Microsoft Advisories Are Getting Worse


Because the twentieth anniversary of Patch Tuesday approaches later this 12 months, many are reflecting on the significance of this system that introduced predictability to Microsoft safety patch cycles. Patch Tuesday undoubtedly improved the safety of shoppers, and the success of this system is mirrored within the variety of organizations that established their very own Patch Tuesdays, together with Adobe, Siemens, Schneider Electrical, and extra.

Nevertheless, the standard of the vulnerability particulars revealed by Microsoft on Patch Tuesday has noticeably declined. Vulnerability descriptions was helpful. Now they’re lowered to being almost meaningless. Evaluate, for instance, the CVE descriptions within the Nationwide Vulnerability Database (NVD) for CVE-2017-0290 and CVE-2023-21554 (aka QueueJumper):

CVE-2017-0290 NVD Vulnerability Description

The Microsoft Malware Safety Engine operating on Microsoft Forefront and Microsoft Defender on Microsoft Home windows Server 2008 SP2 and R2 SP1, Home windows 7 SP1, Home windows 8.1, Home windows Server 2012 Gold and R2, Home windows RT 8.1, Home windows 10 Gold, 1511, 1607, and 1703, and Home windows Server 2016 doesn’t correctly scan a specifically crafted file resulting in reminiscence corruption, aka “Microsoft Malware Safety Engine Distant Code Execution Vulnerability.”

CVE-2023-21554 Vulnerability Description

Microsoft Message Queuing Distant Code Execution Vulnerability

The primary description particulars the affected parts (Forefront and Defender), the affected variations (numerous Home windows working programs), the assault vector (crafted file), and a bug class (reminiscence corruption). The second description lacks virtually all of these particulars.

This isn’t an remoted case. In actual fact, Microsoft’s CVE descriptions have been on the decline for quite a lot of years. The next graph maps the median size of Microsoft-created CVE descriptions over the previous 20 years:

Graphic showing median length of Microsoft CVE description
Supply: Jacob Baines

Influence on Defenders

The poor descriptions have a severe affect on practitioners. It is tough to prioritize vulnerabilities when it is unclear what the issues are. How is anybody presupposed to know if Microsoft Message Queuing Distant Code Execution Vulnerability is a giant deal or not? What number of practitioners know what Microsoft Message Queuing is, or what main items of software program use it? Is it enabled by default? Does it pay attention on a community port? The practitioner is pressured to go in search of all this info themselves.

To keep away from that kind of factor, MITRE created well-defined guidelines for what’s required in a CVE description. These are the minimal necessities:

8.2.1 MUST present sufficient info for a reader to have an inexpensive understanding of what merchandise are affected.

8.2.3 MUST embody one of many following:

1. Vulnerability Kind

2. Root Trigger

3. Influence

Does Microsoft Message Queuing Distant Code Execution Vulnerability Fulfill These Necessities?

Perhaps a really unfastened interpretation of 8.2.3 could be happy with Code Execution Vulnerability. However can anybody moderately say that “Microsoft Message Queuing” describes the affected merchandise?

Not less than Microsoft included a particular service for CVE-2023-21554 (Message Queuing). It did not even try this for CVE-2023-23415. That description would not record any software program, and as an alternative opts to record an affected protocol:

CVE-2023-23415 Vulnerability Description

Web Management Message Protocol (ICMP) Distant Code Execution Vulnerability

CWE Assigned to Microsoft CVE

It is unclear why MITRE permits Microsoft to disregard (or, generously, skirt) the CVE description guidelines. What is evident is that everybody else is worse off due to it. If interesting to the overburdened practitioner is not sufficient, we are able to truly measure the affect of Microsoft’s dangerous CVE descriptions on NIST’s per CVE frequent weak point enumeration (CWE) ID task.

For each CVE in NIST’s NVD, it makes an attempt to assign a CWE. When the vulnerability comprises inadequate info to assign any particular CWE, then NIST assigns NVD-CWE-noinfo. Principally, “this CVE has inadequate particulars for us to know what the weak point is.”

Again in 2015, NIST assigned NVD-CWE-noinfo to just a few Microsoft CVEs. In 2022, the vast majority of Microsoft CVEs obtained the NVD-CWE-noinfo designation.

Graphic showing CWE assigned to Microsoft CVE
Supply: Jacob Baines

NIST’s effort to assign CWE to every CVE helps with vulnerability prioritization and makes it simpler to map vulnerabilities to CAPEC and/or MITRE ATT&CK. NVD CWE are utilized by a number of downstream initiatives, together with MITRE’s personal CWE Prime 25. Latest Microsoft vulnerabilities are largely excluded from these actions, as a result of Microsoft has chosen to offer inadequate info to even assign a CWE to its vulnerabilities.

Sadly, it isn’t as if the knowledge could be discovered within the Microsoft advisory itself, both. In actual fact, practitioners have to check with outdoors sources, as a result of Microsoft would not hold its advisories updated. For instance, each CVE-2022-41080 and CVE-2019-1388 have been added to the Cybersecurity and Infrastructure Safety Company Identified Exploited Vulnerabilities Catalog in 2023. Microsoft’s NVD entries appropriately mirror that. However each Microsoft advisories state that the vulnerabilities have not been “exploited.” That is as a result of its advisories solely mirror exploitation on the time of publication.

Microsoft Advisory Exploitability Desk for CVE-2019-1388

The result’s that Microsoft’s advisory is each outdated and lacks info. The NVD entry is updated, but in addition lacks info. Fortunately, there are a number of third events attempting to plug the knowledge hole. For instance, Zero Day Initiative publishes a rundown of each Patch Tuesday. That is its description of CVE-2023-21554 (aka QueueJumper):

This can be a CVSS 9.8 bug and receives Microsoft’s highest exploitability score. It permits a distant, unauthenticated attacker to run their code with elevated privileges on affected servers with the Message Queuing service enabled. This service is disabled by default however is often utilized by many contact middle purposes. It listens to TCP port 1801 by default, so blocking this on the perimeter would forestall exterior assaults. Nevertheless, it isn’t clear what affect this may occasionally have on operations. Your only option is to check and deploy the replace.

This description comprises vital info that the CVE entry doesn’t, resembling:

1. Message Queuing is a service.

2. Message Queuing is disabled by default.

3. Message Queuing listens on TCP port 1801.

4. Exploitation might end in elevated privileges.

All of that’s extremely helpful for defenders — info that ought to have appeared within the CVE dictionary and the NVD entry, however would not. That is info that belongs within the CVE catalog for context, vulnerability prioritization, and historic safekeeping. As a substitute, already time-constrained defenders are put at a drawback as a result of they’re pressured to go trying to find third-party descriptions of each Microsoft vulnerability.

Conclusion

Microsoft’s Patch Tuesday is nearly sufficiently old to drink, however that is not mirrored within the maturity of this system. A predictable patch cadence is good, however the related info produced by Microsoft is dangerous and has been trending that approach for years. Microsoft can do rather more, and it owes the group as a lot. Eight-word vulnerability descriptions shouldn’t and can’t be the norm.

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles