognition of the safety risks and ramifications.
About the Vulnerability QuickView Report
Because RBS believes that the ability to properly apply vulnerability data is vital to business decision-making processes, the VulnDB QuickView report is created through extensive research conducted by Risk Based Security’s VulnDB team. It is designed to provide an executive-level summary of the key findings from RBS’ analysis of vulnerabilities disclosed in 2018. Contact Risk Based Security for any specific analysis of the 2018 vulnerabilities.
Get your copy of the 2018 Year End Vulnerability QuickView report here
Digital Transformation & Risk Mgt. Leader, Master Inventor, Lawyer (5 years ago):
Yes, some great information. To give more context and as an aid to prioritization, I would want to see analysis of the number of records disclosed against the vulnerability ratings.
Mid-Atlantic Regional Manager (5 years ago):
Some great information, like... the report shows that 32.7% of 2018’s vulnerabilities have public exploits and 50.5% can be exploited remotely?