Rapid CVE Mitigation by Cato Security Research
OWASP defines virtual patching as “a security policy enforcement layer which prevents the exploitation of a known vulnerability”. Cato performs virtual patching via the IPS layer of the Cato Single Pass Cloud Engine (SPACE). Cato experts deploy new IPS rules to quickly adapt to new CVEs without requiring any customer involvement.
Selected Critical CVEs mitigated by Cato
Name
Solarwind SERV-U Directory Traversal
CVE
CVE-2024-28995
Severity Score
10 (Critical)
Detect to Protect
0 * Due to a generic signature
Description
SolarWinds Serv-U directory traversal. Allowing access to read sensitive files on the host machine.
Detection
June 7, 2024 at 11:00 PM
Opt-in Protection
0 * Due to a generic signature
Global Protection
0 * Due to a generic signature
Name
ConnectWise ScreenConnect Authentication Bypass
CVE
CVE-2024-1709
Severity Score
10 (Critical)
Detect to Protect
4 days
Description
ConnectWise ScreenConnect 23.9.7 and prior are affected by an Authentication Bypass Using an Alternate Path or Channel vulnerability, which may allow an attacker direct access to confidential information or critical systems.
Detection
February 21, 2024
Opt-in Protection
February 23, 2024, 10:45 AM UTC
Global Protection
February 25, 2024, 09:00 AM UTC
Name
Jenkins Arbitrary File Read
CVE
CVE-2024-23897
Severity Score
9.8 (Critical)
Detect to Protect
2 days
Description
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
Detection
January 27, 2024
Opt-in Protection
January 28, 2024, 21:50 PM
Global Protection
January 29, 2024, 17:30 PM
Name
Atlassian Confluence Data Center & Server Remote Code Execution
CVE
CVE-2023-22527
Severity Score
10 (Critical)
Detect to Protect
1 Day
Description
A Remote Code Execution vulnerability in Atlassian Confluence Server & Data Center, allowing unauthenticated attackers to gain RCE access through template injection.
Detection
January 22, 2024
Opt-in Protection
January 22, 2024, 19:00 UTC
Global Protection
January 23, 2024, 11:00 UTC
Name
Apache Struts 2 File Upload Remote Code Execution
CVE
CVE-2023-50164
Severity Score
9.8 (Critical)
Detect to Protect
1 day
Description
Remote code execution via flawed file upload logic in Apache Struts 2 web framework, allowing for arbitrary file upload and code execution
Detection
POC available – December 12, 2023
Opt-in Protection
December 12, 2023
Global Protection
December 13, 2023
Name
Cisco IOS XE Web UI Privilege Escalation Vulnerability
CVE
CVE-2023-20198
Severity Score
10 (Critical)
Detect to Protect
2 days
Description
Privilege escalation is possible in internet facing Cisco devices running IOS XE and have the HTTP Web UI feature running
Detection
POC available – October 30, 2023 20:30 UTC
Opt-in Protection
October 31, 2023 20:00 UTC
Global Protection
November 1, 2023 20:00 UTC
Name
cURL SOCKS5 Proxy Heap Buffer Overflow
CVE
CVE-2023-38545
Severity Score
7.5 (High)
Detect to Protect
1 day and 3 hours
Description
A Heap Buffer Overflow vulnerability in hostname resolution during a SOCKS5 proxy handshake can result in malicious code execution by a vulnerable libcurl implementation
Detection
October 11, 2023 06:30 UTC
Opt-in Protection
October 11, 2023 20:00 UTC
Global Protection
October 12, 2023 9:30 UTC
Name
Atlassian Confluence Data Center & Server Privilege Escalation Vulnerability
CVE
CVE-2023-22515
Severity Score
10 (Critical)
Detect to Protect
1 day and 23 hours
Description
A Privilege Escalation Vulnerability in the on-premises version of Atlassian Confluence Server & Data Center, allowing attackers to exploit a vulnerable endpoint to create unauthorized administrator users and gain server access
Detection
October 4, 2023 13:00 UTC
Opt-in Protection
October 5, 2023 11:00 UTC
Global Protection
October 6, 2023 12:00 UTC
Name
MOVEit Transfer SQLi
CVE
CVE-2023-34362
Severity Score
10 (Critical)
Detect to Protect
3 days and 6 hours
Description
An SQLi in the managed file transfer (MFT) solution MOVEit Transfer by InProgress allows attackers to execute SQL commands and can result in installation of a dedicated backdoor allowing for RCE.
