Minimize Cybersecurity Risk with the Known Exploited Vulnerabilities Catalog
Secured™ recommends the CISA Known Exploited Vulnerabilities (KEV) Catalog as a source to prioritize vulnerability management. In November 2021 the Cybersecurity and Infrastructure Security Agency (CISA) started the Known Exploited Vulnerabilities (KEV) Catalog and Binding Operational Directive 22-01. The KEV catalog lists only vulnerabilities known to be actively exploited. The BOD 22-01 requires all federal civilian executive branch (FCEB) agencies to remediate all vulnerabilities in the KEV catalog. This helps organizations focus on vulnerabilities to patch. Secured encourages all enterprises to implement the CISA KEV Catalog in their vulnerability management practice.
Prioritizing Vulnerabilities
The National Vulnerability Database (NVD) is a U.S. government repository of standards-based vulnerability management data and best known for providing this CVE database. Last year over 20,000 vulnerabilities were assigned Common Vulnerabilities and Exposures (CVE) identifiers.
The KEV catalog helps prioritize vulnerability management. At the time of writing, the CISA KEV Catalog lists only 857 CVEs.
From November 1-15, 2022 over 1,190 CVEs were published, but CISA only added 8 CVEs to the KEV Catalog:
- CVE-2022-41049 Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability
- CVE-2022-41091 Microsoft Windows Mark of the Web (MOTW) Security Feature Bypass Vulnerability
- CVE-2022-41073 Microsoft Windows Print Spooler Privilege Escalation Vulnerability
- CVE-2022-41125 Microsoft Windows CNG Key Isolation Service Privilege Escalation Vulnerability
- CVE-2022-41128 Microsoft Windows Scripting Languages Remote Code Execution Vulnerability
- CVE-2021-25337 Samsung Mobile Devices Improper Access Control Vulnerability
- CVE-2021-25369 Samsung Mobile Devices Improper Access Control Vulnerability
- CVE-2021-25370 Samsung Mobile Devices Memory Corruption Vulnerability
These three Samsung vulnerabilities were published in March 2021, but are now designated to be higher priority vulnerabilities to remediate. The KEV Catalog helps pinpoint older CVEs that now have clearly demonstrated risk of exploitation and verified remediation solutions.
CISA’s KEV Catalog Three Criteria
CISA uses three criteria for submitting a vulnerability into the KEV Catalog.
From the CISA website:
- The vulnerability has an assigned Common Vulnerabilities and Exposures (CVE) ID.
- There is reliable evidence that the vulnerability has been actively exploited in the wild.
- There is a clear remediation action for the vulnerability, such as a vendor-provided update.
These three criteria show that CISA emphasizes vulnerabilities that have both evidence of real-time attacks and a clear solution to prevent exploitation, either through mitigation or workaround solutions. The directive, BOD 22-01, requires all federal civilian executive branch (FCEB) agencies remediate all vulnerabilities in the KEV Catalog. Each KEV Catalog submission has a due date to remediate the vulnerability, typically two to three weeks from its submission.
Secured™ Recommendations
Actively following new submissions to the KEV Catalog helps your organization stay apprised of key vulnerabilities and remediation solutions. Secured™ recommends all organizations complete remediation solutions by the KEV Catalog due dates. Twitter users can easily become inundated with hourly updates from @CVEnew. For Twitter users, Secured™ recommends the Twitter accounts @CISAgov and @USCERT_gov for more curated KEV Catalog updates. Secured™ also recommends subscribing to CISA’s KEV Catalog Update Bulletin, which provides email updates of new KEV Catalog submissions. Secured™ actively monitors the KEV catalog and provides organizations with security assessments that check for a wide range of vulnerabilities.