The Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive 22-01, requiring that United States federal agencies update their processes for remediation of almost 300 vulnerabilities listed in a CISA-maintained Known Exploited Vulnerabilities Catalog. Federal agencies must also set internal tracking and reporting requirements to ensure and evaluate their own adherence to the Directive, and to provide reporting to CISA.
For many agencies, the timelines for identifying and patching the list of CVEs will be aggressive, as many organizations are still developing the maturity and technology required to find difficult-to-detect vulnerabilities. Adding to the complexity, many of the catalogued CVEs have a high potential for re-introduction into environments that were, at least theoretically, already free of them. However, the benefits of addressing these vulnerabilities can be enormous for organizations that see it through. By closing these attack avenues, enterprises set themselves up for a much stronger security posture against current and future attackers. By setting these timelines, CISA is adding urgency for organizations to accelerate their security modernization efforts and add visibility into devices and protocols on their network.
How Long Do Agencies Have To Comply?
The Directive gives several timelines for required action:
- November 17, 2021: Organizations must patch vulnerabilities disclosed in 2021.
- January 2, 2022: Organizations must update vulnerability management procedures per the guidelines in the Directive.
- May 3, 2022: Organizations must patch vulnerabilities disclosed prior to 2021, and address any newly added vulnerabilities within two weeks of disclosure.
Which Vulnerabilities Are Included in the Catalog?
As of today, the Known Exploited Vulnerabilities Catalog, maintained by CISA, lists 291 Common Vulnerabilities and Exposures (CVEs), including several exploited in high-profile attacks over the past eighteen months, such as SolarWinds (SUNBURST), PrintNightmare, and the Microsoft Exchange Server RCEs (ProxyShell/ProxyLogon). CISA plans to add high-priority vulnerabilities to the list on an ongoing basis.
The catalog notably includes a few older vulnerabilities, dating back to 2010 and 2014, including CVE-2014-1812, a Microsoft Group Policy vulnerability that allows attackers to elevate privileges in a target network.
The presence of CVEs more than 11 years old on this list serves as a tacit reminder of an important fact about cyberattackers: they don't have to rely on zero-day attacks. They'd much rather use whatever works. The vulnerabilities in CISA's list are low-hanging fruit for attackers, but also for defenders, who can take away valuable tools from attackers by applying currently available patches.
While CISA's Directive is only binding for federal agencies, attackers are actively using these vulnerabilities to exploit both public and private organizations. In their press release, CISA stressed why it is essential for all organizations to adopt the policies outlined in the Directive: "While this Directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities. It is therefore critical that every organization adopt this Directive and prioritize mitigation of vulnerabilities listed in CISA's public catalog."
How to Fix Known Vulnerabilities Fast
ExtraHop Reveal(x) customers already have the ability to instantly audit their environments for potential exposure and exploit attempts against many of the CVEs listed in CISA's Known Exploited Vulnerabilities Catalog.
ExtraHop NDR technology helps organizations mitigate risk with purpose-built detections for known network vulnerabilities. As new, critical CVEs are discovered, the ExtraHop Threat Research Team deploys new detectors so that Reveal(x) users automatically have the tools they need to detect actively exploited vulnerabilities. Should a vulnerability be exploited, Reveal(x) uses machine learning with strategic decryption to analyze network traffic and alert users to signs of compromise.
ExtraHop has built-in detectors for most of the network exploits listed in the CISA catalog, and will add more network-based detectors in the coming weeks. Currently available detectors cover some of the most commonly exploited CVEs, including:
- CVE-2021-34527: PrintNightmare
- CVE-2021-38647: OMIGod
- CVE-2021-26855, CVE-2021-26858, CVE-2021-34473, CVE-2021-27065: MS Exchange ProxyLogon
- CVE-2019-0604: SharePoint RCE
- CVE-2021-22005, CVE-2021-21985: VMware vCenter
- CVE-2020-10148: SolarWinds Orion
- CVE-2021-21972: VMware vSphere
- CVE-2021-41773, CVE-2021-42013: Apache path traversal
ExtraHop Reveal(x) helps security teams discover potentially vulnerable devices that should be patched. Reveal(x) also offers continuous visibility into exploitation attempts that use many of the vulnerabilities listed in CISA's catalog of CVEs. With these capabilities, Reveal(x) supports better security hygiene and preventive measures, as well as enabling rapid detection and response against CVEs new and old. If you're not a Reveal(x) customer, you can see how it detects threats in our online demo.