Rapid CVE Mitigation by Cato Security Research

OWASP defines virtual patching as “a security policy enforcement layer which prevents the exploitation of a known vulnerability”. Cato performs virtual patching via the IPS layer of the Cato Single Pass Cloud Engine (SPACE). Cato experts deploy new IPS rules to quickly adapt to new CVEs without requiring any customer involvement.

Selected Critical CVEs mitigated by Cato

Each entry below lists the CVE, its CVSS severity score, when Cato Security Research deployed detection, when opt-in protection (simulate mode for selected customers) became available, when global protection (prevention for all customers and all traffic) was enforced, and the resulting detect-to-protect interval.

Name: OWASSRF, MS Exchange RCE
CVE: CVE-2022-41082
Severity Score: 8.8 (High)
Description: Part of the ProxyNotShell exploit chain. OWASSRF reaches the CVE-2022-41082 remote code execution (RCE) through Outlook Web Access, bypassing the URL-rewrite mitigation published for ProxyNotShell, so unpatched versions of MS Exchange remain vulnerable to RCE.
Detection: December 21, 2022 at 5:00 PM
Opt-in Protection: December 21, 2022 at 11:29 PM
Global Protection: December 22, 2022 at 4:45 PM
Detect to Protect: 23 hours, 45 minutes

Name: Microsoft Exchange Remote Code Execution (ProxyNotShell)
CVE: CVE-2022-41040, CVE-2022-41082
Severity Score: 8.8 (High)
Description: CVE-2022-41040 is a server-side request forgery (SSRF) that Microsoft titles "Microsoft Exchange Server Elevation of Privilege Vulnerability"; an authenticated attacker uses it to reach CVE-2022-41082, which yields remote code execution.
Detection: September 30, 2022 at 1:19 PM
Opt-in Protection: September 30, 2022 at 11:25 PM
Global Protection: October 2, 2022 at 12:40 PM
Detect to Protect: 2 days, 10 hours, 6 minutes

Name: DogWalk – Microsoft Windows Support Diagnostic Tool Remote Code Execution
CVE: CVE-2022-34713
Severity Score: 7.8 (High)
Description: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability, a path-traversal variant of the MSDT issue triggered through diagnostic package (.diagcab) files.
Detection: August 10, 2022 at 11:22 AM
Opt-in Protection: August 11, 2022 at 6:38 PM
Global Protection: August 12, 2022 at 4:16 PM
Detect to Protect: 2 days, 4 hours, 54 minutes

Name: Apache Spark Remote Code Execution
CVE: CVE-2022-33891
Severity Score: 8.8 (High)
Description: The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input, and execute it. This results in arbitrary shell command execution as the user Spark is currently running as.
Detection: July 19, 2022 at 10:06 AM
Opt-in Protection: July 19, 2022 at 7:25 PM
Global Protection: July 20, 2022 at 5:23 PM
Detect to Protect: 1 day, 7 hours, 17 minutes

Name: Microsoft Support Diagnostic Tool Remote Code Execution (Follina)
CVE: CVE-2022-30190
Severity Score: 7.8 (High)
Description: Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability, reachable from Office documents that invoke the ms-msdt: URL protocol handler.
Detection: May 31, 2022 at 8:43 AM
Opt-in Protection: May 31, 2022 at 10:06 PM
Global Protection: June 1, 2022 at 5:00 PM
Detect to Protect: 1 day, 8 hours, 17 minutes

Name: VMware Tanzu Spring Cloud Function Remote Code Execution
CVE: CVE-2022-22963
Severity Score: 9.8 (Critical)
Description: In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted Spring Expression Language (SpEL) expression as a routing-expression, which may result in remote code execution and access to local resources.
Detection: March 30, 2022 at 6:00 PM
Opt-in Protection: March 30, 2022 at 11:09 PM
Global Protection: April 1, 2022 at 7:54 PM
Detect to Protect: 2 days, 1 hour, 54 minutes

Name: Log4Shell
CVE: CVE-2021-44228
Severity Score: 10.0 (Critical)
Description: In Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1), the JNDI features used in configuration, log messages, and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Detection: December 10, 2021 at 8:45 PM
Opt-in Protection: December 11, 2021 at 3:16 AM
Global Protection: December 11, 2021 at 1:47 PM
Detect to Protect: 17 hours, 2 minutes

Name: Apache HTTP Server Path Traversal
CVE: CVE-2021-41773
Severity Score: 7.5 (High)
Description: A flaw was found in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.
Detection: October 6, 2021 at 7:19 AM
Opt-in Protection: October 7, 2021 at 2:01 PM
Global Protection: October 8, 2021 at 12:05 AM
Detect to Protect: 1 day, 16 hours, 46 minutes

