Front Page: NCSC-FI
Front Page: NCSC-FI

Updating vulnerable systems - Race against exploitation

Information security now!

"Update now", an obvious instruction to many administrators. Repeated often enough, it may sound dull and tiresome. How acute is it really to install critical updates?


There is no avoiding the continuous flurry of information security alerts. The continuous pressure about vulnerabilities and information security alerts causes stress, which is sometimes referred to as alert fatigue.

Administrators, information security experts, and decision makers holding the budget for more resources may wonder whether there is really such a hurry to complete these tasks.

Here are three examples from our weekly news report:

Example 1: Fortinet SSL VPN (CVE-2018-13379)
Attackers can read confidential VPN information, like passwords or private keys, with a simple HTTP request.
Update available 24.5.2019 (External link) 
Exploit available 14.8.2019
Large scale exploitation observed 22.8.2019 (External link)

Example 2: Pulse Secure VPN (CVE-2019-11510)
Attackers can read confidential VPN device information with a simple HTTP request.
Update available 24.4.2019 (External link)
Exploit available 21.8.2019
Large scale exploitation observed 22.8.2019 (External link)

Example 3: Webmin (CVE-2019-15107)
Attackers can perform remote code execution with administrator rights with a simple HTTP request.
Update available 18.8.2019 (External link)
Exploit available 12.8.2019
Large scale exploitation observed 21.8.2019 (External link)
Note: The exploitation was publicly available before the update was available, making this a zero day vulnerability.

Ready, set, update

Last of the three examples, Webmin, was a zero day vulnerability and requires immediate action.

The two other examples were also exploited by actors who recognised vulnerable targets. The exploitation, conducted with automated scripts, could have been avoided within a three to four month period.

Even with months of notice, thousands of devices were not updated when the vulnerability was made public (External link).

When an exploit to a known vulnerability is published, a race between criminals begins. Who will be the first to create the most efficient, automated exploit? At this stage an organisation is late with installing critical updates, as targeted exploitation will begin immediately, followed by wider scale exploitation within a week's time.

If an organisation's update processes do not keep up with update release cycles, this has to be considered as a threat to business continuity in the decision maker's risk management review.

In this case there are usually two options:

  • Minimizing risks by improving update cycles with new job roles or automation
  • Accepting the risk of system intrusion caused by update delays

No single administrator can solve structural issues, and they are left with communicating the risks higher up in their organisation.

Read more