
The Seriousness of the Twitter Vulnerability: The Latest Updates and Solutions

  • dismekeavaslay
  • Aug 17, 2023
  • 6 min read


If you believe you have discovered a possible vulnerability in the Twitter service, please file a report with our security team including information and detailed instructions about how to reproduce the issue. You can file your report here.




The Seriousness of the Twitter Vulnerability



Twitter says it has analyzed the recently advertised databases allegedly containing the information of hundreds of millions of its users and found no evidence that a vulnerability has been exploited.


In August 2022, Twitter informed customers that a vulnerability in its systems had been exploited to obtain user data. The flaw, patched in January 2022, was used to determine whether a specified phone number or email address was tied to an existing Twitter account.


While CVSS scores can inform vulnerability remediation strategies, Kenna Security, acquired last year by Cisco, argues that there are better prioritization signals like focusing on flaws with exploit code and counting the number of times a vulnerability is mentioned on Twitter.


Kenna Security has been working with the Cyentia Institute, a data science firm, to analyze vulnerability remediation data sets. Kenna has been publishing the findings in a series of reports, the latest of which is titled Prioritization to Prediction Volume 8, Measuring and Minimizing Exploitability.


Researchers are marveling at the scope and magnitude of a vulnerability that hackers are actively exploiting to take full control of network devices that run on some of the world's biggest and most sensitive networks.


Last week, F5 disclosed and patched a BIG-IP vulnerability that hackers can exploit to execute commands that run with root system privileges. The threat stems from a faulty authentication implementation in iControl REST, a set of web-based programming interfaces for configuring and managing BIG-IP devices.


The severity of CVE-2022-1388 was rated at 9.8 last week before many details were available. Now that the ease, power, and wide availability of exploits are better understood, the risks take on increased urgency. Organizations that use BIG-IP gear should prioritize the investigation of this vulnerability and the patching or mitigating of any risk that arises. Randori provided a detailed analysis of the vulnerability and a one-line bash script here that BIG-IP users can use to check exploitability. F5 has additional advice and guidance here.


For this reason, it is possible to have a critical vulnerability in code that does not affect you at all, for example because that code runs on an IoT device that relies on other security controls which effectively mitigate the exploitability of a latent vulnerability in the embedded code.


As we mentioned before, the main problem is that we are continuously fed new vulnerabilities while still wrestling with old ones, and there is no easy way to manage them all. We have to be quick in our detection and resolution processes when something really critical is discovered, and put the majority of our effort there without forgetting the rest of the vulnerability ecosystem. It sounds simple in theory and underpins all modern security programs, but vulnerability prioritization in practice is now one of the biggest gaps in security.


Sometimes it is extensive research by a company that regularly tests its own code and spends great effort to demonstrate the problem with an application or the abuse of a dependency. At other times, a vulnerability might be discovered by an independent security researcher probing a system in their free time and reporting the findings as part of responsible disclosure, or by someone creating a proof of concept (PoC) that exploits a system and publishing the details on Twitter.


What is the best thing to do, then? Improve the process so that you are ready as soon as possible when a 0-day is disclosed, detect it from that moment on, provide the appropriate mitigations and, in many cases, verify that the vulnerability has not already been used in the past (when it really was a 0-day).


The Common Vulnerability Scoring System (CVSS) provides a way to capture the key characteristics of a vulnerability and produce a numerical score that reflects its severity. Many security teams and SOCs use the CVSS to prioritize vulnerability management activities, such as incident response processes, defect tracking and resolution, or implementation of a mitigating control.


This first part corresponds to the base score, an objective value that should remain stable over time and consistent across organizations. As a supplement, there are two more metric groups, temporal and environmental; these values introduce more scoring complexity, though, and may not be something your organization chooses to pay attention to in the early phases of vulnerability management.


Vendors such as Red Hat or Debian, as the distribution provider, will also evaluate the severity of the vulnerability in a specific context (i.e., the package inside the distribution). Customers may trust the vendor's score more than the generic scores assigned by MITRE or NIST, as it is usually more accurate.


As we can see, this score is not affected by the remediation or fix process. If the vulnerability requires great effort to resolve, that does not change the final score. In addition, two vulnerabilities with the same score could have a very different impact or likelihood because of the economic sector or business vertical in which they occur.


It is obvious that we must feed our systems with more information to correlate with the CVSS and improve our vulnerability management. Remember that risk-based prioritization is the goal of all modern cybersecurity programs.


What is the actual probability of a vulnerability being exploited by an attacker? That probability is estimated by the Exploit Prediction Scoring System (EPSS). The EPSS model produces a probability score: the higher the score, the greater the likelihood that a vulnerability will be exploited.


The score is maintained by the same organization as the CVSS, MITRE, which guarantees its consistency with the above-mentioned vulnerability taxonomies and classification systems. If we look at the highest-rated vulnerabilities of the last 30 days, we get a better understanding of the potential real impact of vulnerabilities. An example can be seen here with CVE-2022-0441, which relates to the MasterStudy LMS WordPress plugin.


The Stakeholder-specific Vulnerability Categorization (SSVC) is mostly a conceptual tool for vulnerability management. SSVC aims to avoid one-size-fits-all solutions in favor of a modular decision-making system with clearly defined and tested parts that vulnerability managers can select and use as appropriate to their context.


It would be strange for one method to contradict another. Normally they will all have a similar view of the final severity, but these small differences become crucial at the huge scale of vulnerability management. The simplicity approach is worth stressing, since some of these scoring mechanisms get incredibly complicated. Many organizations would benefit from keeping their risk scoring simple so they can focus their efforts on addressing security problems instead of burning cycles qualifying or quantifying risk.


These vulnerability scores can be viewed ad hoc, but effective cybersecurity requires that you ingest vulnerability feeds into the appropriate security tooling that serves the relevant stage of the system lifecycle.


To help us, we need to ingest the vulnerability information that organizations like MITRE share, generate better indicators through the correlation of other sources of information, and maintain full visibility of our assets (and associated attack vectors) to be quick in detecting the impact. Without this, it is impossible to both efficiently plan the vulnerability mitigation process to reduce the noise and time in which we are vulnerable, and be effective in any cybersecurity program.


Earlier today, Grafana 8.3.1, 8.2.7, 8.1.8, and 8.0.7 were released to fix a path traversal vulnerability that could allow an attacker to navigate outside the Grafana folder and remotely access restricted locations on the server, such as /etc/passwd/.
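The defect behind a path traversal like the one that Grafana release fixed is a file path built from request input without checking where it ends up. The following is an added example, not Grafana's code, showing the naive join beside a hardened one; the plugin root is a constructed path, and the check is done on normalised strings (posixpath) so it runs without a filesystem.

```python
import posixpath

# Constructed example root; the real Grafana layout is not reproduced here.
PLUGIN_ROOT = "/srv/grafana/public/plugins"


def vulnerable_resolve(root, requested):
    """Naive join: trusts the request path, so '..' segments can walk out of root."""
    return posixpath.normpath(posixpath.join(root, requested))


def safe_resolve(root, requested):
    """Hardened join: normalise, then verify the result is still inside root.

    Raises ValueError for absolute paths and for any '..' sequence that
    escapes the root. On a real filesystem, resolve symlinks first
    (os.path.realpath) and apply this after URL-decoding the request path.
    """
    root = posixpath.normpath(root)
    if posixpath.isabs(requested):
        raise ValueError("absolute paths are not allowed")
    candidate = posixpath.normpath(posixpath.join(root, requested))
    # commonpath (not startswith) so that a sibling such as '.../plugins2'
    # does not pass as a prefix match.
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the plugin root: %r" % requested)
    return candidate


def is_traversal(root, requested):
    """True when the request would have left root under the naive join,
    which is the condition a request-log detection rule would flag."""
    try:
        safe_resolve(root, requested)
    except ValueError:
        return True
    return False
```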


Fig 9 shows complementary cumulative distribution function (CCDF) plots of nine information-spread measurements of discussion threads. Since there is a different number of discussions for each level of severity, it makes more sense to compare the percentage distributions, which are what the figures plot. To illustrate how these CCDF plots present the measurement data, we can look at the depth plot for Twitter. The line plot for medium severity starts at a depth value of 1 and a 100% CCDF value, meaning that all discussion threads related to a medium severity vulnerability have a depth of at least 1. The line terminates at a depth value of 10 and a CCDF value of 0.1, meaning that only a fraction equal to 0.1% of those threads reach depth 10.


The results of our analysis clearly demonstrate that social platforms reveal actionable signals for software vulnerability awareness. The fact that most CVE discussions start on GitHub not only before Twitter and Reddit, but even before a vulnerability is officially published, is critical knowledge for cyber analysts. These and other findings can be used by analysts as well as by product vendors and codebase owners to increase awareness about vulnerabilities and software patches among developers as well as general users. Moreover, our multi-dimensional analysis is intended to inform and advance a variety of analytical frameworks [73, 14] for simulating information spread across multiple social environments, including but not limited to disinformation.



© 2023 by Marketing Inc. Proudly created with Wix.com
