Exposed Vulnerabilities on a DoD Server: Why Intelligence Should Have Driven Early Mitigation


Last week it was reported that two RCE vulnerabilities were found to be exposed on a DoD server.  These were apparently exposed for about a year.  

Recent surveys have shown that 77% of organizations have difficulty keeping up with patching and 60% have admitted to breaches due to known but unpatched vulnerabilities.  As a result, many organizations take a threat-focused approach.  Let’s look at what the threat intelligence says about these two vulnerabilities. 

CVE-2019-0193: Remote Code Execution 

The first was CVE-2019-0192, a remote-code execution vulnerability disclosed in early March of 2019 – a month that saw nearly 700 vulnerability disclosures – so a lot to prioritize an analyze.  Within days of the disclosure, a step-by-step guide that included code examples.  Discussion continued that month and expanded into social media.  In early April of 2019, various security firm started to post analysis of the vulnerability warning of its danger.  Over the next year various bits of intelligence trickled in, including reports of exploitation in the wild. 

Using the machine-learning driven CyRating score, the CYR3CON platform analyzed the intelligence and initially pegged the vulnerability as being 30 times more likely to be exploited than average – later elevating it to the maximum score (see screenshot below). 

DOD changelog graph 

CVE-2019-0193: Apache Solr DataImportHandler Flaw 

The second vulnerability discovered was CVE-2019-0193, a flaw in Apache Solr’s optional DataImportHandler module.  This was disclosed in August - a month with over 2,000 disclosures – so the challenges to prioritize were likely intense that month. That said, there were some early indicators prior even to the full disclosure. Once disclosed, there was a flurry of discussion, including description of how to conduct the attack, available code samples, and even videos describing how to conduct the attack.

The activity was heavy in the fall of 2019 which also saw exploitation in the wild.  Mid-2020 saw a resurgence of interest in the vulnerability to include further code examples on GitHub as well as Chinese activity.  Likely due to the high level of early activity and short time to exploits appearing the wild, the CYR3CON CyRating score was maxed out at a 38.46 very soon after disclosure, but before reports of exploitation in the wild. 

Prioritize with a Focus on Threats 

While the presence of these vulnerabilities on a DoD system may seem shocking, one must consider that in the context of the size of the enterprise and the rate of disclosures. 2019 was a record year for disclosures and about 60% of vulnerabilities are at the “high” or “critical” level as reported by NIST. This is why an intelligence-driven approach is so important to making decisions when it comes to vulnerability management. 

When you consider the intelligence, these two vulnerabilities should clearly have been prioritized for remediation.