The goal of vulnerability research is to improve the security of the industry at large by helping software and device vendors fix vulnerabilities within their products.
Unfortunately, some vendors hinder the improvements with silent patching, which circumvents the public disclosure and documentation of vulnerabilities and their patches. Ultimately, their customers, partners and the cybersecurity community pay the price for silent patching.
During the past two years, my Forescout Technologies colleagues and I have worked on Project Memoria, an extensive study of vulnerabilities in the TCP/IP stacks that connect millions of operational technology devices in many critical industries. Our researchers discovered 97 vulnerabilities in 14 TCP/IP stacks across 3 billion IoT, operational technology (OT) and IT devices. We spent months speaking with government officials and affected vendors about how to mitigate these risks.
Vulnerability disclosure is not always appreciated. Some vendors will do anything to avoid drawing attention to these risks, even if it means continuing to pass these problems along to their customers, partners and even other IoT devices as a result. Some vendors refuse to acknowledge their vulnerabilities, which is why working with government officials can help. Others refuse to prioritize a response but instead may silently patch vulnerabilities. Silent patching raises concern.
Silent patching occurs when vulnerabilities are discovered and privately fixed, but never assigned a Common Vulnerabilities and Exposures (CVE) ID available for public documentation. Although it may seem that vendors that silently patch vulnerabilities have been responsible in addressing an immediate problem, the lack of public disclosure and documentation can cause a variety of challenges.
An unsettling insight from Project Memoria reveals how silently patched vulnerabilities exist in millions of critical connected devices. In Nucleus:13 we found instances of silently patched vulnerabilities for the second time. That means that millions of vulnerable devices could still be operating unbeknownst to the companies using them because their vendors remained silent about their patches.
The convergence of IT and OT systems, coupled with an ever-increasing number of connected devices and industrial IoT, means that TCP/IP software vulnerabilities could allow attackers to wreak havoc across multiple industries.
The domino effect in the supply chain
If you've ever had a water leak in your house, you know that stopping the leak is only the first step. Not only do you need to clean up all of the water in that room, but you also need to think about how other rooms in the house are affected, if there could be unseen damage in floors and ceilings, mold and so forth. This same mentality should apply to patching vulnerabilities.
For example, in Forescout's 2021 report Name:Wreck, our researchers discovered vulnerability CVE-2016-20009, which had previously been brought to light by Exodus Intelligence in 2016. At the time, the vulnerability was not assigned a CVE ID, nor was it publicly reported by the vendor. Silent patching left other critical devices with that same vulnerability susceptible to attacks for at least five years.
Just like with a water leak, a manufacturer may have patched a vulnerability to secure an IoT device, but other devices with the same problem were left with molding security. After we rediscovered this vulnerable stack in 2021, other vendors of critical infrastructure that use the vulnerable software had to release advisories for products such as Siemens gas turbines, BD Alaris infusion pumps and General Electric healthcare devices.
A troublesome burden
Beyond negatively affecting the security posture of customers and partners, silent patching is a major annoyance to security researchers. The process of working with affected vendors to identify and fix vulnerabilities is already complex and difficult enough because many companies refuse to acknowledge the situation or do anything to prioritize a response. Silent patching makes the process even more challenging.
When security researchers independently rediscover vulnerabilities that were never issued a CVE ID or publicly disclosed, it forces them to repeat work that should have already been completed and distracts from other valuable work that could be done. It also creates the issue of coordinating with any original researchers who discovered the vulnerability, further complicating the disclosure process and wasting more time.
Ultimately, silent patching prolongs the remediation process -- from issuing a CVE ID to alerting customers and partners through the supply chain. Acting with greater efficiency and publicly disclosing patches right away can optimize everyone's time researching and patching vulnerabilities so that we can get back to our goal of securing the industry at large.
About the author
Daniel dos Santos holds a Ph.D. in computer science from the University of Trento, Italy, and has published over 30 journal and conference papers on cybersecurity. He has experience in software development, security testing and research. He is now senior research manager at Forescout Technologies, leading a vulnerability and threat research team, as well as collaborating on the research and development of innovative features for network security monitoring.