According to a SANS Internet Storm Center handler, Jan Kopriva, millions of vulnerable systems remain unpatched for severe bugs, years after the bugs were first discovered and updates released.
Some of the most prevalent and severe bugs still found in the wild are the BlueKeep, Heartbleed and SMBGhost vulnerabilities, all of which carry high CVSS v3 scores. Kopriva used the Shodan search engine to find vulnerable systems exposed to the Internet.
BlueKeep, Heartbleed, and SMBGhost vulnerabilities open for exploitation
Over 245,000 computer systems are still running a vulnerable Windows RDP service, more than 18 months after Microsoft disclosed the BlueKeep vulnerability. This is about 25% of the 950,000 vulnerable Windows systems found when Microsoft performed the first scan in May 2019.
Another 103,000 Windows systems are vulnerable to SMBGhost, a Server Message Block v3 (SMBv3) protocol vulnerability disclosed in March 2020. The bug also affects more recent versions of Windows.
BlueKeep and SMBGhost are among the most severe of these bugs. Heartbleed, meanwhile, still affects more than 204,878 unpatched systems.
BlueKeep (CVE-2019-0708), SMBGhost (CVE-2020-0796), and Heartbleed (CVE-2014-0160) vulnerabilities score highly on the CVSS v3 severity scale.
SMBGhost has a perfect severity score of 10/10, while BlueKeep scores 9.8/10. The Heartbleed vulnerability scores 7.5/10, which is still considered high risk.
BlueKeep and SMBGhost allow attackers to compromise Windows systems remotely and execute arbitrary code.
The Heartbleed vulnerability exists in the OpenSSL cryptographic library, which fails to handle TLS Heartbeat extension packets properly. The bug allows an attacker to read memory from systems running vulnerable OpenSSL software.
However, SMBGhost, BlueKeep, and Heartbleed are hardly the only unpatched bugs found in the wild.
The Czech security researcher says that millions of internet-accessible systems, including IIS servers, Exim mail transfer agents, OpenSSL clients, and WordPress sites, remain vulnerable to various forms of attack.
An Apache Web Server vulnerability (CVE-2019-0211) with a severity score of 7.8 affects 3,357,835 systems, while a Squid proxy bug (CVE-2019-12525) with a CVSS v3 score of 9.8 affects 1,219,716 systems.
A Microsoft IIS bug (CVE-2015-1635) with a perfect CVSS v3 score of 10 affects 374,113 systems.
Three Exim vulnerabilities (CVE-2019-13917, CVE-2019-10149, and CVE-2018-6789), each with a CVSS v3 score of 9.8, affect 264,655, 246,869, and 76,344 systems, respectively.
WordPress (CVE-2019-9787) and ProFTPD (CVE-2019-12815) vulnerabilities, scoring 8.8 and 9.8 on the CVSS v3 scale, affect 83,951 and 80,434 systems, respectively.
According to Kopriva, 22% of the vulnerable systems are in Taiwan, 20% in Japan, 11% in Russia, and 9% are in the U.S.
Vulnerable systems survive the NSA advisories
Many vulnerable systems remain unpatched despite warnings from U.S. federal agencies about active exploitation.
For example, the NSA warned in May 2020 that Russian hackers targeted the Exim bug (CVE-2019-10149) as a gateway into computer systems.
The NSA also warned in October 2020 that Chinese hackers targeted the BlueKeep bug to compromise vulnerable systems in the United States.
Kopriva says the numbers proved that vulnerable systems with well-known security bugs were “sometimes left unpatched for years on end.”
He added that, given how dangerous and well known the BlueKeep vulnerability is, many other less publicized critical vulnerabilities could be affecting a similar number of systems.
He also noted that although Shodan’s results are not always accurate or up to date, the high numbers of vulnerable systems the tool detected point to an underlying problem.
“With every passing minute, an unpatched system is at greater risk of being breached. Vulnerabilities like this are well known to attackers, and they prey on targets who do not resolve them swiftly. While bad actors may keep a keen eye on large companies, this does not mean that smaller organizations are exempt.”
He advised organizations of all sizes to take preemptive measures to protect themselves from known vulnerabilities. He added that although there were valid reasons for failing to upgrade vulnerable systems, alternative mitigation procedures should be implemented.
“These procedures should only be considered as a temporary solution however until a patch or upgrade is made available by the manufacturer. Therefore, a word of advice: plan a maintenance window and patch your systems,” Cipot said. “If there are any other priorities that you need to take care of first, then do so – just do not leave unpatched systems running as they are a big risk to your organization.”