
Most common vulnerabilities based on Shodan scans


My recent post on the Internet Storm Center website about the surprisingly high number of systems still affected by critical vulnerabilities, which have been patched for a long time, received quite positive feedback. I have consequently decided to take a look at the issue in a more comprehensive manner, and since I didn’t know which vulnerabilities Shodan was able to detect, I used my TriOp tool to gather data for all of the approximately 190k CVEs ever published. After the couple of days the script took to run, I have the results, and they are quite interesting…

Before we get to them though, let’s take a quick look at how many vulnerabilities Shodan is capable of detecting. The magic number currently seems to be 2246. Or, rather, that is the number of CVEs for which Shodan detected at least one affected IP address. Since for 40 different CVEs it detected only a single vulnerable IP, and for 99 more it detected only between 2 and 10 affected IPs, it is quite possible that Shodan is capable of identifying other vulnerabilities as well, but simply didn’t find them on any of the systems it scanned in the past few days or weeks.

On the other hand, as you may see from the following chart, there are a significant number of CVEs for which Shodan detected over 1 million affected IP addresses – 145, to be specific.

Number of IP addresses affected by different CVEs

We won’t, for obvious reasons, discuss all of them but I thought that a closer look at the top 15 CVEs detected most often might be worth it, since all of these had more than 4 million detections.

Most common CVEs detected by Shodan

As the chart above shows, we have a couple of sets of vulnerabilities with similar numbers of detections. This is mostly because they affect the same version of a specific system, which also explains the similar (and sometimes nearly sequential) CVE numbers.

The most common vulnerability seems to be CVE-2017-15906, which affects OpenSSH and luckily isn’t too critical. That unfortunately can’t be said about some of the other ones, as three vulnerabilities (two in Apache and one in PHP) which have made it into the top 15 have a CVSSv3 score of 9.8. You may find details for all of the most commonly detected vulnerabilities in the following table.

CVE              Number of affected IP addresses   CVSSv3
CVE-2017-15906                         7,551,378      5.3
CVE-2018-1312                          6,936,210      9.8
CVE-2019-0220                          5,687,693      5.3
CVE-2017-7679                          5,581,571      9.8
CVE-2018-17199                         5,392,949      7.5
CVE-2018-15919                         5,299,655      5.3
CVE-2016-8612                          5,267,545      4.3
CVE-2016-4975                          5,051,548      6.1
CVE-2018-1283                          4,971,245      5.3
CVE-2017-15715                         4,971,235      8.1
CVE-2017-15710                         4,971,199      7.5
CVE-2019-9641                          4,149,029      9.8
CVE-2019-9639                          4,149,025      7.5
CVE-2019-9638                          4,149,024      7.5
CVE-2019-9637                          4,149,015      7.5

As we see, the vulnerabilities we discussed in the ISC post may all have high impact, but would seem not to be the most common ones.
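The clustering heuristic described above (CVEs with near-identical detection counts usually share one vulnerable product version) can be applied to the table mechanically. The following is an added example, not part of the post or of the TriOp tool: it takes the top-15 figures as constructed input, groups CVEs whose counts differ by less than an assumed 0.1 % tolerance, and lists the groups that contain at least one critical-severity CVE, since patching the shared version closes the whole group at once.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class CveCount:
    cve: str            # CVE identifier
    affected_ips: int   # number of IPs Shodan reports for this CVE
    cvss3: float        # CVSSv3 base score

# Constructed sample input: the top-15 figures quoted in the post's table.
TOP15: List[CveCount] = [
    CveCount("CVE-2017-15906", 7_551_378, 5.3), CveCount("CVE-2018-1312", 6_936_210, 9.8),
    CveCount("CVE-2019-0220", 5_687_693, 5.3),  CveCount("CVE-2017-7679", 5_581_571, 9.8),
    CveCount("CVE-2018-17199", 5_392_949, 7.5), CveCount("CVE-2018-15919", 5_299_655, 5.3),
    CveCount("CVE-2016-8612", 5_267_545, 4.3),  CveCount("CVE-2016-4975", 5_051_548, 6.1),
    CveCount("CVE-2018-1283", 4_971_245, 5.3),  CveCount("CVE-2017-15715", 4_971_235, 8.1),
    CveCount("CVE-2017-15710", 4_971_199, 7.5), CveCount("CVE-2019-9641", 4_149_029, 9.8),
    CveCount("CVE-2019-9639", 4_149_025, 7.5),  CveCount("CVE-2019-9638", 4_149_024, 7.5),
    CveCount("CVE-2019-9637", 4_149_015, 7.5),
]

def cluster_by_count(rows: List[CveCount], tolerance: float = 0.001) -> List[List[CveCount]]:
    """Group CVEs whose detection counts lie within `tolerance` (relative; the 0.1%
    default is an assumption) of the cluster's largest count. Near-identical counts
    are the signature of one product version carrying several CVEs at once."""
    clusters: List[List[CveCount]] = []
    for row in sorted(rows, key=lambda r: r.affected_ips, reverse=True):
        top = clusters[-1][0].affected_ips if clusters else None
        if top is not None and top - row.affected_ips <= tolerance * top:
            clusters[-1].append(row)      # same population of hosts, most likely
        else:
            clusters.append([row])        # start a new cluster
    return clusters

def critical_clusters(rows: List[CveCount], min_cvss: float = 9.0,
                      tolerance: float = 0.001) -> List[List[CveCount]]:
    """Clusters in which at least one CVE meets `min_cvss`. Counts overlap across
    clusters (one host can carry several), so they must not simply be summed."""
    return [c for c in cluster_by_count(rows, tolerance)
            if max(r.cvss3 for r in c) >= min_cvss]

if __name__ == "__main__":
    for c in critical_clusters(TOP15):
        print(f"{c[0].affected_ips:>9,} hosts  max CVSSv3 {max(r.cvss3 for r in c)}  "
              + ", ".join(r.cve for r in c))
```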

Although it’s not too probable, let’s hope that the number of systems affected by the CVEs mentioned above starts falling soon, as otherwise they might quite quickly become dangerous not just to their users but to others as well, since public exploits for some of the vulnerabilities are freely available…
