New Age Scanners - A Paradigm Shift

New Age Scanners cut out the need to rely on manual plugins.


Biases and delays in detecting vulnerabilities with contemporary scanning techniques have led to new age scanners. The time for an "AI driven universal scanner" that can check for any new vulnerability without ever needing a plugin has not only arrived but is here to stay.

The Mirth Connect Case Study

On October 26, 2023 an unauthenticated remote code execution was reported in a lesser known but widely used, quasi-open source application used by the healthcare industry called Mirth Connect. It was recorded as CVE-2023-43208. This came on the heels of another RCE, CVE-2023-37679, reported just a couple of months earlier in August of 2023.

Both vulnerabilities were pretty bad for the 1200+ unique installations across the world. However, Tenable's response for detecting these two vulnerabilities was very different.

Nothing really happened in August 2023 when CVE-2023-37679 was first reported. Although it was equally bad (CVSS 9.8), there was no way to detect it using Tenable or, for that matter, any of the other scanners. Perhaps Mirth Connect was deemed a less important application at the time, considering its fairly limited usage across the world.

This is not surprising, considering that scanning tools now have to track close to 100 new vulnerabilities every day! If they are expected to write plugins (detection scripts) for each one of those, they are going to (and certainly do) prioritize which of those CVEs or applications deserve a plugin.

A plugin (from Tenable; Qualys calls the equivalent a QID) is a specific script or check (written manually and packaged in a proprietary format) that assesses whether a vulnerability exists on your endpoint, device or network. As of this writing, Tenable has more than 200,000 of these, and about 84,000 of them map to detection of a single CVE. What about detecting the rest of the CVEs, you ask? We'll get to that in a bit. These plugins need to be downloaded to your scanner software (or scanning agent) on a regular basis to get the latest ones and any updates to existing ones. Scanners typically have ways to do this on a regular schedule. In addition, many of these plugins are designed only to detect certain products, services, software, configurations or vulnerabilities not tracked by CVEs.

Coming back to the Mirth Connect RCEs, the action started (at least from Tenable) on October 27th, 2023, a day after CVE-2023-43208 was published. First they published a plugin for detecting just the Mirth Connect service (and its installed version). Then, 3 days later, on October 30th, they released a plugin to detect CVE-2023-43208. The same day they also released a plugin to detect the older but equally dangerous CVE-2023-37679. Perhaps it was the buzz around CVE-2023-43208 being actively exploited that prompted them to devote a plugin to it.

The changelog for the CVE-2023-43208 plugin is interesting. It reveals that the plugin has undergone 4 revisions. All of them indicate the plugin was updated to report the latest CVSS score and exploit information. This points to the fact that a significant part of the prioritization metrics is decentralized into the plugin, which therefore needs to be updated any time those metrics change. And unless you have updated your plugins, you may not even have the latest prioritization information included in your scan results.

The Root Cause

An even bigger concern is the tight coupling of detection, assessment and (perhaps) prioritization, all tied into this single manually developed plugin which only detects one CVE!

The need to embed evolving intelligence and signals into plugins makes plugins obsolete quickly, requiring frequent plugin updates pushed into customer deployments to keep on top of attack surface exposure.


This is going to be hard to scale for the hundreds and thousands of CVEs being reported every year now. So no, Tenable or any other scanner is not going to have plugins for each and every CVE, regardless of how important it is for you. This is especially going to be a problem for lesser known apps like Mirth Connect. You are going to be at the mercy of a legacy scanning solution and its ability and willingness to provide a plugin to detect the next RCE that surfaces for Mirth Connect. Even if they do, it may be at a time that is convenient to them. And maybe that is months later (as was the case with CVE-2023-37679).
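To make the root cause concrete, here is an added example (not ThreatWorx's, Tenable's or Mirth Connect's code) of the decoupled model the article argues for: a detector reports only product and version, while affected-version ranges, CVSS and exploitation status live in a separately updated feed. The CVE ids come from the article; the version bounds, exploit flags and host inventory are constructed placeholders, not the real advisory data.

```python
from dataclasses import dataclass


def parse_version(s: str) -> tuple:
    """'4.4' -> (4, 4, 0); pads to three components so comparisons are consistent."""
    parts = [int(p) for p in s.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


@dataclass(frozen=True)
class Detection:
    """All a detector has to emit: where, what, and which version."""
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class FeedEntry:
    """Vulnerability knowledge kept outside the detector, updated independently."""
    cve: str
    product: str
    fixed_in: str      # first non-vulnerable version (constructed, not the real fix version)
    cvss: float
    exploited: bool    # changes over time; a feed update, not a plugin revision


# Constructed feed: CVE ids are from the article, version bounds are illustrative only.
FEED = [
    FeedEntry("CVE-2023-37679", "mirth-connect", "4.4.0", 9.8, False),
    FeedEntry("CVE-2023-43208", "mirth-connect", "4.4.1", 9.8, True),
]

# Constructed inventory of hosts as a version-only detector would report them.
HOSTS = [
    Detection("hl7-gw-01", "mirth-connect", "4.3.0"),
    Detection("hl7-gw-02", "mirth-connect", "4.4.0"),
    Detection("hl7-gw-03", "mirth-connect", "4.4.1"),
]


def assess(detections, feed):
    """Match every detection against every feed entry, then rank: exploited first, then CVSS."""
    findings = [
        (d.host, e.cve, e.cvss, e.exploited)
        for d in detections
        for e in feed
        if e.product == d.product and parse_version(d.version) < parse_version(e.fixed_in)
    ]
    return sorted(findings, key=lambda f: (f[3], f[2]), reverse=True)


if __name__ == "__main__":
    for finding in assess(HOSTS, FEED):
        print(finding)
```

Adding the next Mirth Connect CVE is one new FeedEntry; a CVSS or exploitation change is one field update, and no detector is touched in either case.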

Also, no one is really running all the 200,000+ plugins in each scan. Tenable organizes the plugins into families. This allows you to run only certain related categories of plugins in each scan. But how do you know the plugin for the next RCE will come from a family you have included in your scan? The two plugins we are talking about are organized under a family called CGI Abuses. What if your daily or weekly scan doesn't include that family? How will you ever detect the next Mirth Connect RCE?

Conclusions

  • Current scanning solutions depend on a manually scripted plugin detection model which is prone to delays and biases.
  • Availability of plugins depends on relevance of the affected product or service to the scanner, not to your enterprise.
  • Many important vulnerabilities to your enterprise will probably never be covered by scanner plugins unless they become critical or are weaponized.
  • Plugins for certain lesser known products and services may take several months to be manually scripted.
  • Since part of the prioritization logic is often hardcoded in the plugins, they will need frequent updates to stay current.
  • There will be delays and gaps in detection if you are not running the latest plugins relevant to your attack surface.

Is there a better way to do this? Perhaps! But it would require us to move away from this (now) decades old model of manual plugins. An AI driven universal scanner, maybe, one that can check for any new vulnerability without ever needing a plugin!
