Company
Deception / 12.01.2021

Deception – A Shield Between Vulnerability Disclosure and Patch Deployment: The Case of CVE-2021-22005

By Guy Waizel, Chief Operating Officer, TrapX Security

Every day we hear about the discovery and disclosure of new vulnerabilities. In the best case, a patch is released after a few hours or days and deployed within 24 hours; however, often the whole cycle from the disclosure of the vulnerability, over a patch being available, until the complete deployment of the patch to all relevant network assets can take a few months.

A great example of patch frequency is Microsoft, who releases patches every second Tuesday of the month – Patch Tuesday – and by necessity sometimes even more frequently.

In this blog we will take a closer look at CVE-2021-22005 disclosed on by VMWare on September 21st. Three days later the CISA published a warning about vCenter, VMware’s Server, being affected by an arbitrary file upload vulnerability in the Analytics service. A malicious cyber actor with network access to port 443 can exploit this vulnerability to execute code on the vCenter Server. The CISA warning included further a confirmation by VMware about reports of CVE-2021-22005 already being exploited in the wild. 

Patch management is time-consuming. IT departments usually verify in a controlled environment that patches do not harm processes before wide deployments to prevent losses in productivity i.e., in production-environments. However, occasionally there are business constraints, limited resources, or insufficient time for testing. Just in October 2021 the University Düsseldorf suffered from a significant interruption due to a patch deployment.

In their 2020 blog research, FireEye says that 42% of vulnerabilities continued to be exploited after a patch was issued. They found that vulnerabilities are exploited within two days of either PoC or exploit code being made publicly available. The average critical exposure time for threats, between disclosure and patch availability, was approximately 9 days.

How can DeceptionGrid™ help mitigate the risk of being exploited by cyber threats during this exposure time from vulnerability disclosure until complete patching?

DeceptionGrid™ can automatically create and deploy decoys that replicate the vulnerabilities of network assets, based on vulnerability assessments or inventory systems.  The likelihood of a cyber threat targeting the disclosed vulnerabilities to land on a legit asset is reduced, and interactions with the vulnerable decoys provide visibility by disclosing an attempted attack.

For instance, let’s look at a use case example of a customer running a vCenter in their organization that was not patched yet with the recent VMware patch for vulnerability CVE-2021-22005.

During the preparation time for patching, the organization can create four additional vCenter decoys with high-interaction web services with TrapX DeceptionGrid. 

Cybercriminals, beginning their reconnaissance stage and scanning the organization to look for a vulnerable vCenter, will detect five vCenters: one real asset and the four decoys. As soon as the attacker scans the assets, he will receive similar fingerprint responses from all of them. Immediately upon the scan, DeceptionGrid alerts the targeted organization about the connection. For example:

The attacker might also decide to use the VMware workaround that was recently published to check if the vCenter is vulnerable to CVE-2021-22005 as described in detail also by Censys. As soon the attacker does that for any of the four decoy vCenters, DeceptionGrid produces an interaction alert, showing the attacker running a Post command to check the vCenter for the vulnerability. For example:

By creating these vCenter decoys, we reduced risk by reducing Threat Event Frequency.  Without deception, it is 100% likely that the vCenter that was discovered is real. With four decoys it is 20% likely that vCenter that was discovered is real.  For this example we used just four decoys, but an organization can use many more.

Summary 

We provided just one small example, regarding recent Vmware vulnerability CVE-2021-22005, of how Deception technology, specifically TrapX DeceptionGrid, is crucial for reducing cyber security risks and acting as a valuable active defense strategy for any organization.

Moreover, with the ‘new normal’ situation of increased remote work environments resulting in increased challenges of cybercriminals taking advantage of the pandemic, the massive rise of new vulnerabilities, any organization needs to re-evaluate their approach to reducing cyber security risks by leveraging DeceptionGrid from TrapX as an active defense strategy. 

About TrapX Security

TrapX provides a new generation of Deception technology that provides real-time breach detection and prevention. Our proven solutions immerse tangible IT assets in a virtual minefield of traps that misinform and misdirect would-be attackers, alerting SOC teams to malicious activity with immediate, actionable intelligence. Our solutions enable our customers to isolate, fingerprint rapidly and disable new Zero-Day attacks and APTs in real-time. TrapX Security has thousands of government and Global 2000 users worldwide, servicing customers in manufacturing, defense, healthcare, finance, energy, consumer products, and other vital industries. For more information, visit www.trapx.com.

Learn more about our unique approach to Deception

Discover why more than 300 global customers call TrapX "simple, powerful, and affordable."