The risks of silent patching and why it must end
The goal of vulnerability research is to improve the security of the industry at large by helping software and device vendors fix vulnerabilities within their products.
Unfortunately, some vendors hinder these improvements with silent patching, which circumvents the public disclosure and documentation of vulnerabilities and their patches. Ultimately, their customers, partners and the cybersecurity community pay the price for silent patching.
During the past two years, my Forescout Technologies colleagues and I have worked on Project Memoria, an extensive study of vulnerabilities in the TCP/IP stacks that connect millions of operational technology devices in many critical industries. Our researchers discovered 97 vulnerabilities in 14 TCP/IP stacks affecting 3 billion IoT, operational technology (OT) and IT devices. We spent months speaking with government officials and affected vendors about how to mitigate these risks.
Vulnerability disclosure is not always appreciated. Some vendors will do anything to avoid drawing attention to these risks, even if it means continuing to pass these problems along to their customers, partners and even other IoT devices. Some vendors refuse to acknowledge their vulnerabilities, which is why working with government officials can help. Others refuse to prioritize a response and instead may silently patch vulnerabilities. Silent patching raises particular concern.
Silent patching occurs when vulnerabilities are discovered and privately fixed but never assigned a Common Vulnerabilities and Exposures (CVE) ID, so no public record of the vulnerability or its fix exists. Although vendors that silently patch vulnerabilities may appear to have responsibly addressed an immediate problem, the lack of public disclosure and documentation causes a variety of challenges.
An unsettling insight from Project Memoria reveals how silently patched vulnerabilities exist in millions of critical connected devices. In Nucleus:13 we found instances of silently patched vulnerabilities for the second time. That means that millions of vulnerable devices could still be operating unbeknownst to the companies using them because their vendors remained silent about their patches.
The convergence of IT and OT systems, coupled with an ever-increasing number of connected devices and industrial IoT, means that TCP/IP stack vulnerabilities give attackers the potential to wreak havoc across multiple industries.
The domino effect in the supply chain
If you've ever had a water leak in your house, you know that stopping the leak is only the first step. Not only do you need to clean up all of the water in that room, but you also need to think about how other rooms in the house are affected, if there could be unseen damage in floors and ceilings, mold and so forth. This same mentality should apply to patching vulnerabilities.