IPA 独立行政法人 情報処理推進機構

• HOME
• IT Security
• IT Knowledge Center on emerging tech trends
• Japan Information- Tecnology Engineers Examination
• IT Human Resources Development
• Exploratory IT Human Resources Project

HOME IT Security Measures for Information Security Vulnerabilities Quarterly ReportsVulnerability Countermeasure Information Database JVN iPedia Registration Status [2020 4th Quarter (Oct. - Dec.)]

Vulnerability Countermeasure Information Database JVN iPedia Registration Status [2020 4th Quarter (Oct. - Dec.)]

February 17, 2021
IT Security Center

1. 2020 4th Quarter: Vulnerability Countermeasure Information Database JVN iPedia Registration Status

The vulnerability countermeasure information database JVN iPedia (https://jvndb.jvn.jp/en/) is endeavoring to become a comprehensive vulnerability database where vulnerability information is aggregated for easy access for IT users. JVN iPedia collects and/or translates the vulnerability information published by 1) domestic software developers, 2) JVN (*1), a vulnerability information portal run by JPCERT/CC and IPA, and 3) NVD (*2), a vulnerability database run by NIST (*3). JVN iPedia has been making vulnerability information available to the public since April 25, 2007.

1-1. Vulnerabilities Registered in 2020/4Q

~ JVN iPedia now stores 125,388 vulnerabilities ~

The summary of the vulnerability information registered to the Japanese version of JVN iPedia during the 4th quarter of 2020 (October 1 to December 31, 2020) is shown in the table below. As of the end of December 2020, the total number of vulnerabilities stored in JVN iPedia is 125,388 (Table 1-1, Figure 1-1).

As for the JVN iPedia English version, the total number of vulnerabilities stored is 2,217 as shown in the lower half of the Table 1-1.

1-2. 【Observation 1】Vulnerability in Microsoft Server Products called "Zerologon"

~ Zerologon vulnerability(CVE-2020-1472)is classified as ‘Critical’, the highest severity.
Many other vulnerabilities in Microsoft Server products are also classified as ‘Critical’. ~

Zerologon vulnerability (CVE-2020-1472) is a privilege escalation vulnerability discovered in the Netlogon Remote Protocol (MS-NRPC) used in the domain controller function of Windows Server products. If this vulnerability is exploited by attackers, it could lead to gaining domain admin privileges for a domain, theft of important confidential information of an organization, or taking over computers participating in the domain. When the vulnerability countermeasure information was provided by Microsoft in August 2020 (*4), the vulnerability was rated 10.0 in CVSSv3 rating scale. Since Microsoft later disclosed that it had confirmed an attack that exploits this vulnerability (*5), users had to address the vulnerability as soon as possible.

Microsoft released a patch for the Zerologon vulnerability (CVE-2020-1472) in August 2020. However, the Netlogon Remote Protocol is implemented in products other than Windows so Microsoft announced that the vulnerability will be addressed in two phases considering compatibility with those products (*6). Users of the software products and system administrators should refer to the dedicated guidance website provided by Microsoft, understand the work required at their organization and prepare to take immediate action when the second phase is released (scheduled to be released on February 9, 2021).

Other than the Zerologon vulnerability, many vulnerabilities in Microsoft Server products were disclosed in 2020.
Figure 1-2 shows the percentage of severity of vulnerability information for Microsoft Server products registered to JVN iPedia during the year (Jan. 1 – Dec.31) and the fourth quarter (Oct. 1 – Dec. 31) of 2020.
Of the vulnerabilities registered in the past year, 78% were classified as the highest severity "High" (Level III, CVSS Base Score=7.0–10.0) which can lead to serious damage, 21% as "Medium" (Level II, CVSS Base Score =4.0-6.9), and 1% as "Low" (Level II, CVSS Base Score = 0.1-3.9).

In the most recent fourth quarter (Oct. 1 to Dec. 31), the "High" vulnerability still accounted for 70% of the total, and the trend is likely to continue in 2021.