Name: Exchange Autodiscover Password Leak
CVE: none assigned
Severity Score: (Critical)
Description: A design weakness in the Exchange Autodiscover "back-off" procedure: clients that fail to find an Autodiscover endpoint in the user's own domain try autodiscover.<TLD> hostnames outside the organization, and can send the user's domain credentials to whoever controls those hosts.
Detection: September 30, 2021 at 2:33 PM
Opt-in Protection: September 30, 2021 at 5:40 PM
Global Protection: October 5, 2021 at 8:03 PM
Detect to Protect: 5 days, 5 hours, 30 minutes

Name: VMware vCenter RCE (II)
CVE: CVE-2021-22005
Severity Score: 9.8 (Critical)
Description: The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
Detection: September 23, 2021 at 8:36 AM
Opt-in Protection: September 23, 2021 at 6:23 PM
Global Protection: September 26, 2021 at 6:37 PM
Detect to Protect: 3 days, 10 hours, 1 minute

Name: PrintNightmare Spooler RCE Vulnerability
CVE: CVE-2021-1675
Severity Score: 8.8 (High)
Description: Windows Print Spooler Elevation of Privilege Vulnerability, as Microsoft first classified it; Microsoft later reclassified the issue as Remote Code Execution after public exploit code showed that an authenticated remote user can load an arbitrary driver DLL into the spooler service.
Detection: July 5, 2021 at 12:16 PM
Opt-in Protection: July 11, 2021 at 10:52 AM
Global Protection: July 11, 2021 at 6:44 PM
Detect to Protect: 6 days, 6 hours, 28 minutes

Name: vSphere Client (HTML5) Remote Code Execution
CVE: CVE-2021-21985
Severity Score: 9.8 (Critical)
Description: The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
Detection: May 31, 2021 at 10:55 AM
Opt-in Protection: June 1, 2021 at 9:47 PM
Global Protection: June 3, 2021 at 10:24 PM
Detect to Protect: 3 days, 11 hours, 29 minutes

Name: F5 BIG-IP / BIG-IQ iControl REST Unauthenticated RCE
CVE: CVE-2021-22986
Severity Score: 9.8 (Critical)
Description: On specific versions of BIG-IP and BIG-IQ, the iControl REST interface has an unauthenticated remote command execution vulnerability.
Detection: March 20, 2021 at 11:43 PM
Opt-in Protection: March 23, 2021 at 12:12 PM
Global Protection: March 23, 2021 at 7:21 PM
Detect to Protect: 2 days, 19 hours, 38 minutes

Name: MS Exchange SSRF (ProxyLogon)
CVE: CVE-2021-26855
Severity Score: 9.8 (Critical)
Description: Pre-authentication server-side request forgery (SSRF) in Exchange Server, the entry point of the ProxyLogon chain; Microsoft titles it "Microsoft Exchange Server Remote Code Execution Vulnerability" because it is chained with post-authentication file-write bugs to gain code execution.
Detection: March 3, 2021 at 11:03 AM
Opt-in Protection: March 4, 2021 at 10:48 PM
Global Protection: March 7, 2021 at 1:26 PM
Detect to Protect: 4 days, 2 hours, 23 minutes

Name: VMware vCenter RCE
CVE: CVE-2021-21972
Severity Score: 9.8 (Critical)
Description: The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin (the vRealize Operations plugin). A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
Detection: February 25, 2021 at 10:06 AM
Opt-in Protection: February 25, 2021 at 7:16 PM
Global Protection: February 26, 2021 at 12:03 PM
Detect to Protect: 1 day, 1 hour, 57 minutes


Why is CVE Mitigation such a challenge?

Customers often struggle with the process, resources, and time it takes to protect their networks from emerging CVEs. With a conventional IPS, every new CVE goes through the same cycle:

The vendor must research the CVE and develop a signature.

The customer must then test the signature within a maintenance window.

Customer testing must confirm that the signature does not break legitimate traffic, degrade inspection performance, or hurt the user experience.

Only when testing succeeds can the signature be activated in prevention mode.

This resource-intensive cycle leads many customers to run their Intrusion Prevention System (IPS) in detection-only mode, or to fall behind on signature updates altogether. Either way the exposure window grows, and attackers keep exploiting unpatched CVEs, old ones as much as new ones.

Fully automated Virtual Patching of Emerging CVEs with Cato Networks

Cato's process for virtual patching consists of four steps, performed by the Cato security team:

Assessment

Assessing the scope of the CVE and researching the vulnerability, in particular any exploitation of it observed in the wild.

Understanding which systems are affected and how threat actors carry out the attack.

Development

Creating a new IPS rule that virtually patches the vulnerability.

Eliminating false positives by back-testing the rule against recorded traffic metadata.

Opt-in Protection

Selective deployment of the virtual patch in "simulate mode", where it reports what it would have blocked without blocking.

Enabling opt-in prevention for specific customers.

Global Protection

Moving the virtual patch to prevention mode.

Enforcing the virtual patch across all customers and all traffic.

This process runs without any involvement of customer resources, and without putting the customer's business operations at risk.
