The term “zero-day” indicates no time between developers discovering a vulnerability and attackers exploiting it.
According to the Indusface zero-day vulnerability report, over 700 0-day vulnerabilities were identified in Q3, 2023.
This blog outlines the risks that zero-day exploits cause and how to reduce the window of vulnerability through virtual patching.
What is Zero Day Vulnerability?
A “zero-day vulnerability” is a security flaw or weakness in a software application, operating system, or hardware device unknown to the vendor or the public.
Key Characteristics of Zero-Day Vulnerabilities
- Undisclosed: Zero-day vulnerabilities are unknown to the software or hardware vendor, which means they are unaware of the issue.
- No Patch Available: Since the vendor is unaware of the vulnerability, no official patch or fix addresses the issue.
- Exploitable: Attackers can craft exploits to take advantage of the vulnerability; since it’s unknown, there are no defenses or countermeasures.
Zero-Day Vulnerabilities Identified Q3, 2023
The following graph showcases the zero-day vulnerabilities discovered by security researchers during Q3 of 2023:
Recent Examples of Publicly Disclosed Zero-Day Vulnerabilities
In 2023, several zero-day vulnerabilities came to light:
CVE-2023-35708 (MOVEit Transfer): This vulnerability allows attackers to use SQL injection to breach MOVEit Transfer databases. They can even delete the databases, disrupting business operations for extortion. The Lace Tempest Ransomware group discovered this vulnerability, responsible for Cl0p ransomware attacks on 27 companies, including Shell and U.S. government agencies. Notably, this vulnerability was part of a cluster of overlapping vulnerabilities, including CVE-2023-35036 and CVE-2023-34362.
CVE-2023-26360 (Adobe ColdFusion): In March 2023, a significant security flaw was found in Adobe ColdFusion, identified as CVE-2023-26360. Attackers can execute arbitrary code remotely due to poor access control. This puts sensitive information at risk and allows unauthorized access to ColdFusion servers.
CVE-2023-38035 (Ivanti): Ivanti’s product faces a severe zero-day vulnerability in 2023, marked as CVE-2023-38035. This flaw grants unauthenticated attackers unauthorized access to sensitive APIs. They could manipulate configurations, execute commands, or write files on the system.
CVE-2023-44487 (HTTP/2 Rapid Reset): The HTTP/2 Rapid Reset vulnerability enables large-scale DDoS attacks in 2023 by overwhelming web servers. Attackers have targeted major service providers like Google, AWS, and Cloudflare. Strong protective measures are needed to counter this threat.
While the victim vendors raced to create patches for these vulnerabilities, application-specific virtual patches were instrumental in reducing the window of vulnerability. On AppTrana WAAP, less than 7% of zero-day vulnerabilities required application-specific custom rules.
Zero-Day Threat Coverage on WAAP/WAF
Zero-day vulnerabilities pose complex challenges long before anyone detects a problem. Once these vulnerabilities come to light, developers get a chance to fix their systems.
However, in most cases, applying permanent patches can be time-consuming, sometimes spanning months, which leaves digital assets vulnerable to attacks.
A WAF/WAAP protects against the latest application layer threats, offering a virtual patch and real-time protection as threats evolve while organizations work on implementing patches.
Virtual patching acts as a rapid defense mechanism against known vulnerabilities. It establishes a barrier that blocks attacks, particularly in the face of zero-day exploits when official updates are absent.
Here are scenarios where virtual patching plays a vital role:
- Virtual patches serve as critical protection for enterprises, bridging the gap until a vendor releases an official software patch to address a new vulnerability.
- Many large enterprises following traditional patch management methods don’t roll out patches immediately. Their testing phase adds more delays after a vendor issues a software patch. Virtual patching takes on significant importance during the initial stages of an active exploit campaign, delivering essential protection for known vulnerabilities while the enterprise evaluates the vendor’s patch.
- Virtual patching becomes even more vital for protecting mission-critical assets that require careful planning and cannot afford downtime.
When developing a virtual patch, it is essential to uphold the two primary aspects of WAAP/WAF: ensuring that legitimate traffic is not blocked by mistake (avoiding false positives) and adhering to SLA for virtual patching.
As with any rule in a WAF, there is a risk of false positives. The managed service team of your WAF provider should assess the accuracy of the rules they write to prevent false positives.
The second critical factor is the time taken by the security team to apply a particular patch. Ideally, mitigation should occur ASAP when dealing with actively exploited vulnerabilities. Find a WAAP vendor that specifies SLAs on application-specific virtual patches.
With AppTrana WAAP, SLAs guarantee virtual patches within 24 hours for all critical vulnerabilities, and the managed services team will serve as an extended SOC team, testing for false positives in any rule they create.
This graph provides insight into the number of zero-day vulnerabilities discovered each week and how the default rules set and application-specific virtual patches on AppTrana WAAP blocked these vulnerabilities.
Remember the Basics:
The success of a zero-day attack depends on the organization’s “window of exposure,” or the time between the discovery of a vulnerability and the release of a patch that fixes it.
Organizations must adopt a complete security approach, combining secure coding practices, thorough vulnerability management, timely patch application, and the latest threat intelligence to limit the impact of zero-day exploits.
Continuously monitoring and enhancing the security of web applications is essential in stopping potential vulnerabilities, including those arising from zero-day risks.