The cybersecurity sector has been shaken by the discovery of critical vulnerabilities in Ivanti Connect Secure VPN software, leading to concerns about how vendors handle vulnerability disclosures. Ivanti, in particular, has faced backlash for grouping multiple vulnerabilities under a single registered Common Vulnerabilities and Exposures (CVE) ID instead of disclosing them individually, making it challenging for organizations to pinpoint which specific vulnerability needs to be addressed. This approach can potentially lead to miscommunication within IT teams, oversight of unpatched vulnerabilities, and hindered mitigation efforts, ultimately increasing the risk of unnoticed vulnerabilities.
While incidents involving Ivanti and Juniper garnered public attention, an older case involving Microsoft serves as a cautionary tale on the consequences of mishandling vulnerability disclosures. In 2017, Microsoft silently patched the “EpMo” vulnerability in 2013 without public disclosure, allowing threat actors to exploit it for years. This delayed disclosure enabled malicious actors to exploit the vulnerability, underscoring the significance of timely and transparent vulnerability disclosures by vendors.
In addition to inaccurate vulnerability disclosures, issues such as retaining the same version number after issuing upgrades can create confusion for users regarding the security status of their software. For instance, Dell Commander 4.9.0 was found to have a vulnerability labeled as CVE 2023-28071, with a NVD score of 7.1. While the company released an updated version internally marked as A02, the publicly available version number remained unchanged, potentially causing uncertainty among sysadmins.
To improve vulnerability disclosure practices, vendors should collaborate with CVE Numbering Authorities (CNAs) to ensure accurate and detailed reporting of vulnerabilities. Following established processes for requesting CVE IDs, providing clear descriptions of vulnerabilities, assigning Common Vulnerability Scoring System (CVSS) scores, and updating information on subsequent patches are crucial steps in responsible vulnerability disclosure. Organizations must also adhere to rules regarding the resolution of errors in CVE assignments, ensuring accurate identification of vulnerabilities.
Overall, transparent and timely disclosure of vulnerabilities is vital to enhancing cybersecurity and protecting users from potential threats. Vendors are urged to prioritize transparency and compliance with disclosure practices to promote secure applications and efficient patch management processes. By adopting best practices in vulnerability disclosure, vendors can contribute to a safer digital environment for all users.