IPA publishes emergency countermeasure information for serious vulnerability attacks. For notifying the information quickly, IPA also provides the cyber security alert service "icat for JSON" (IPA Cyber security Alert Service for JavaScript Object Notation) (*7). Please take advantage of this service as well.

In addition, "icat" (Flash version) was discontinued on January 4, 2021 due to the discon-tinuation of Adobe Flash Player on December 31, 2020 (*8), so website administrators who have been using "icat" (Flash version) are requested to migrate to "icat for JSON" as soon as possible.

1-3. 【Observation 2】Vulnerability in Software Used in Telework, etc.

~ Cyber attacks targeting vulnerabilities in VPN products and web conferencing services have been occurred. Review security measures throughout the organization to ensure continuous telework. ~

Due to the impact of the coronavirus (COVID-19) pandemic, telework spread rapidly, but at the same time, cyber attacks targeting vulnerabilities in VPN products and web conferencing services used in telework environments have been carried out, and security agencies including IPA have called for caution regarding the conduct of telework.

Since many VPN products and web conferencing service software used in telework were used for the first time, or had not been used as it was installed for emergencies, users are supposed to continue to use the software without knowing where to collect information or how to apply updates in many cases.

However, if users continue to use the software without effective vulnerability countermeasures, there is a risk that attackers may exploit the vulnerability and leak software authentication information or confidential organizational information to the outside. In fact, it has been disclosed that attackers have been targeting telework environments to steal such important information (*9), so it is necessary to be very careful when conducting teleworking.

In 2019 and 2020, JPCERT/CC released alerts and other information about several VPN products that could be exploited (*10) (*11) (*12) (*13).

Figure 1-3 shows the percentage of severity of vulnerability countermeasure information registered to JVN iPedia in 2020 for the VPN products listed in the alerts. From left to right: Palo Alto Networks' VPN (PAN-OS), Fortinet's VPN (FortiOS), and Pulse Secure's VPN (including Pulse Policy Secure and Pulse Connect Secure).

The total number of vulnerabilities classified as "High" and "Medium" accounts for more than 95%, and it is required to take immediate action when vendors release fixes. Especially, vulnerabilities that have been alerted are highly likely to be exploited, so be sure to check updates for those vulnerabilities thoroughly.

Figure 1-4 shows the percentage of severity of vulnerability countermeasure information registered to JVN iPedia in 2020 for the web conferencing services. From left to right: Microsoft Teams by Microsoft, Cisco Webex Meetings (including Desktop and Online) by Cisco System, Zoom Video From left to right: Microsoft Teams, Cisco Webex Meetings (including Desktop and Online), Zoom Video, and Zoom Communications (including Client and Meetings). Although the number of cases is small, it should be noted that the ratio of "High" and "Medium" is high as shown in Figure 1-3, so it is necessary to be very careful. IPA issued a warning regarding Zoom on April 3, 2020 (*14).

In order to prevent attacks that attempt to exploit vulnerabilities in VPN products and Web conferencing services, it is necessary to collect information on a regular basis regarding the vulnerability countermeasures of the software you are using, and to take countermeasures such as applying patches as soon as they are released by the vendor. When your organization has own servers, you need to take countermeasures not only for the software on the client side but also the software on the server side. In addition, it is important for system administrators to check for any evidence of cyberattacks from outside, etc., and review the organization's procedures and countermeasures as appropriate.

IPA publishes "Security Precautions for Teleworking" (*15) for workers in teleworking environments, and "Security Precautions for Using Web Conference Services" (*16) which summarizes key security points when using web conference services. Please refer to these documents before you start teleworking or web conference and prepare to ensure that it is conducted in a secure manner. In addition, when you continue to conduct telework, as the NISC (National Information Security Center) notifies (*17), it is also important to reevaluate information security risks and check and revise information security related regulations as necessary.

2. Details on JVN iPedia Registered Data

2-1. Types of Vulnerabilities Reported

Figure 2-1 shows the number of vulnerabilities newly added to JVN iPedia during the 4th quarter of 2020, sorted by the CWE vulnerability types.

