CVSS scored these two Palo Alto CVEs as manageable. Chained, they put root access within reach on more than 13,000 exposed devices.

Operation Lunar Peek: A Lesson in Vulnerability Management

Back in November 2024, during Operation Lunar Peek, attackers chained two PAN-OS flaws: an authentication bypass that gave unauthenticated remote admin access to the management interface, followed by a privilege escalation to root, across more than 13,000 exposed Palo Alto Networks management interfaces. Palo Alto Networks rated CVE-2024-0012 at 9.3 and CVE-2024-9474 at 6.9 under CVSS v4.0; NVD scored the same vulnerabilities at 9.8 and 7.2 under CVSS v3.1. The discrepancy shows how much a number depends on the framework and the scorer. The more important limitation is that neither framework rates the combination: each score describes one flaw in isolation, while the attack depended on both.

Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, emphasized that adversaries exploit vulnerabilities by chaining them together. Triage logic that does not recognize these chains scores each link on its own, and the lower-scored link gets deferred.

Despite both CVEs being listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, neither the listings nor the scores flagged the combined kill chain. Vulnerabilities have to be assessed as interconnected rather than treated as isolated findings.

CVSS does what it was designed to do: score the technical severity of an individual vulnerability. It does not capture the real-world context in which that vulnerability is exploited. Peter Chronis, a seasoned security leader, and Chris Gibson of FIRST have both criticized overreliance on CVSS base scores for prioritization, advocating an approach that also weighs exploitation probability and uses decision-tree logic to arrive at a patch decision.

Addressing Triage Failures in Vulnerability Management

As the volume of disclosed CVEs keeps rising, security teams face challenges that a single-vulnerability scoring system like CVSS was never designed to handle.

1. Chained CVEs: The Compound Effect

The Palo Alto vulnerabilities from Operation Lunar Peek show how chaining multiplies impact. The authentication bypass (CVE-2024-0012) on its own yields admin access to a management interface; the privilege escalation (CVE-2024-9474) presupposes an authenticated administrator, which is why it carries a 6.9 and is easy to defer. Together they give an unauthenticated attacker root. Each finding has to be assessed alongside the others present on the same asset, not in isolation.

2. Nation-State Adversaries: Swift Weaponization

Nation-state adversaries now weaponize vulnerabilities within days of disclosure. A patch window measured in weeks leaves that exploitation window open, so internet-facing systems need shorter ones.

3. Stockpiled CVEs: Lingering Threats

Some adversaries hold onto vulnerabilities and exploit them long after patches are released, counting on systems that were never updated. A known vulnerability does not age out of the attacker's toolkit; unpatched exposure has to be tracked until it is closed.

4. Identity Gaps: Overlooked Vulnerabilities

Not every weakness is a CVE. Human process gaps, such as weak identity verification, can pose risks as serious as a software flaw. Because there is nothing for a scoring system to score, they fall outside traditional vulnerability management entirely, which is exactly why a more holistic approach has to account for them.

5. AI-Accelerated Discovery: Scaling Challenges

AI-driven vulnerability discovery cuts both ways. It uncovers vulnerabilities faster, and the disclosures it produces strain triage and patch pipelines sized for today's volume. Security teams must plan to scale their operations before the growth in disclosed vulnerabilities arrives.

Empowering Security Directors

Security directors can take proactive steps to address these emerging challenges in vulnerability management:

1. Conduct a chain-dependency audit on KEV CVEs: for each KEV entry present in the estate, identify the other findings on the same asset that turn it into a full chain, and prioritize the chain rather than its weakest-scored link

2. Compress patch SLAs for internet-facing systems, where the exploitation window is measured in days

3. Build aging reports for unpatched KEV CVEs, measured from the date of KEV listing, so stockpiled vulnerabilities do not linger unnoticed

4. Include identity-surface controls in vulnerability reporting, alongside the CVE-based findings

5. Stress-test pipeline capacity for increased CVE volumes before AI-accelerated discovery raises them
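The chain effect described under "Chained CVEs" above and the first three director actions (chain-dependency audit, compressed SLAs, KEV aging) can be expressed as a small triage routine over a host-level CVE inventory. The following is an added example written for this article, not code from Palo Alto Networks, CISA, FIRST or any scanner. The hostnames, the exploit-stage labels, the SLA thresholds, the placeholder non-KEV finding and the "today" date are constructed for the example; the KEV listing date is illustrative rather than an authoritative record. The only real identifiers are the two Lunar Peek CVEs and their published CVSS v4.0 base scores.

```python
# Chain-aware triage over a CVE inventory: chain audit, patch SLA, KEV aging.
# Added illustration for this article; not code from Palo Alto Networks, CISA,
# FIRST or any scanner. Stage labels, hosts, SLA thresholds and the KEV date
# are constructed for the example.
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Exploit stages in the order an attacker chains them: an entry-point stage
# first, then stages that deepen access. Labels are this example's own.
CHAIN_ORDER = ["auth_bypass", "rce", "privesc"]
ENTRY_STAGES = {"auth_bypass"}
DEEPENING_STAGES = {"rce", "privesc"}


@dataclass(frozen=True)
class Finding:
    cve: str
    product: str
    host: str
    stage: str                 # one of CHAIN_ORDER
    cvss: float                # vendor base score as published
    in_kev: bool
    kev_added: Optional[date]  # illustrative date, not an authoritative KEV record
    internet_facing: bool


# Constructed inventory: the Lunar Peek pair on an exposed firewall, the
# privilege escalation alone on an internal one, and a placeholder non-KEV
# finding (its CVE id is a dummy, not a real identifier).
INVENTORY = [
    Finding("CVE-2024-0012", "PAN-OS", "fw-edge-01", "auth_bypass", 9.3, True, date(2024, 11, 18), True),
    Finding("CVE-2024-9474", "PAN-OS", "fw-edge-01", "privesc", 6.9, True, date(2024, 11, 18), True),
    Finding("CVE-2024-9474", "PAN-OS", "fw-core-02", "privesc", 6.9, True, date(2024, 11, 18), False),
    Finding("CVE-0000-PLACEHOLDER", "example-app", "web-03", "rce", 7.5, False, None, True),
]
DEMO_TODAY = date(2024, 12, 2)  # constructed "today" for the aging report


def chain_audit(findings: list[Finding]) -> list[dict]:
    """Flag (host, product) pairs where an entry-point stage sits next to a
    deepening stage. The chain takes the highest member score, so the 6.9
    privilege escalation behind a 9.3 unauthenticated bypass is treated as 9.3."""
    by_asset: dict[tuple[str, str], list[Finding]] = defaultdict(list)
    for f in findings:
        by_asset[(f.host, f.product)].append(f)
    chains = []
    for (host, product), fs in by_asset.items():
        stages = {f.stage for f in fs}
        if stages & ENTRY_STAGES and stages & DEEPENING_STAGES:
            ordered = sorted(fs, key=lambda f: CHAIN_ORDER.index(f.stage))
            chains.append({
                "host": host,
                "product": product,
                "cves": [f.cve for f in ordered],
                "chain_score": max(f.cvss for f in fs),
                "unauthenticated_root": "privesc" in stages,
            })
    return chains


def effective_scores(findings: list[Finding]) -> dict[tuple[str, str], float]:
    """{(host, cve): score} where chain members inherit the chain score and
    isolated findings keep their own base score."""
    chained = {(c["host"], cve): c["chain_score"]
               for c in chain_audit(findings) for cve in c["cves"]}
    return {(f.host, f.cve): chained.get((f.host, f.cve), f.cvss) for f in findings}


def patch_sla_days(f: Finding, chained: bool) -> int:
    """Illustrative SLA policy in days. KEV plus exposure or a chain gets the
    shortest window; any other KEV or internet-facing finding the middle one."""
    if f.in_kev and (f.internet_facing or chained):
        return 3
    if f.in_kev or f.internet_facing:
        return 14
    return 30


def aging_report(findings: list[Finding], today: date) -> list[dict]:
    """Rows for unpatched KEV findings: age since KEV listing, SLA, days overdue.
    Sorted so the most overdue, then the oldest, come first."""
    chained_keys = {(c["host"], cve) for c in chain_audit(findings) for cve in c["cves"]}
    rows = []
    for f in findings:
        if not f.in_kev or f.kev_added is None:
            continue
        chained = (f.host, f.cve) in chained_keys
        age = (today - f.kev_added).days
        sla = patch_sla_days(f, chained)
        rows.append({"host": f.host, "cve": f.cve, "chained": chained,
                     "age_days": age, "sla_days": sla,
                     "overdue_days": max(0, age - sla)})
    return sorted(rows, key=lambda r: (-r["overdue_days"], -r["age_days"]))


if __name__ == "__main__":
    for c in chain_audit(INVENTORY):
        print(f"CHAIN {c['host']} {' -> '.join(c['cves'])} score={c['chain_score']} "
              f"unauth_root={c['unauthenticated_root']}")
    for r in aging_report(INVENTORY, DEMO_TODAY):
        print(f"{r['host']:12} {r['cve']:15} chained={r['chained']!s:5} "
              f"age={r['age_days']:3}d sla={r['sla_days']:2}d overdue={r['overdue_days']}d")
```

The part a scanner will not give you is the stage label: vulnerability feeds list CVEs per host, but whether a CVE is an entry point or a deepening step has to be read out of the advisory and recorded once per CVE. With that label in place, the same CVE-2024-9474 lands at 9.3 on the exposed firewall where the bypass sits in front of it and stays at 6.9 on the internal one, and the aging report shows the chained pair overdue against a three-day SLA while the isolated copy is still inside its window. Items 4 and 5 of the list (identity controls, pipeline capacity) are organizational and are not modelled here.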

By adopting a comprehensive approach that considers the interconnected nature of vulnerabilities and the evolving threat landscape, security directors can strengthen their organization’s resilience to cyber threats.