US-CERT- AA22-117A: 2021 Top Routinely Exploited Vulnerabilities

Started by Netwörkheäd, April 28, 2022, 12:16:39 AM

Previous topic - Next topic

Netwörkheäd

AA22-117A: 2021 Top Routinely Exploited Vulnerabilities

[html]Original release date: April 27, 2022

Summary

This joint Cybersecurity Advisory (CSA) was coauthored by cybersecurity authorities of the United States, Australia, Canada, New Zealand, and the United Kingdom: the Cybersecurity and Infrastructure Security Agency (https://www.cisa.gov/">CISA), National Security Agency (https://www.nsa.gov/Cybersecurity/">NSA), Federal Bureau of Investigation (https://www.fbi.gov/investigate/cyber">FBI), Australian Cyber Security Centre (https://www.cyber.gov.au/">ACSC), Canadian Centre for Cyber Security (https://www.cyber.gc.ca/en/">CCCS), New Zealand National Cyber Security Centre (https://www.gcsb.govt.nz/">NZ NCSC), and United Kingdom's National Cyber Security Centre (https://www.ncsc.gov.uk/">NCSC-UK). This advisory provides details on the top 15 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious cyber actors in 2021, as well as other CVEs frequently exploited.



U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities assess, in 2021, malicious cyber actors aggressively targeted newly disclosed critical software vulnerabilities against broad target sets, including public and private sector organizations worldwide. To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities across a broad spectrum of targets. 



The cybersecurity authorities encourage organizations to apply the recommendations in the Mitigations section of this CSA. These mitigations include applying timely patches to systems and implementing a centralized patch management system to reduce the risk of compromise by malicious cyber actors.



Click https://us-cert.cisa.gov/sites/default/files/publications/AA22-117A_Joint_CSA_2021_Top_Routinely_Exploited_Vulnerabilities_Final.pdf">here for a PDF version of this report. 


Technical Details

Key Findings



Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities. For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (POC) code within two weeks of the vulnerability's disclosure, likely facilitating exploitation by a broader range of malicious actors.



To a lesser extent, malicious cyber actors continued to exploit publicly known, dated software vulnerabilities—some of which were also https://www.cisa.gov/uscert/ncas/alerts/aa21-209a">routinely exploited in 2020 or earlier. The exploitation of older vulnerabilities demonstrates the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.



Top 15 Routinely Exploited Vulnerabilities



Table 1 shows the top 15 vulnerabilities U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities observed malicious actors routinely exploiting in 2021, which include:




       
  • CVE-2021-44228. This vulnerability, known as Log4Shell, affects Apache's Log4j library, an open-source logging framework. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system that causes that system to execute arbitrary code. The request allows a cyber actor to take full control over the system. The actor can then steal information, launch ransomware, or conduct other malicious activity.[1] Log4j is incorporated into thousands of products worldwide. This vulnerability was disclosed in December 2021; the rapid widespread exploitation of this vulnerability demonstrates the ability of malicious actors to quickly weaponize known vulnerabilities and target organizations before they patch.

  •    
  • CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, CVE-2021-27065. These vulnerabilities, known as ProxyLogon, affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination (i.e., "vulnerability chaining") allows an unauthenticated cyber actor to execute arbitrary code on vulnerable Exchange Servers, which, in turn, enables the actor to gain persistent access to files and mailboxes on the servers, as well as to credentials stored on the servers. Successful exploitation may additionally enable the cyber actor to compromise trust and identity in a vulnerable network.

  •    
  • CVE-2021-34523, CVE-2021-34473, CVE-2021-31207. These vulnerabilities, known as ProxyShell, also affect Microsoft Exchange email servers. Successful exploitation of these vulnerabilities in combination enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft's web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers. 

  •    
  • CVE-2021-26084. This vulnerability, affecting Atlassian Confluence Server and Data Center, could enable an unauthenticated actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a POC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.



Three of the top 15 routinely exploited vulnerabilities were also https://www.cisa.gov/uscert/ncas/alerts/aa21-209a">routinely exploited in 2020: CVE-2020-1472, CVE-2018-13379, and CVE-2019-11510. Their continued exploitation indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors.



