The risks of silent patching and why it should stop
The goal of vulnerability research is to improve security for the industry as a whole by helping software and device vendors fix vulnerabilities within their products.
Unfortunately, some vendors hamper improvements with silent fixes, which bypass the public disclosure and documentation of vulnerabilities and their patches. Ultimately, their customers, partners, and the cybersecurity community pay the price for silent fixes.
Over the past two years, my colleagues at Forescout Technologies and I have been working on Project Memoria, an in-depth study of vulnerabilities in the TCP/IP stacks that connect millions of devices operating in many critical industries. Our researchers discovered 97 vulnerabilities in 14 TCP/IP stacks across 3 billion IoT, operational technology (OT) and IT devices. We have spent months discussing with government officials and affected vendors how to mitigate these risks.
Disclosure of vulnerabilities is not always appreciated. Some vendors will do anything to avoid drawing attention to these risks, even if that means continuing to push these issues onto their customers, partners, and even other IoT devices. Some vendors refuse to acknowledge their vulnerabilities, which is why working with government officials can help. Others refuse to prioritize a response but may instead silently patch the vulnerabilities. Silent fixes are cause for concern.
Silent patches occur when vulnerabilities are discovered and fixed privately, but no Common Vulnerabilities and Exposures (CVE) ID is assigned for public documentation. While it may appear that vendors who silently patch vulnerabilities have responsibly fixed an immediate problem, the lack of public disclosure and documentation leads to a variety of challenges.
A disturbing snapshot from Project Memoria reveals how silently patched vulnerabilities persist in millions of critical connected devices. In NUCLEUS:13 we found instances of vulnerabilities that had been silently fixed for the second time. This means that millions of vulnerable devices could still be running without the knowledge of the companies that use them, because their vendors remained silent about the fixes.
The convergence of IT and OT systems, coupled with an ever-growing number of connected devices and industrial IoT, means that TCP/IP software vulnerabilities give attackers the potential to wreak havoc across multiple industries.
The domino effect in the supply chain
If you’ve ever had a water leak in your home, you know stopping the leak is only the first step. Not only do you have to clean up all the water in that room, but you also have to think about how other rooms in the house are affected, if there might be invisible damage to floors and ceilings, mold, mildew, etc. This same mindset should apply to patching vulnerabilities.
For example, in Forescout's 2021 NAME:WRECK report, our researchers rediscovered a vulnerability, now tracked as CVE-2016-2009, that Exodus Intelligence had first disclosed in 2016. At the time, the vulnerability was never given a CVE ID, nor publicly reported by the vendor. The silent patch left other critical devices carrying the same vulnerability exposed to attack for at least five years.
Much like a water leak, a manufacturer may have patched a vulnerability to secure one IoT device, but other devices with the same issue were left exposed. After this vulnerable stack was rediscovered in 2021, other critical infrastructure providers whose products use the vulnerable software, such as Siemens gas turbines, BD Alaris infusion pumps and General Electric healthcare devices, have had to publish their own advisories.
An inconvenient burden
Beyond negatively affecting the security posture of customers and partners, silent patches are a major annoyance for security researchers. The process of working with affected vendors to identify and remediate vulnerabilities is already complex and difficult enough as many companies refuse to acknowledge the situation or do anything to prioritize a response. Applying silent patches makes the process even more difficult.
When security researchers independently rediscover vulnerabilities that were never given a CVE ID or disclosed publicly, it forces them to repeat work that should already have been completed and distracts attention from other valuable work that could be carried out. It also creates the problem of coordinating with all of the original researchers who discovered the vulnerability, further complicating the disclosure process and wasting more time.
Ultimately, silent patching extends the remediation process, from issuing a CVE ID to alerting customers and partners throughout the supply chain. Acting more effectively and publicly disclosing fixes immediately can optimize everyone’s time to find and fix vulnerabilities so that we can get back to our goal of securing the industry as a whole.
About the Author
Daniel dos Santos holds a doctorate in Computer Science from the University of Trento, Italy, and has published over 30 journal and conference papers on cybersecurity. He has experience in software development, security testing and research. He is now Senior Research Director at Forescout Technologies, leading a vulnerability and threat research team and collaborating in the research and development of innovative features for network security monitoring.