Mind the Gap: A Closer Look at Eight Notable CVEs from 2022

This is the last of a four-part series examining the period of time between when a vulnerability is first discovered and when it is fully disclosed on the National Vulnerability Database. In this installment, we examine eight notable CVEs with significant gaps in disclosure timelines and discuss how Tenable can help.

Curiosity demands that we ask questions, that we try to put things together and try to understand this multitude of aspects and perhaps resulting from the action of a relatively small number of elemental things and forces acting in an infinite variety of combinations.

—Richard. P. Feynman

In the last of our four-part blog series we take a closer look at eight notable CVEs in 2022 and explore how the gaps between their discovery and their full disclosure on the National Vulnerability Database (NVD) could put organizations at risk. These are three key findings:

1. Of the eight notable CVEs from 2022 analyzed for this study, some had gaps of 50 days or more between the time of their initial disclosure and the time they were fully disclosed in NVD. This gap gives threat actors the advantage, as they can utilize the flaw before many security teams even know there is a risk, let alone assess to see if they’re impacted.
2. We saw 186 days elapse between the time CVE-2022-1096 (a type confusion vulnerability in V8 in Google Chrome) was discovered and the time it was fully disclosed on NVD. This vulnerability had at least one exploit available 101 days before it was fully disclosed on NVD.
3. Between January 1, 2000, and Dec. 31, 2022, Tenable provided Nessus plugin coverage for 32,862 vulnerabilities ahead of NVD, of which 677 had not been fully disclosed in NVD as of the release date of this study.

Selected vulnerabilities with significant gaps in 2022

In this section we highlight eight CVEs from 2022 for which we tracked a significant delay in details being fully disclosed on NVD; for at least three of these, it took months before they were fully disclosed on NVD.

As Fig. 1 shows, the eight CVEs:

• Received details on NVD after Tenable plugin coverage was available.
• Have been rated by Tenable Vulnerability Priority Rating (VPR) as Critical or High.
• Had a functional exploit identified.

Fig. 1

*as of the day of publication of this study

Source: Tenable Research, April 2023

Below we provide a closer look at how the timelines played out for each of the above CVEs.

Conclusion

As this blog series demonstrates, security teams are inundated with tens of thousands of vulnerabilities each year. While the frameworks and systems put in place to help prioritize remediation efforts are indispensable tools, they often leave gaps in visibility that could be exploited by attackers. The Tenable VPR functionality discussed in this report offers additional guidance to help security professionals identify the vulnerabilities to find and fix first. But it’s only the start.

A preventive cybersecurity strategy requires visibility not only of the vulnerabilities that are present, but also of the misconfigurations that can occur in cloud assets and identity management systems, the unknown web applications that exist across an organization’s attack surface and the non-IT assets such as operational technology and internet of things devices. The siloed nature of preventive security tools makes it difficult for security organizations to analyze all of the above in context in order to obtain an objective view of cyber risk.

At Tenable, we believe preventive cybersecurity requires a new approach. We envision a future in which vulnerability management and other preventive cybersecurity tools come together in a new paradigm we call exposure management. While vulnerability management best practices are foundational, an exposure management program goes beyond classical vulnerability details (e.g., descriptions and CVSS scores) provided by commonly used public vulnerability sources to provide security teams with important context about attack paths, user privileges, cloud configurations and web applications so they can obtain a continuous and complete picture of what’s happening across the attack surface. Only by examining the depth and breadth of vulnerability information in context with the other elements of the attack surface can organizations hope to create a preventive security strategy that effectively reduces their cyber risk.

A list of Tenable plugins covering the CVEs analyzed in this study can be found here.

About The Mind the Gap series

This four-part Mind the Gap blog series is a valuable resource for security professionals that provides an overview of the observed vulnerability landscape with a focus on vulnerabilities discovered by Tenable Research before detailed information appeared on the (NVD. This series stems from the analysis of our own dataset, one of the most extensive and rich datasets in the industries. Through the years, we gathered a broad knowledge of the vulnerability landscape, enmeshed with Tenable Research-specific insights and reporting capabilities.

Other blogs in this series:

• Mind the Gap: How Waiting for NVD Puts Your Organization at Risk
• Mind the Gap: How Existing Vulnerability Frameworks Can Leave an Organization Exposed
• Mind the Gap: A Closer Look at the Vulnerabilities Disclosed in 2022

Learn More

Read the blog post So Many Vulnerabilities So Little Time: Zero In and ‘Zero Click’ into the Current Vulnerability Landscape

From our Cyber Exposure Alerts:

• CVE-2022-40684 Critical Authentication bypass in FortiOS and FortiProxy
• CVE-2022-22972: VMware Patches Additional Workspace ONE Access Vulnerabilities (VMSA-2022-0014)
• CVE-2022-20699, CVE-2022-20700, CVE-2022-20708: Critical Flaws in Cisco Small Business RV Series Routers

• Download the 2022 Threat Landscape Report
• Read the blog, Exposure Management: Reducing Risk in the Modern Attack Surface
• View the webinar, Analyst Roundtable: How Exposure Management Helps You Gain Visibility, Prevent Attacks, and Communicate Risk for Better Decision Making