
NIST to establish consortium that can collaborate on research to improve the NVD


The US National Institute of Standards and Technology (NIST) is to establish a consortium that will partner with NIST in responding to the challenges posed by the current and expected growth in CVEs, for example by developing ways to automate some analysis activities.

The official announcement came during VulnCon, a cybersecurity conference hosted by the Forum of Incident Response and Security Teams (FIRST), held from March 25 to 27, 2024. Tanya Brewer, the NVD program manager, disclosed the news, addressing the longstanding speculation surrounding the fate of the NVD. 

In February 2024, NIST halted the enrichment of Common Vulnerabilities and Exposures (CVEs) data on the NVD website, leading to a backlog of unanalyzed vulnerabilities. This development raised alarms among security researchers and industry professionals, as the NVD plays a critical role in identifying and addressing software vulnerabilities. 

The implications of the NVD backlog are profound, potentially impacting the security posture of organisations worldwide. Without timely analysis and remediation of vulnerabilities, companies face increased risks of cyberattacks and data breaches. The situation prompted some security companies to explore alternative solutions to supplement the NVD's functions temporarily. Amidst the challenges, speculation swirled regarding the underlying causes of the NVD's issues. 

Budget constraints, contractual changes, and discussions around updating vulnerability standards were among the factors cited. The uncertainty underscored the need for transparency and clarity from NIST regarding the future of the NVD. In response to the concerns, Brewer acknowledged the challenges faced by the NVD program, attributing them to a "perfect storm" of circumstances. Despite the setbacks, NIST remains committed to addressing the issues and revitalizing the NVD. 

Plans for the establishment of an NVD Consortium, aimed at fostering collaboration and innovation, signal a proactive approach to future management. Looking ahead, NIST aims to enhance the NVD's capabilities and processes within the next one to five years. Proposed initiatives include expanding partnerships, improving software identification methods, and leveraging automation to streamline CVE analysis. 

These efforts reflect a concerted push to modernize the NVD and ensure its relevance in an ever-evolving cybersecurity landscape. The announcement at VulnCon provided much-needed clarity and reassurance to the cybersecurity community. While challenges persist, the collaborative efforts of industry stakeholders and government agencies offer hope for a resilient and robust NVD ecosystem.

New Vulnerabilities Discovered in 5 WooCommerce WordPress Plugins

The U.S. government's National Vulnerability Database (NVD) has recently warned of vulnerabilities in 5 WooCommerce WordPress plugins, with over 135,000 installations affected in total.

Several of the vulnerabilities are rated 9.8 on the scale of 1-10; the severities range from moderate up to Critical. 

Each of the vulnerabilities has been assigned a CVE (Common Vulnerabilities and Exposures) identification number. 

1. Advanced Order Export for WooCommerce: 

The Advanced Order Export for WooCommerce plugin, installed on as many as 100,000 websites, is vulnerable to a Cross-Site Request Forgery (CSRF) attack. 

A CSRF vulnerability arises from a flaw in a website plugin that lets a threat actor deceive a logged-in user into performing an action the user did not intend. 

In general, the user's browser holds cookies that tell the website the user is registered and logged in, so a forged request sent by that browser is processed with the user's privileges. If the victim is an administrator, the threat actor effectively acts with admin-level access to the site, which can expose the admin's sensitive customer information. 

This vulnerability could lead to an export file download. It may be reasonable to presume that order data is the type of file an attacker can access, given that the plugin's goal is to export WooCommerce order data. 

Official Vulnerability Description: 

The Official vulnerability description states that “Cross-Site Request Forgery (CSRF) vulnerability in Advanced Order Export For WooCommerce plugin <= 3.3.2 on WordPress leading to export file download.” 

This vulnerability could impact all versions of the Advanced Order Export for WooCommerce plugin that is less than or equal to version 3.3.2. 

2. Advanced Dynamic Pricing for WooCommerce: 

The second affected plugin, Advanced Dynamic Pricing for WooCommerce, is installed on over 20,000 websites. The plugin was found to have two CSRF vulnerabilities, affecting all plugin versions lower than 4.1.6. 

The purpose of the plugin is to make it simpler for retailers to create discount and pricing rules. 

The first vulnerability (CVE-2022-43488) can result in a “rule type migration.” 

The official description by the NVD reads “Cross-Site Request Forgery (CSRF) vulnerability in Advanced Dynamic Pricing for WooCommerce plugin <= 4.1.5 on WordPress leading to rule type migration.” 

3. Advanced Coupons for WooCommerce Coupons plugin: 

The third affected plugin, Advanced Coupons for WooCommerce Coupons, has over 10,000 installs. The issue discovered in this plugin is also a CSRF vulnerability, affecting all versions lower than 4.5.01. 

The official description by the NVD reads “Cross-Site Request Forgery (CSRF) vulnerability in Advanced Coupons for WooCommerce Coupons plugin <= 4.5 on WordPress leading to notice dismissal.” 

4. WooCommerce Dropshipping by OPMC – Critical: 

The next affected plugin, named the WooCommerce Dropshipping by OPMC plugin has around 3,000 installations. 

A Critical unauthenticated SQL injection vulnerability, scored 9.8 (on a scale of 1-10), affects versions of this plugin lower than 4.4. A SQL injection vulnerability allows an attacker to manipulate the WordPress database and assume admin-level permissions, and consequently to modify the database, erase it, or download sensitive data. 

The NVD while describing this specific plugin vulnerability says, “The WooCommerce Dropshipping WordPress plugin before 4.4 does not properly sanitise and escape a parameter before using it in a SQL statement via a REST endpoint available to unauthenticated users, leading to a SQL injection.” 
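The NVD text above names two separate defects: the REST endpoint is reachable by unauthenticated users, and the parameter is used unsanitised in SQL. The following added example (illustrative code written for this post, not the OPMC plugin's own code; the route name, capability and order statuses are assumptions) shows the weak pattern beside the hardened one using WordPress's own REST and `$wpdb` APIs.

```php
<?php
// Added illustrative example, not the plugin's code. A REST route that looks
// up WooCommerce orders by a caller-supplied 'status' parameter.

// WEAK: the raw parameter is concatenated into the SQL string. Combined with a
// route registered with 'permission_callback' => '__return_true', this is the
// unauthenticated SQL injection condition the NVD entry describes.
function weak_lookup( WP_REST_Request $request ) {
    global $wpdb;
    $status = $request->get_param( 'status' );
    $sql    = "SELECT ID FROM {$wpdb->posts} WHERE post_type = 'shop_order' AND post_status = '$status'";
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

// HARDENED: the value is bound with $wpdb->prepare(), which escapes and quotes
// %s placeholders, so the input can never terminate the literal or add clauses.
function safe_lookup( WP_REST_Request $request ) {
    global $wpdb;
    $status = $request->get_param( 'status' ); // already validated by 'args' below
    $sql    = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_type = %s AND post_status = %s",
        'shop_order',
        $status
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

add_action( 'rest_api_init', function () {
    // Hypothetical namespace; a real plugin would use its own.
    register_rest_route( 'example-dropship/v1', '/orders', array(
        'methods'             => 'GET',
        'callback'            => 'safe_lookup',
        // Deny anonymous callers: require WooCommerce's shop-manager capability.
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
        'args' => array(
            'status' => array(
                'required'          => true,
                'type'              => 'string',
                // Allow-list of statuses (assumed set); anything else is rejected
                // by the REST schema validator before the callback runs.
                'enum'              => array( 'wc-pending', 'wc-processing', 'wc-completed' ),
                'sanitize_callback' => 'sanitize_key',
            ),
        ),
    ) );
} );
```

With the allow-list in place the prepared statement is defence in depth: even a value that slips past validation reaches MySQL only as a quoted string.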

5. Role-Based Pricing for WooCommerce: 

This plugin consists of two CSRF vulnerabilities, with over 2,000 installations. 

As noted for the other plugins, a CSRF vulnerability involves a threat actor deceiving the admin or another user into clicking a link or otherwise triggering a malicious request. This can result in the actor acting with that user’s permission level on the website. This vulnerability is rated as high as 8.8. 

The NVD description of the first vulnerability warns “The Role Based Pricing for WooCommerce WordPress plugin before 1.6.2 does not have authorization and proper CSRF checks, and does not validate files to be uploaded, allowing any authenticated users like subscriber to upload arbitrary files, such as PHP” 

Following this, the official NVD description of the second vulnerability says, “The Role Based Pricing for WooCommerce WordPress plugin before 1.6.3 does not have authorization and proper CSRF checks, as well as does not validate path given via user input, allowing any authenticated users like subscriber to perform PHAR deserialization attacks when they can upload a file, and a suitable gadget chain is present on the blog” 

Moreover, the official Role Based Pricing for WooCommerce WordPress plugin changelog states that the plugin is fully patched in version 1.6.2: 

“Changelog 2022-10-01 – version 1.6.2 

* Fixed the Arbitrary File Upload Vulnerability. 

* Fixed the issue of ajax nonce check.” 
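The NVD descriptions above (missing authorization and CSRF checks) and the changelog's "ajax nonce check" fix describe the same defensive pattern: every privileged admin-ajax action needs both a nonce bound to that action and a capability check. The following added example (written for this post, not the Role Based Pricing plugin's code; `do_export_orders`, the action names and the capability are assumptions) shows the weak handler beside the hardened one, and also serves the CSRF explanation given for the Advanced Order Export plugin.

```php
<?php
// Added illustrative example, not code from any plugin named in this post.
// Pattern: an admin-ajax action that performs a privileged export.

// WEAK: no nonce and no capability check. Any request carrying the victim's
// logged-in cookies, including one a third-party page caused the browser to
// send, runs the export as that user. That is the CSRF condition described.
function weak_export_orders() {
    $format = $_POST['format'] ?? 'csv';
    do_export_orders( $format ); // hypothetical helper that streams the file
    wp_die();
}
add_action( 'wp_ajax_weak_export_orders', 'weak_export_orders' );

// HARDENED: the request must carry a nonce tied to this action, and the caller
// must hold a capability that only shop managers and admins have.
function safe_export_orders() {
    // Verifies the 'nonce' field against the action name and dies with 403
    // when it is missing, expired or forged.
    check_ajax_referer( 'export_orders_action', 'nonce' );

    // Authorization is separate from CSRF protection: a subscriber with a
    // valid nonce must still be refused, which is the gap the NVD text names.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    $format = sanitize_text_field( wp_unslash( $_POST['format'] ?? 'csv' ) );
    if ( ! in_array( $format, array( 'csv', 'xlsx' ), true ) ) {
        wp_send_json_error( array( 'message' => 'Unsupported format' ), 400 );
    }

    do_export_orders( $format );
    wp_die();
}
add_action( 'wp_ajax_safe_export_orders', 'safe_export_orders' );

// Where the nonce comes from: it is rendered into the admin page so the
// plugin's own JavaScript can submit it. A cross-site page cannot read it.
function export_orders_admin_page() {
    $nonce = wp_create_nonce( 'export_orders_action' );
    printf(
        '<button id="export" data-nonce="%s">Export orders</button>',
        esc_attr( $nonce )
    );
}
```

Note that `wp_ajax_nopriv_*` hooks are deliberately not registered, so the action is never reachable by logged-out visitors.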

Plan of Action

To avoid these consequences, users should update all of the vulnerable plugins. It is also best practice to back up the website before updating and, where feasible, to test the updated plugin before deploying it. 

NIST NVD Report Shows Increase in Low-Complexity CVEs


Common vulnerabilities and exposures, or CVEs, that are very easy to exploit appear to be growing as a proportion of the overall number of bugs reported, and according to a new survey they pose an increasing challenge for cybersecurity teams. 

Recently, Redscan, a managed detection, response, and pen-testing professional, evaluated more than 18,000 CVEs filed in the National Vulnerability Database (NVD) of the U.S. National Institute of Standards and Technology (NIST) in 2020 and published a report, NIST Security Vulnerability Trends in 2020: An Analysis.

It shows that just over half (57%) are graded as "high" or "critical" - the largest figure reported in any year to date. The report also discusses the increase in low-complexity vulnerabilities and the rise of vulnerabilities that do not require user interaction, which means that attackers with limited technical skills can exploit them as well. According to the research, this number has risen since 2017, after declining dramatically between 2001 and 2014. These developments demonstrate the need for companies to improve their awareness of vulnerabilities being exploited in the wild and to follow a multi-layered approach to vulnerability management. In 2020, almost 4000 vulnerabilities can be described as the “worst of the worst” – meeting the worst criteria for every NVD filter. 

The research report says, “The prevalence of low complexity vulnerabilities in recent years means that sophisticated adversaries do not need to ‘burn’ their high complexity zero-days on their targets and have the luxury of saving them for future attacks instead.” 

“Low complexity vulnerabilities lend themselves to mass exploitation as the attacker does not need to consider any extenuating factors or issues with an attack path. This situation is worsened once exploit code reaches the public and lower-skilled attackers can simply run scripts to compromise devices.” 

Another trend that needs to be tackled: low-complexity CVEs, which made up 63 percent of the vulnerabilities found in 2020, are increasing. The large number of low-complexity vulnerabilities has become a growing challenge for security teams. Complexity is one of the most important factors to consider when evaluating vulnerability risk and the timeframe for in-the-wild exploitation. Low-complexity CVEs lend themselves to rapid mass exploitation because attackers do not have to account for extenuating circumstances or attack-path problems. 

Alongside this, companies also need to improve oversight of their technology vendors. They must determine how their vendors test their custom code and how their products make use of third-party libraries. 

“Vulnerabilities which require no interaction to exploit present a complex challenge for security teams, underscoring the need for defense-in-depth. This includes enhancing the visibility of attack behaviors once a compromise has occurred,” added George Glass, Head of Threat Intelligence at Redscan.