OpenSSF Day Tokyo 2023 Keynote presentation.

CVE Trend 2006-2023
Security Researcher
Kazuki Omo: ka-omo@sios.com

Who am I?
- Security Researcher/Engineer/Trainer (23y)
- SELinux/MAC Evangelist (16y)
- Linux Engineer (21y)
- System Administrator(4y) at Bank.
- Antivirus Professional Engineer (3y) at Sophos.
- SIEM Professional Engineer (3y) at HP.
- Threat Intelligence /OSINT Trainer (2y) Sub-job.
CISSP #366942

Agenda
1. Number of CVEs since 2006-2023
○ Total, OSS CVEs
○ Breakdown OSS CVEs
2. Exploited vulnerabilities and OSS
○ Breakdown “Exploited” CVEs.
○ Compare each country sponsored attack.
○ Which phase the Threat Actor use OSS vulnerability?
3. Conclusion

What kind of data-source for vulnerability.
cve.org (old cve.miter.org)
● Get CVE-ID, details, and rejected info.
NIST
● CPE, CVSS, CWE info.
CISA Known Exploited Vulnerabilities Catalog (CISA KEV)
● CISA maintains the authoritative source of vulnerabilities that have been
exploited in the wild.

1. Number of CVEs since
2006-2023

Total number of CVEs since 2006-2023 (Sep.)
Avg. ≒ 2400 CVEs/Month ≒ 80 CVEs/Month

Total number of OSS CVEs since 2006-2023 (Sep.)

Num of OSS vulnerability(2006-2023)

Ratio of OSS vulnerabilities (2006-2023)
- Browser
- Wordpress+Plugin
are now majority.

From the Ratio of OSS vulnerabilities, we can guess..
1. Recently (especially since 2022) Browser and Wordpress vulnerabilities are
increasing.
a. Basic Software (like LAMP architecture) seems to be now well
debugged.
i. Sometime we still find several Critical vulnerabilities.
b. Our IT environment(including OSS) are moving to Web-based
architecture. Then many of Web-based OSS projects are publishing
their products (and unfortunately vulnerabilities).

2. Exploited vulnerabilities
and OSS

How to check the “exploited” vulnerability?
CISA KEV(Known Exploited Vulnerabilities) catalog.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Number of the “Exploited Vulnerabilities”
Number of
CVEs
Number of OSS
CVEs
OSS %
2022 24647 7336 29.80%
2023(〜Aug.) 21594 5998 27.80%
KEV-listed
CVE
KEV-listed OSS
CVE
OSS %
2022 741 120 16.20%
2023(〜Oct.) 181 47 25.90%
This is a main reason why you
need to prioritize in
“Vulnerability Management”.

Prioritize is important.
So, we need to “prioritize”.
0. (Basic) We are using the affected products, version.
1. “Exploited” (or “in-the-wild”) vulnerability. <- Priority High!!
2. Serious Remotely vulnerability.
3. Serious Local vulnerability.
4. … and so on.
But this is another topic. Sorry…
Let’s go back to the trend of KEV.

Number of the “Exploited Vulnerabilities”
Number of
CVEs
Number of OSS
CVEs
OSS %
2022 24647 7336 29.80%
2023(〜Aug.) 21594 5998 27.80%
KEV-listed
CVE
KEV-listed OSS
CVE
OSS %
2022 741 120 16.20%
2023(〜Oct.) 181 47 25.90%
OSS is around 25% in KEV.
So, who use it?

Categorize What CVEs are used by Which Threat Actor
TAG-22 APT24
China
Sandworm DEV-0586
CISA KEV
2022-2023
CVE
CVE
CVE
CVE
CVE
CVE CVE
CVE
CVE
CVE
CVE
Russia
Check TA
TTP(Tactics,
Techniques and
Procedures) .
CISA advisory,
and other data
source.
(OSINT)
Profile
Profile
Profile
Profile
CVE
CVE
CVE

CISA Advisory
https://www.cisa.gov/topics/cyber-threats-and-advisories/advanced-persisten
t-threats/north-korea

OSS % for each country
Money
Motivated
China Russia DPRK Iran Not
Identify
KEV
Total
Number of
OSS_KEV_CVE
16 7 12 8 3 128 166
Total Number
of KEV_CVE
85 58 28 17 13 743 921
OSS% 18.82% 12.07% 42.86% 47.06% 23.08% 17.23% 18.02%
Government Name : Government sponsored Threat Actor.
(espionage, agitation, destroy infrastructure, etc.)