Table 1: Top 15 Routinely Exploited Vulnerabilities in 2021




   
      
         
         
         
         
      
   
   
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
      
         
         
         
         
      
   

         

CVE


         

         

Vulnerability Name


         

         

Vendor and Product


         

         

Type


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-44228" style="color:#0563c1; text-decoration:underline">CVE-2021-44228


         

         

Log4Shell


         

         

Apache Log4j


         

         

Remote code execution (RCE)


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-40539" style="color:#0563c1; text-decoration:underline">CVE-2021-40539


         

         

 


         

         

Zoho ManageEngine AD SelfService Plus


         

         

RCE


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-34523" style="color:#0563c1; text-decoration:underline">CVE-2021-34523


         

         

ProxyShell


         

         

Microsoft Exchange Server


         

         

Elevation of privilege


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-34473" style="color:#0563c1; text-decoration:underline">CVE-2021-34473


         

         

ProxyShell


         

         

Microsoft Exchange Server


         

         

RCE


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-31207" style="color:#0563c1; text-decoration:underline">CVE-2021-31207


         

         

ProxyShell


         

         

Microsoft Exchange Server


         

         

Security feature bypass


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-27065" style="color:#0563c1; text-decoration:underline">CVE-2021-27065


         

         

ProxyLogon


         

         

Microsoft Exchange Server


         

         

RCE


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-26858" style="color:#0563c1; text-decoration:underline">CVE-2021-26858


         

         

ProxyLogon


         

         

Microsoft Exchange Server


         

         

RCE


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-26857" style="color:#0563c1; text-decoration:underline">CVE-2021-26857


         

         

ProxyLogon


         

         

Microsoft Exchange Server


         

         

RCE


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-26855" style="color:#0563c1; text-decoration:underline">CVE-2021-26855


         

         

ProxyLogon


         

         

Microsoft Exchange Server


         

         

RCE


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-26084" style="color:#0563c1; text-decoration:underline">CVE-2021-26084



         

 


         

         

 


         

         

Atlassian Confluence Server and Data Center


         

         

Arbitrary code execution


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-21972" style="color:#0563c1; text-decoration:underline">CVE-2021-21972


         

         

 


         

         

VMware vSphere Client


         

         

RCE


         

         

https://nvd.nist.gov/vuln/detail/CVE-2020-1472" style="color:#0563c1; text-decoration:underline">CVE-2020-1472


         

         

ZeroLogon


         

         

Microsoft Netlogon Remote Protocol (MS-NRPC)


         

         

Elevation of privilege


         

         

https://nvd.nist.gov/vuln/detail/CVE-2020-0688" style="color:#0563c1; text-decoration:underline">CVE-2020-0688


         

         

 


         

         

Microsoft Exchange Server


         

         

RCE


         

         

https://nvd.nist.gov/vuln/detail/CVE-2019-11510" style="color:#0563c1; text-decoration:underline">CVE-2019-11510


         

         

 


         

         

Pulse Secure Pulse Connect Secure


         

         

Arbitrary file reading


         

         

https://nvd.nist.gov/vuln/detail/CVE-2018-13379" style="color:#0563c1; text-decoration:underline">CVE-2018-13379


         

         

 


         

         

Fortinet FortiOS and FortiProxy


         

         

Path traversal


         


Additional Routinely Exploited Vulnerabilities



In addition to the 15 vulnerabilities listed in table 1, U.S., Australian, Canadian, New Zealand, and UK cybersecurity authorities identified vulnerabilities, listed in table 2, that were also routinely exploited by malicious cyber actors in 2021. 



These vulnerabilities include multiple vulnerabilities affecting internet-facing systems, including Accellion File Transfer Appliance (FTA), Windows Print Spooler, and Pulse Secure Pulse Connect Secure. Three of these vulnerabilities were also https://www.cisa.gov/uscert/ncas/alerts/aa21-209a">routinely exploited in 2020: CVE-2019-19781, CVE-2019-18935, and CVE-2017-11882.



Table 2: Additional Routinely Exploited Vulnerabilities in 2021




   
      
         
         
         
      
   
   
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
      
         
         
         
      
   

         

CVE


         

         

Vendor and Product


         

         

Type


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-42237" style="color:#0563c1; text-decoration:underline">CVE-2021-42237


         

         

Sitecore XP


         

         

RCE


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-35464" style="color:#0563c1; text-decoration:underline">CVE-2021-35464


         

         

ForgeRock OpenAM server


         

         

RCE


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-27104" style="color:#0563c1; text-decoration:underline">CVE-2021-27104


         

         

Accellion FTA


         

         

OS command execution


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-27103" style="color:#0563c1; text-decoration:underline">CVE-2021-27103


         

         

Accellion FTA


         

         

Server-side request forgery


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-27102" style="color:#0563c1; text-decoration:underline">CVE-2021-27102


         

         

Accellion FTA


         

         

OS command execution


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-27101" style="color:#0563c1; text-decoration:underline">CVE-2021-27101


         

         

Accellion FTA


         

         

SQL injection


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-21985" style="color:#0563c1; text-decoration:underline">CVE-2021-21985


         

         

VMware vCenter Server


         

         

RCE


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-20038" style="color:#0563c1; text-decoration:underline">CVE-2021-20038


         

         

SonicWall Secure Mobile Access (SMA)


