Software vulnerabilities vary in their severity – some are difficult to exploit and have minimal implications, while others can be exploited easily, giving an attacker significant leverage over a computer system. In cases where widely-implemented software contains high-severity vulnerabilities, the damage caused by their exploitation can affect millions of developers and services worldwide.
In this article, you will learn how the KEV Catalog tracks known exploited software vulnerabilities, and how it serves as a tool for developers and federal agencies. In addition, you will explore Log4Shell, Heartbleed, and Shellshock, three infamous software vulnerabilities which have had major impacts on software security worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) operates the Known Exploited Vulnerabilities (KEV) Catalog, a list of CVEs for which exploits are known to exist “in the wild”. The KEV Catalog serves as a tool for developers because it identifies the CVEs that should be prioritized for remediation on the basis of their exploitability status. Federal civilian executive branch agencies must remediate vulnerabilities present in the KEV Catalog by a due date specified by CISA. Patching these vulnerabilities first closes the routes into a system that attackers are already known to use.
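The catalog is published as a JSON feed, so the prioritization described above can be automated. The following is an added example written for this article, not code from CISA or any project: it parses a small constructed document in the shape of the KEV feed (the field names match the published feed; the CVE IDs, products and dates are placeholders, not catalog data), selects the entries for products an organization actually runs, and orders them by how close or overdue CISA's due date is, with ransomware-linked entries first on ties.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The field names are
# those of the real feed; every value below is a placeholder, not catalog data.
SAMPLE_KEV_JSON = """{
  "title": "Constructed KEV-format sample",
  "vulnerabilities": [
    {"cveID": "CVE-YYYY-0001", "vendorProject": "ExampleVendor", "product": "ExampleLogger",
     "vulnerabilityName": "ExampleLogger Remote Code Execution Vulnerability",
     "dateAdded": "2024-01-10", "shortDescription": "Placeholder entry.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-01-24", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-YYYY-0002", "vendorProject": "ExampleVendor", "product": "ExampleTLS",
     "vulnerabilityName": "ExampleTLS Information Disclosure Vulnerability",
     "dateAdded": "2024-01-25", "shortDescription": "Placeholder entry.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-02-15", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-YYYY-0003", "vendorProject": "ExampleVendor", "product": "ExampleShell",
     "vulnerabilityName": "ExampleShell Code Execution Vulnerability",
     "dateAdded": "2024-01-25", "shortDescription": "Placeholder entry.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-02-15", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-YYYY-0004", "vendorProject": "OtherVendor", "product": "UnusedProduct",
     "vulnerabilityName": "UnusedProduct Privilege Escalation Vulnerability",
     "dateAdded": "2023-12-18", "shortDescription": "Placeholder entry.",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2024-01-01", "knownRansomwareCampaignUse": "Known"}
  ]
}"""


def load_catalog(text):
    """Parse a KEV-format JSON document and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def days_until_due(entry, today):
    """Days left until CISA's remediation due date; negative means overdue.

    `today` is an ISO date string such as "2024-02-01".
    """
    return (date.fromisoformat(entry["dueDate"]) - date.fromisoformat(today)).days


def prioritize(entries, today, installed_products):
    """Select catalog entries for products in use and order them for remediation.

    Ordering: most overdue first, then soonest due; on ties, entries tagged
    with known ransomware campaign use come first.
    """
    selected = []
    for entry in entries:
        if entry["product"] not in installed_products:
            continue
        remaining = days_until_due(entry, today)
        selected.append({
            "cveID": entry["cveID"],
            "product": entry["product"],
            "days_until_due": remaining,
            "overdue": remaining < 0,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "requiredAction": entry["requiredAction"],
        })
    selected.sort(key=lambda row: (row["days_until_due"], not row["ransomware"]))
    return selected


if __name__ == "__main__":
    # Hypothetical inventory of products running in an environment.
    inventory = {"ExampleLogger", "ExampleTLS", "ExampleShell"}
    for row in prioritize(load_catalog(SAMPLE_KEV_JSON), "2024-02-01", inventory):
        status = "OVERDUE" if row["overdue"] else f"due in {row['days_until_due']}d"
        print(f"{row['cveID']}  {row['product']:<14} {status:<12} ransomware={row['ransomware']}")
```

In practice the `SAMPLE_KEV_JSON` string would be replaced by the document fetched from CISA's KEV JSON feed, and `inventory` by a real asset or software inventory; matching on the `product` field alone is a simplification, since the feed's `vendorProject` and `product` names do not always line up with the names a package manager reports.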
Some of the vulnerabilities in the KEV Catalog are infamous for the impacts of their exploitation. When a vulnerability affects a piece of software present in an array of systems, its exploitation can reach far and wide, and efforts to remediate it can be difficult to fully implement. The following vulnerabilities are present in the KEV Catalog and serve as examples of how damaging ubiquitous software vulnerabilities can be.
Log4Shell is a vulnerability in the Apache Log4j Java logging utility, a popular library used on millions of devices worldwide. It allows an attacker to achieve remote code execution (RCE): when Log4j logs text containing a Java Naming and Directory Interface (JNDI) lookup, it performs that lookup, so an attacker who controls the logged text can direct the lookup to a server under their control that serves malicious code. The vulnerability has been present in Log4j since version 2.0-beta9 (released in 2013) and was patched out in version 2.16.0 in 2021.
Due to the popularity of Log4j, Log4Shell was extremely pervasive, impacting a variety of services such as those offered by Amazon Web Services and IBM, among others. Its widespread use makes this vulnerability difficult to remediate completely, since it may not be known whether a vulnerable version of Log4j is present on a system; one federal network, for example, was affected months after the vulnerability was first documented.
To learn more about Log4Shell, check out its listing on the Apache Log4j Security Vulnerabilities page.
Heartbleed is a buffer over-read vulnerability in OpenSSL, a popular cryptographic library commonly used for encrypting SSL/TLS communications on the internet. The vulnerability allows an attacker to read the memory of a system without detection. As a result, cryptographic keys, credentials, and other content can be silently extracted from a server’s memory.
Heartbleed affected OpenSSL versions 1.0.1 through 1.0.1f (inclusive) and was discovered in 2014, about two years after the vulnerability was first introduced to OpenSSL. Because exploitation leaves no trace, determining whether it was used against a particular server is difficult. At the time of discovery it was estimated that around half a million websites may have been vulnerable to the bug.
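The version ranges given for Log4Shell and for Heartbleed are the starting point for an inventory check, and comparing them by hand is error-prone because the two projects number releases differently (OpenSSL's trailing patch letter, Log4j's pre-release tags). The following is an added example written for this article, not code from either project: a small version parser that orders strings such as `1.0.1f`, `2.0-beta9` and `2.16.0` correctly, plus two checks that apply the ranges stated above (OpenSSL 1.0.1 through 1.0.1f inclusive; Log4j from 2.0-beta9 up to but not including 2.16.0). The function names are this example's own.

```python
import re

# Grammar handled: dotted numbers, an optional OpenSSL-style patch letter
# ("1.0.1f"), and an optional pre-release tag ("2.0-beta9").
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z])?(?:-([a-z]+)(\d+))?")


def parse_version(version):
    """Turn a version string into a tuple that compares in release order.

    Numeric components compare numerically and are padded to three places so
    that "2.16" equals "2.16.0". A patch letter ranks above no letter
    ("1.0.1f" > "1.0.1"). A pre-release tag ranks below the same numeric
    version without one ("2.0-beta9" < "2.0").
    """
    match = _VERSION_RE.fullmatch(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    numbers += (0,) * (3 - len(numbers))
    letter = match.group(2)
    letter_rank = ord(letter) - ord("a") + 1 if letter else 0
    if match.group(3):
        prerelease = (0, match.group(3), int(match.group(4)))  # sorts first
    else:
        prerelease = (1, "", 0)                                # final release
    return numbers + (letter_rank,) + prerelease


# Ranges as stated in the article.
HEARTBLEED_FIRST = parse_version("1.0.1")
HEARTBLEED_LAST = parse_version("1.0.1f")      # inclusive
LOG4SHELL_FIRST = parse_version("2.0-beta9")
LOG4SHELL_FIXED = parse_version("2.16.0")      # exclusive


def is_heartbleed_affected(openssl_version):
    """True if an upstream OpenSSL version string falls in the affected range."""
    v = parse_version(openssl_version)
    return HEARTBLEED_FIRST <= v <= HEARTBLEED_LAST


def is_log4shell_affected(log4j_version):
    """True if an upstream Log4j 2 version string falls in the affected range."""
    v = parse_version(log4j_version)
    return LOG4SHELL_FIRST <= v < LOG4SHELL_FIXED


if __name__ == "__main__":
    # Constructed sample inventory: (component, version string).
    inventory = [("openssl", "1.0.1e"), ("openssl", "1.0.2"), ("log4j", "2.14.1"),
                 ("log4j", "2.0-beta8"), ("log4j", "2.17.1")]
    checks = {"openssl": is_heartbleed_affected, "log4j": is_log4shell_affected}
    for component, version in inventory:
        verdict = "AFFECTED" if checks[component](version) else "not affected"
        print(f"{component:<8} {version:<10} {verdict}")
```

Treat the result as a triage signal rather than proof: distributions frequently backport security fixes without changing the upstream version number, so a package reporting `1.0.1e` may already carry the Heartbleed fix, and such distribution-specific version strings are rejected by this parser rather than silently misjudged.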
To learn more about the Heartbleed vulnerability, check out the Heartbleed website.
Shellshock is an arbitrary code execution vulnerability in Bash that went unnoticed for 25 years: the flaw existed from 1989 and was first reported in version 4.3 in 2014. It abuses Bash’s function export feature, through which commands that should be inaccessible can instead be executed. In affected versions, Bash processes function definitions stored in environment variables, and this processing produces the unintended behavior that allows malicious code to be run. Following the initial CVE report, further CVEs were soon filed addressing additional related vulnerabilities.
Because Shellshock went undiscovered for over two decades after its inception, the scope of its influence is significant, and it is still leveraged against systems today. Soon after the vulnerability was uncovered, large-scale attacks using botnets were deployed against high-profile entities like the U.S. Department of Defense.
To learn more about Shellshock and its related vulnerabilities, check out the CISA’s Shellshock alert.
In this article, you learned how the CISA’s KEV Catalog tracks exploited vulnerabilities, and how the catalog is used by developers and federal agencies to prioritize vulnerability remediation. You also explored three infamous software vulnerabilities: Log4Shell, Heartbleed, and Shellshock, and learned how they have impacted systems across the world.
To learn more about these vulnerabilities and other exploited vulnerabilities, dive further into the KEV Catalog, or check out the full CVE database.