Threat actor and vulnearbilities
Total OSS

OSS % for each country/motivate
Money China Russia DPRK Iran Not
Identify
ALL
KEV
Number of
OSS_KEV_CVE
16 7 12 8 3 128 166
Total Number
of KEV_CVE
85 58 28 17 13 743 921
OSS% 18.82% 12.07% 42.86% 47.06% 23.08% 17.23% 18.02%
China use many of vulnerabilities, but not so love OSS… :(
This seems to be China is targeting more “closed source(windows,
etc.)” or other commercial SW/HW.

What kind of vulnerabilities are exploited?
Server 31 Infra 35
Client 18 Mail 6
NW 10 App 18
Server 8 Infra 3
Client 0 Mail 5
NW 0 App 0
Microsoft 26
Adobe 3
Fortinet 3
F5 2
Cisco 3
Oracle 3
Others(OSS, etc) 19
China loves to exploit Microsoft Products. :-p
Also China focus on NW devices.
Total
OSS
Products

Identify
ALL
KEV
Number of
OSS_KEV_CVE
16 7 12 8 3 128 166
Total Number
of KEV_CVE
85 58 28 17 13 743 921
OSS% 18.82% 12.07% 42.86% 47.06% 23.08% 17.23% 18.02%
Russia also use many of vulnerabilities, and OSS vulnerabilities. :)
It seems that Russia is more targeting Government infra system which is using
OSS.

Server 7 Infra 1
Client 5 Mail 9
NW 0 App 1
Server 13 Infra 14
Client 11 Mail 11
NW 4 App 3
Russia equality use any of vulnerabilities. :-p
Recently they are focusing more Mail exploit.
Microsoft 6
Adobe 0
Fortinet 1
F5 1
Cisco 2
Oracle 0
Others(OSS, etc.) 18
Total
OSS
Products

Identify
ALL
KEV
Number of
OSS_KEV_CVE
16 7 12 8 3 128 166
Total Number
of KEV_CVE
85 58 28 17 13 743 921
OSS% 18.82% 12.07% 42.86% 47.06% 23.08% 17.23% 18.02%
DPRK(aka North Korea) also use many of vulnerabilities including OSS
vulnerabilities. :)

DPRK also equality use any of vulnerabilities, but not so much. :-)
Server 8 Infra 6
Client 11 Mail 2
NW 0 App 11
Server 4 Infra 2
Client 3 Mail 2
NW 0 App 3
Microsoft 5
Adobe 3
Zimbra 2
Others(OSS, etc.) 9
Total
OSS
Products

Categorised KEV(2022-2023)
By Impact/Type

DPRK (CVE-2021-4034: Red Hat Polkit vulnerability)
Tactic Technique Description Activity
PRIVILEGE
ESCALATION
T1078 Valid
Accounts
Exploitation of CVE-2021-4034 in ‘pkexec’
known as pwnkit, to perform local
privilege escalation to root.
-

Categorize KEV CVE 2022-2023
CISA KEV
2022-2023
CVE
CVE
CVE
CVE CVE
Apache -> Server
iPhone -> IoT
Priv Escalation -> Priv.
Priv Escalation -> Priv.
Command Exec -> Exec.
1
1
2
Server, Priv.
Server, Priv. , Exec.

KEV(2022-2023) By Impact/Category
All of KEV 2022-2023 OSS KEV 2022-2023
Server Client NW etc. IoT Server Client NW etc. IoT
Command Exec 137 120 77 23 70 20 3 1
Privilege Escalation 132 6 21 21 24 2 1 0
Information Disclosure 31 15 9 6 10 4 1 0
Auth/Security Bypass 23 7 4 3 7 1 0 0
Change Config/Data 14 0 7 0 3 0 1 0
DoS 13 56 32 5 4 13 0 0
Total 362 186 148 62 124 49 9 1

All of KEV 2022-2023 OSS KEV 2022-2023
Command Exec 137 120 77 23 70 20 3 1
DoS 13 56 32 5 4 13 0 0
Total 362 186 148 62 124 49 9 1
Server is mainly target system. For Client(including browser)/NW/IoT,
OSS not so much.