Detection
June 6, 2023 at 8:00 AM
Opt-in Protection
June 8, 2023 16:30 PM
Global Protection
June 9, 2023 14:00 PM
Name
Microsoft Outlook Remote Hash Vulnerability
CVE
CVE-2023-23397
Severity Score
9.8 (Critical)
Detect to Protect
0*
Description
Microsoft Outlook Elevation of Privilege Vulnerability * On the zero time: Outbound SMB traffic is blocked by default on Cato’s firewall
Detection
March 3, 2023 at 8:02 AM
Opt-in Protection
March 3, 2023 8:02 AM
Global Protection
March 3, 2023 8:02 AM
Name
OWASSRF, MS Exchange RCE
CVE
CVE-2022-41082
Severity Score
8.8 (High)
Detect to Protect
23 hours, 45 minutes
Description
Part of the ProxyNotShell exploit chain, some versions of MS Exchange are vulnerable to RCE (Remote Code Execution)
Detection
December 21, 2022 at 5:00 PM
Opt-in Protection
December 21, 2022 at 11:29 PM
Global Protection
December 22, 2022 at 4:45 PM
Name
Microsoft Exchange Remote Code Execution
CVE
CVE-2022-41040, CVE-2022-41082
Severity Score
8.8 (High)
Detect to Protect
2 days, 10 hours, 6 minutes
Description
Microsoft Exchange Server Elevation of Privilege Vulnerability
Detection
Sep 30th, 2022 at 1:19 PM
Opt-in Protection
September 30, 2022 at 11:25 PM
Global Protection
October 2, 2022 at 12:40 PM
Name
DogWalk – Microsoft Windows Support Diagnostic Tool Remote Code Execution
CVE
CVE-2022-34713
Severity Score
7.8 (High)
Detect to Protect
2 days, 4 hours, 54 minutes
Description
Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability
Detection
Aug 10th, 2022 at 11:22 AM
Opt-in Protection
August 11, 2022 at 6:38 PM
Global Protection
August 12, 2022 at 4:16 PM
Name
Apache Spark Remote Code Execution
CVE
CVE-2022-33891
Severity Score
8.8 (High)
Detect to Protect
1 day, 7 hours, 17 minutes
Description
The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This will result in arbitrary shell command execution as the user Spark is currently running as
Detection
July 19, 2022 at 10:06 AM
Opt-in Protection
July 19, 2022 at 7:25 PM
Global Protection
July 20, 2022 at 5:23 PM
Name
Microsoft Support Diagnostic Tool Remote Code Execution
CVE
CVE-2022-30190
Severity Score
7.8 (High)
Detect to Protect
1 day, 8 hours, 17 minutes
Description
Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.