The type of the vulnerabilities reported most in the 4th quarter is CWE-269 (Improper Privilege Management) with 138 cases, followed by CWE-79 (Cross-Site Scripting) with 136 cases, CWE-20 (Improper Input Validation) with 84, CWE-200 (Information Exposure) with 75, CWE-787 (Out-of-bounds Write) with 46.

CWE-269 (Improper Privilege Management), the most reported vulnerability type in this quarter, can be exploited to gain administrator privileges and manipulate the system.

Software developers need to make sure to mitigate vulnerability from the planning and design phase of software development. IPA provides tools and guidelines, such as "Vulnerability Countermeasure Guide for Software Developers"" (*18), "How to Secure Your Website" (*19), "Secure Programming Guide" (*20) and "AppGoat" (*21), a hands-on venerability learning tool, for website developers and operators to build secure websites.

2-2. Severity of Vulnerabilities Reported

Figure 2-2 shows the yearly change in the CVSSv2 rating scale based severity of vulnerabilities registered to JVN iPedia.

As for the vulnerabilities added to JVN iPedia in 2020, 23.7 percent are "Level III" (7.0 - 10.0), 61.9 percent are "Level ll" (4.0 – 6.9) and 14.4 percent are "Level I" (0.0 – 3.9). This means 85.6 percent of all vulnerabilities registered are Level II or higher, which are potentially critical enough to cause damage like information exposure or data falsification.

Figure 2-3 shows the yearly change in the CVSSv3 rating scale based severity of vulnerabilities registered to JVN iPedia.

As for the vulnerabilities added to JVN iPedia in 2020, 14.8 percent are "Critical" (9.0 – 10.0), 42.5 percent are "High" (7.0 – 8.9), 40.6 percent are "Medium" (4.0 – 6.9) and 2.1 percent are "Low" (0.1 – 3.9).

To avoid threats posed by the known vulnerabilities, both product developers and IT users should pay close attention to vulnerability disclosure and update software they use to a fixed version or apply a security patch as soon as possible when they become available. IT users can check vulnerabilities newly published on JVN iPedia in RSS and XML format (*22) as well.

2-3. Types of Software Reported with Vulnerability

Figure 2-4 shows the yearly change in the type of software reported with vulnerability. Application vulnerabilities have been published most, accounting for 68.4 percent (9,104 out of 13,304) of the 2020 total.

Figure 2-5 shows the yearly change in the number of JVN iPedia-stored vulnerabilities in industrial control systems (ICS) used in critical infrastructure sectors. As of December 2020, the total of 2,815 ICS vulnerabilities have been registered.

2-4. Products Reported with Vulnerability

Table 2-1 lists the top 20 software whose vulnerabilities were most registered to JVN iPedia during the 4th quarter (October to December) of 2020.

In this quarter, the 1st rank continued to be Microsoft Windows 10 from the previous quarter. From 2nd to 20th, other Windows OS products are also ranked.

Besides those in the top 20 list, JVN iPedia stores and offers vulnerability information about a variety of software. IPA hopes software developers and users will make good use of JVN iPedia to efficiently check vulnerability information and take necessary action in a timely manner (*23).

3. Most Accessed Vulnerability Countermeasure Information

Table 3-1 lists the top 20 most accessed vulnerability countermeasure information in JVN iPedia during the 4th quarter of 2020 (October to December).

In this quarter, 1st, 2nd, 3rd, 4th, and 9th ranks are vulnerability countermeasure information related to WordPress. This was due to a large number of accesses that appeared to be mechanical from a certain organization.

Table 3-2 lists the top 5 most accessed vulnerability information among those reported by domestic product developers.

Note 1) Color Code for CVSSv2 Severity Rating Scale

Note 2) Color Code for CVSSv3 Severity Rating Scale

Note 3) Color Code for Published Date

Footnotes

Past Quarterly Reports

Contact

IT Security

• Security Alerts
• IT Security Evaluation and Certification
• Measures for Information Security Vulnerabilities
  • Information Security Early Warning Partnership
  • Quarterly Reports
  • Japan Vulnerability Notes (JVN)
• Cryptographic Technology Research and Evaluation Activities
• Benchmark System
• ICS Security
• Publications
• About IPA/ISEC