If you follow Cyentia Institute’s Jay Jacobs via social media you may FIRST ;-) have learned about the Exploit Prediction Scoring System (EPSS) from him, as I did. I quickly learned that FIRST offers an API for the EPSS model, which immediately piqued my interest. Per FIRST, EPSS provides a fundamentally new capability for efficient, data-driven vulnerability management. While EPSS predicts the probability (threat) of a specific vulnerability being exploited in the wild within the next 30 days, it can scale to estimate the threat for multiple vulnerabilities on a server, a subnet, a mobile device, or at an enterprise level (Jacobs, 2022). Note that this is a probability of exploitation activity, not a severity score; CVSS measures severity, and the two need not agree.

Figure 1: EPSS Comparison by Effort

Inspired by the work of Jay and Bob Rudis years ago via their excellent Data Driven Security book, I found myself immediately compelled to put to use all I’d learned from said book and create an app for the EPSS API.

Figure 2: CVE-2022-30190 as of 09 JUN 2022

But was the score this high earlier? As the vulnerability underwent early analysis, garnered more and more attention, and was discovered to be under active exploitation, the EPSS score changed accordingly. The EPSS timeline view will help you quickly assess the changes, as seen in Figure 3.

Figure 3: CVE-2022-30190 timeline

Between 02 JUN and 09 JUN the EPSS score went from 0.02 to 0.12 to 0.51 to 0.69. A table view is nice, but a graph is always preferred, as seen via the EPSS Graph view in Figure 4.

Figure 4: CVE-2022-30190 timeline graph

In MAY 2022 we saw two vulnerabilities with CVSS scores of 9.8 out of 10 under active exploitation: CVE-2022-22954 for VMware and CVE-2022-1388 for F5. Refer to Dan Goodin’s Ars Technica article for more insight. Given their high CVSS scores it is easy to assume their EPSS scores might follow suit. They can be queried with a variety of pivots in EPSScall. First, let’s filter for an EPSS score greater than 0.90.
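Here is a worked example of the API pivots behind the timeline and threshold views, added as an illustration rather than code from EPSScall or from FIRST. It builds EPSS API URLs for a CVE list, a time-series history and an epss-gt filter, flattens the JSON the API returns, and reconstructs the day-over-day timeline deltas and the above-threshold listing client side. The parameter names (cve, date, scope=time-series, epss-gt, percentile-gt, limit) follow FIRST’s EPSS API documentation; the function names are my own; the sample response is constructed for offline use (the four CVE-2022-30190 probabilities are the ones quoted above, while the intermediate dates, the percentiles and the rows for the other two CVEs are placeholders, not recorded API output).

```python
"""Helpers for the FIRST EPSS API (https://api.first.org/data/v1/epss).

Added illustration, not code from EPSScall. Parameter names follow FIRST's
EPSS API documentation; SAMPLE_RESPONSE below is constructed, not a
recorded API reply.
"""
import json
import urllib.parse
import urllib.request

EPSS_API = "https://api.first.org/data/v1/epss"


def build_epss_url(cves=None, date=None, time_series=False,
                   epss_gt=None, percentile_gt=None, limit=None):
    """Assemble a query URL from the pivots an EPSS front end exposes."""
    params = {}
    if cves:
        params["cve"] = ",".join(cves)        # comma-separated CVE IDs
    if date:
        params["date"] = date                 # YYYY-MM-DD: scores as of that day
    if time_series:
        params["scope"] = "time-series"       # per-CVE daily history
    if epss_gt is not None:
        params["epss-gt"] = f"{epss_gt:g}"    # probability lower bound
    if percentile_gt is not None:
        params["percentile-gt"] = f"{percentile_gt:g}"
    if limit is not None:
        params["limit"] = str(limit)
    return EPSS_API + ("?" + urllib.parse.urlencode(params) if params else "")


def parse_epss_rows(payload):
    """Flatten an API JSON document into rows of cve/date/epss/percentile.

    The default response carries one scored row per CVE; with
    scope=time-series each CVE instead carries a 'time-series' list of
    dated points. Scores arrive as strings and are converted to floats.
    """
    rows = []
    for item in payload.get("data", []):
        points = item["time-series"] if "time-series" in item else [item]
        for p in points:
            rows.append({"cve": item["cve"], "date": p["date"],
                         "epss": float(p["epss"]),
                         "percentile": float(p["percentile"])})
    return rows


def timeline(rows, cve):
    """Dated scores for one CVE in chronological order, each with the
    change from the previous point (None for the first). This is the data
    behind a timeline table or graph."""
    points = sorted((r for r in rows if r["cve"] == cve),
                    key=lambda r: r["date"])
    out, prev = [], None
    for r in points:
        delta = None if prev is None else round(r["epss"] - prev, 4)
        out.append((r["date"], r["epss"], delta))
        prev = r["epss"]
    return out


def biggest_jump(rows, cve):
    """(date, delta) of the largest single-step increase for a CVE, i.e.
    the day a score 'leapt'; None if fewer than two points exist."""
    steps = [(d, delta) for d, _, delta in timeline(rows, cve)
             if delta is not None]
    return max(steps, key=lambda s: s[1]) if steps else None


def above_threshold(rows, epss_gt, date=None):
    """Client-side equivalent of the epss-gt pivot: rows scored strictly
    above the bound, optionally for one scoring date, highest first."""
    hits = [r for r in rows
            if r["epss"] > epss_gt and (date is None or r["date"] == date)]
    return sorted(hits, key=lambda r: r["epss"], reverse=True)


def fetch_epss(url, timeout=10):
    """Live call against the API; not exercised by the offline sample."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample in the API's response shape (mixed so both branches of
# parse_epss_rows run). The four CVE-2022-30190 probabilities match the
# post; the dates other than 02 and 09 JUN, every percentile and the
# remaining rows are placeholders.
SAMPLE_RESPONSE = {
    "status": "OK", "status-code": 200, "version": "1.0", "access": "public",
    "total": 3, "offset": 0, "limit": 100,
    "data": [
        {"cve": "CVE-2022-30190", "time-series": [
            {"epss": "0.020000000", "percentile": "0.880000000", "date": "2022-06-02"},
            {"epss": "0.120000000", "percentile": "0.950000000", "date": "2022-06-04"},
            {"epss": "0.510000000", "percentile": "0.970000000", "date": "2022-06-07"},
            {"epss": "0.690000000", "percentile": "0.980000000", "date": "2022-06-09"},
        ]},
        {"cve": "CVE-2022-22954", "epss": "0.930000000",
         "percentile": "0.990000000", "date": "2022-06-09"},
        {"cve": "CVE-2022-1388", "epss": "0.910000000",
         "percentile": "0.990000000", "date": "2022-06-09"},
    ],
}

if __name__ == "__main__":
    rows = parse_epss_rows(SAMPLE_RESPONSE)
    print(build_epss_url(cves=["CVE-2022-30190"], time_series=True))
    for date, epss, delta in timeline(rows, "CVE-2022-30190"):
        print(date, epss, "" if delta is None else f"{delta:+.2f}")
    print("largest jump:", biggest_jump(rows, "CVE-2022-30190"))
    print([r["cve"] for r in above_threshold(rows, 0.90, date="2022-06-09")])
```

To run it against the live service, pass the output of build_epss_url to fetch_epss and feed the result to parse_epss_rows; the rest of the pipeline is the same. Keep the threshold comparison strict (greater than, as the API's epss-gt pivot is named) and always pin a date when comparing CVEs, since scores for different CVEs pulled on different days are not comparable.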
Ironically, as of 09 JUN 2022 EPSS results for CVE-2022-22954 and CVE-2022-1388 are returned right next to each other, per Figure 5.

Figure 5: CVE-2022-22954 and CVE-2022-1388 EPSS greater than 0.90

CVE-2022-22954 has a score of 0.93 and CVE-2022-1388 has a score of 0.91. You may be curious what the percentile score represents. Per FIRST, “percentiles are a direct transformation from probabilities and provide a measure of an EPSS probability relative to all other scores. That is, the percentile is the proportion of all values less than or equal to the current rank” (Jacobs & Romanosky, 2022). In other words, a percentile of 0.99 means the CVE scores at or above 99% of all scored CVEs, which is why two CVEs with different probabilities can share nearly the same percentile near the top of the distribution.

Figure 6: CVE-2022-22965 stands out

Interestingly, CVE-2022-22965 jumps right to the top of the pile. What vuln is that, you ask? Another recent nightmare, Spring4Shell. Of interest, on 10 MAY the EPSS score was 0.65, but on 11 MAY it leapt 30 points to 0.95.

Figure 7: CVE-2022-22965 jumps 30 points

Pure speculation, but perhaps this jump was driven by a number of patches being released by a variety of vendors on 10 MAY 2022 and additional attention specific to exploitation in security blogs on 11 MAY.

Cheers…until next time.

References:
Russ McRee, ISC Handler, Jun 10th 2022