Detection
May 31st, 2022 at 8:43 AM
Opt-in Protection
May 31, 2022 at 10:06 PM
Global Protection
June 1, 2022 at 5:00 PM
Name
VMware Tanzu Spring Cloud Function Remote Code Execution
CVE
CVE-2022-22963
Severity Score
9.8 (Critical)
Detect to Protect
2 days, 1 hour, 54 minutes
Description
In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources
Detection
Mar 30th, 2022 at 6:00 PM
Opt-in Protection
March 30, 2022 at 11:09 PM
Global Protection
April 1, 2022 at 7:54 PM
Name
Log4shell
CVE
CVE-2021-44228
Severity Score
10.0 (Critical)
Detect to Protect
17 hours, 2 minutes
Description
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled
Detection
Dec 10th, 2021 at 8:45 PM
Opt-in Protection
December 11, 2021 at 3:16 AM
Global Protection
December 11, 2021 at 1:47 PM
Name
Apache HTTP Server Path Traversal
CVE
CVE-2021-41773
Severity Score
7.5 (High)
Detect to Protect
1 day, 16 hours, 46 minutes
Description
A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution
Detection
Oct 6th, 2021 at 7:19 AM
Opt-in Protection
October 7, 2021 at 2:01 PM
Global Protection
October 8, 2021 at 12:05 AM
Name
Exchange Autodiscover Password
CVE
Severity Score
(Critical)
Detect to Protect
5 days, 5 hours, 30 minutes
Name
VMware vCenter RCE (II)
CVE
CVE-2021-22005
Severity Score
9.8 (Critical)
Detect to Protect
3 days, 10 hours, 1 minute
Description
The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file
Detection
Sep 23rd, 2021 at 8:36 AM
Opt-in Protection
September 23, 2021 at 6:23 PM
Global Protection
September 26, 2021 at 6:37 PM
Name
PrintNightmare Spooler RCE Vulnerability
CVE
CVE-2021-1675
Severity Score
8.8 (High)
Detect to Protect
6 days, 6 hours, 28 minutes
Description
Windows Print Spooler Elevation of Privilege Vulnerability
Detection
Jul 5th, 2021 at 12:16 PM
Opt-in Protection
July 11, 2021 at 10:52 AM
Global Protection
July 11, 2021 at 6:44 PM
Name
Sphere Client (HTML5) Remote Code Execution
CVE
CVE-2021-21985
Severity Score
9.8 (Critical)
Detect to Protect
3 days, 11 hours, 29 minutes
Description
The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server
Detection
May 31, 2021 at 10:55 AM
Opt-in Protection
June 1, 2021 at 9:47 PM
Global Protection
June 3, 2021 at 10:24 PM
Name
F5 Vulnerability
CVE
CVE-2021-22986
Severity Score
9.8 (Critical)
Detect to Protect
2 days, 19 hours, 38 minutes
Description
On specific versions of BIG-IP and BIG-IQ , the iControl REST interface has an unauthenticated remote command execution vulnerability
Detection
Mar 20th, 2021 at 11:43 PM
Opt-in Protection
Mar 23rd, 2021 at 12:12 PM
Global Protection
March 23, 2021 at 7:21 PM
Name
MS Exchange SSRF
CVE
CVE-2021-26855
Severity Score
9.8 (Critical)
Detect to Protect
4 days, 2 hours, 23 minutes
Description
Microsoft Exchange Server Remote Code Execution Vulnerability
Detection
March 3, 2021 at 11:03 AM
Opt-in Protection
March 4, 2021 at 10:48 PM
Global Protection
March 7, 2021 at 1:26 PM
Name
VMWare VCenter RCE
CVE
CVE-2021-21972
Severity Score
9.8 (Critical)
Detect to Protect
1 day, 1 hour, 57 minutes
Description
The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
Detection
February 25, 2021 at 10:06 AM
Opt-in Protection
February 25, 2021 at 7:16 PM
Global Protection
February 26, 2021 at 12:03 PM
Why is CVE Mitigation such a challenge?
Customers often struggle with the process, resources, and time it takes to protect their networks from emerging CVEs. Here is why:
The vendor must research the CVE and develop a signature
The customer needs to test the signature within a maintenance window
Customer testing must ensure the signature is not breaking the traffic or impacting inspection performance or the user experience
Only when testing is successful, can the signature be activated
This resource intensive process causes many customers to move their Intrusion Prevention System (IPS) to detection mode or fall behind on maintaining optimal security posture. This increases the risk of a breach as attackers attempt to exploit unpatched CVEs including old ones.
Fully automated Virtual Patching of Emerging CVEs with Cato Networks
Cato’s process for virtual patching consists of four steps, performed by the Cato security team:
Assessment
Assessing the scope of the CVE and researching the vulnerability. Specifically, any occurrences of attacks using this CVE in the wild.
Understanding which systems are affected and how threat actors perform the attack
Development
Creating a new IPS rule to virtually patch the vulnerability
Eliminating false positives based on back testing against traffic meta data
Opt-in Protection
Selective deployment of the virtual patch in "simulate mode"
Enabling opt-in prevention for specific customers
Global Protection
Moving the virtual patch to prevention mode
Enforcing the virtual patch across all customers and all traffic
This process runs without any involvement of customer resources, and without risking the customer business operation.