All of KEV 2022-2023 OSS KEV 2022-2023
Command Exec 137 120 77 23 70 20 3 1
DoS 13 56 32 5 4 13 0 0
Total 362 186 148 62 124 49 9 1
For All of KEV, vulnerabilities are mostly like Command Exec, Privilege
Escalation, Information Disclosure, DoS. But other type of

All of KEV 2022-2023 OSS KEV 2022-2023
Command Exec 137 120 77 23 70 20 3 1
DoS 13 56 32 5 4 13 0 0
Total 362 186 148 62 124 49 9 1
For the OSS, Command Exec/Priv Escalation/Information Disclosure
vulnerabilities are mostly targeted by Threat Actor/Ransomware Gang.

All of KEV 2022-2023 OSS KEV 2022-2023
Command Exec 137 120 77 23 70 20 3 1
DoS 13 56 32 5 4 13 0 0
Total 362 186 148 62 124 49 9 1
But still we can’t ignore other number of vulnerabilities for OSS.

Conclusion
1. Published CVEs still growing up. OSS CVEs also growing up.
○ Now Browser/Wordpress+Plugin are majority of OSS vulnerabilities.
2. Threat Actor(TA) interest is different in each country;
○ Chinese TA loves Microsoft and NW devices.
○ Russian TA focusing everything, more focusing Mail exploit.
○ DPRK TA focusing everything.
3. Threat Actor target OSS vulnerabilities for attacking infrastructure.
○ Command Exec / Privilege Escalation are mostly targeted by Threat
Actor/Ransomware Gang.

So, what we can do?
1. Be careful about Browser, Wordpress, and several GitHub based
project vulnerability.
○ Can we enforce them to use SCA type of scanner? (GitHub Dependabot)
2. Be careful about OSS vulnerability on infrastructure because Country
sponsored Threat Actor is targeting them.
○ Many of country infrastructure now contain OSS.
3. We need to be careful for {Command Exec, Privilege Escalation,
Information Disclosure} vulnerabilities for OSS.
○ But we can’t ignore other vulnerabilities.

Identify
ALL
KEV
Number of
OSS_KEV_CVE
16 7 12 8 3 128 166
Total Number
of KEV_CVE
85 58 28 17 13 743 921
OSS% 18.82% 12.07% 42.86% 47.06% 23.08% 17.23% 18.02%
Everybody loves money! :-p
They are using any of vulnerability, and don’t care OSS or not.

Money motivated threat actor(Ransomware Gang, etc.)
don’t care Server/Client, products, etc. :-(
Total
OSS
Products
Server 40 Infra 53
Client 39 Mail 3
NW 7 App 30
Server 8 Infra 8
Client 7 Mail 0
NW 0 App 7
Microsoft 31
Adobe 1
Fortinet 2
F5 2
Cisco 0
Oracle 4
Citrix 2
VMWare 2
Others(OSS, etc.) 74

OSS % in the “Exploited Vulnerabilities”
Number of
CVEs
Number of OSS
CVEs
OSS %
2022 24647 7336 29.80%
2023(〜Aug.) 21594 5998 27.80%
KEV-listed
CVE
KEV-listed OSS
CVE
OSS %
2022 741 124 16.70%
2023(〜Oct.) 181 47 25.90%
OSS ratio in the “Exploited
Vulnerabilities” are not much
different to OSS ratio in total
number of CVEs.

Prioritize is important.
So, we need to “prioritize”.
0. (Basic) We are using the affected products, version.
1. “Exploited” (or “in-the-wild”) vulnerability. <- Priority High!!
2. Serious Remotely vulnerability.
3. Serious Local vulnerability.
4. … and so on.

OpenSSF Day Tokyo 2023 Keynote presentation.

Recommended

Recommended

More Related Content

Similar to OpenSSF Day Tokyo 2023 Keynote presentation.

Similar to OpenSSF Day Tokyo 2023 Keynote presentation. (20)

More from Kazuki Omo

More from Kazuki Omo (14)

Recently uploaded

Recently uploaded (20)

OpenSSF Day Tokyo 2023 Keynote presentation.