         

         

RCE


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-40444" style="color:#0563c1; text-decoration:underline">CVE-2021-40444


         

         

Microsoft MSHTML


         

         

RCE


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-34527" style="color:#0563c1; text-decoration:underline">CVE-2021-34527


         

         

Microsoft Windows Print Spooler


         

         

RCE


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-3156" style="color:#0563c1; text-decoration:underline">CVE-2021-3156


         

         

Sudo


         

         

Privilege escalation


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-27852" style="color:#0563c1; text-decoration:underline">CVE-2021-27852


         

         

Checkbox Survey


         

         

Remote arbitrary code execution


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-22893" style="color:#0563c1; text-decoration:underline">CVE-2021-22893


         

         

Pulse Secure Pulse Connect Secure


         

         

Remote arbitrary code execution


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-20016" style="color:#0563c1; text-decoration:underline">CVE-2021-20016


         

         

SonicWall SSLVPN SMA100


         

         

Improper SQL command neutralization, allowing for credential access


         

         

https://nvd.nist.gov/vuln/detail/CVE-2021-1675" style="color:#0563c1; text-decoration:underline">CVE-2021-1675


         

         

Windows Print Spooler


         

         

RCE


         

         

https://nvd.nist.gov/vuln/detail/CVE-2020-2509" style="color:#0563c1; text-decoration:underline">CVE-2020-2509


         

         

QNAP QTS and QuTS hero


         

         

Remote arbitrary code execution


         

         

https://nvd.nist.gov/vuln/detail/CVE-2019-19781" style="color:#0563c1; text-decoration:underline">CVE-2019-19781


         

         

Citrix Application Delivery Controller (ADC) and Gateway


         

         

Arbitrary code execution


         

         

https://nvd.nist.gov/vuln/detail/CVE-2019-18935" style="color:#0563c1; text-decoration:underline">CVE-2019-18935


         

         

Progress Telerik UI for ASP.NET AJAX


         

         

Code execution


         

         

https://nvd.nist.gov/vuln/detail/CVE-2018-0171" style="color:#0563c1; text-decoration:underline">CVE-2018-0171


         

         

Cisco IOS Software and IOS XE Software


         

         

Remote arbitrary code execution


         

         

https://nvd.nist.gov/vuln/detail/CVE-2017-11882" style="color:#0563c1; text-decoration:underline">CVE-2017-11882


         

         

Microsoft Office


         

         

RCE


         

         

https://nvd.nist.gov/vuln/detail/CVE-2017-0199" style="color:#0563c1; text-decoration:underline">CVE-2017-0199


         

         

Microsoft Office


         

         

RCE


         

Mitigations

Vulnerability and Configuration Management




       
  • Update software, operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching https://www.cisa.gov/known-exploited-vulnerabilities-catalog">known exploited vulnerabilities, especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix. 

       

            
    • If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.

    •    

       

  •    
  • Use a centralized patch management system.

  •    
  • Replace end-of-life software, i.e., software that is no longer supported by the vendor. For example, Accellion FTA was retired in April 2021.

  •    
  • Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications—such as webmail, file storage, file sharing, and chat and other employee collaboration tools—for their customers. However, as MSPs and CSPs expand their client organization's attack surface and may introduce unanticipated risks, organizations should proactively collaborate with their MSPs and CSPs to jointly reduce that risk. For more information and guidance, see the following resources.
       
       



Identity and Access Management




       
  • Enforce multifactor authentication (MFA) for all users, without exception.

  •    
  • Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in remote work to use strong passwords. 

  •    
  • Regularly review, validate, or remove privileged accounts (annually at a minimum).

  •    
  • Configure access control under the concept of least privilege principle.
       

            
    • Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (non-administrative privileges).

    •    

       



Note: see https://cisa.gov/sites/default/files/publications/CISA_CEG_Implementing_Strong_Authentication_508_1.pdf">CISA Capacity Enhancement Guide – Implementing Strong Authentication and ACSC guidance on https://www.cyber.gov.au/acsc/view-all-content/publications/implementing-multi-factor-authentication">Implementing Multi-Factor Authentication for more information on hardening authentication systems.



Protective Controls and Architecture 




       
  • Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices. 
       

            
    • Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.

    •       
    • Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.

    •       
    • Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).

    •    

       

  •    
  • Segment networks to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks. 

  •    
  • Continuously monitor the attack surface and investigate abnormal activity that may indicate lateral movement of a threat actor or malware.
       

            
    • Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure your EDR, SIEM, vulnerability scanner etc., are reporting the same number of assets.

    •       
    • Monitor the environment for potentially unwanted programs.

    •    

       

  •    
  • Reduce third-party applications and unique system/appl
Let's not argue. Let's network!