US-CERT- 2022 Top Routinely Exploited Vulnerabilities

[Netwörkheäd]

2022 Top Routinely Exploited Vulnerabilities

[html]

SUMMARY

The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA):

• United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)


• Australia: Australian Signals Directorate's Australian Cyber Security Centre (ACSC)


• Canada: Canadian Centre for Cyber Security (CCCS)


• New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)


• United Kingdom: National Cyber Security Centre (NCSC-UK)

This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.

The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of compromise by malicious cyber actors.

• Vendors, designers, and developers: Implement https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default" title="Security-by-Design and -Default">secure-by-design and -default principles and tactics to reduce the prevalence of vulnerabilities in your software.
  
  • Follow the Secure Software Development Framework (SSDF), also known as https://csrc.nist.gov/publications/detail/sp/800-218/final" title="NIST SP 800-218">SP 800-218, and implement secure design practices into each stage of the software development life cycle (SDLC). As part of this, establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.
  
  
  • Prioritize secure-by-default configurations, such as eliminating default passwords, or requiring addition configuration changes to enhance product security.
  
  
  • Ensure that published CVEs include the proper CWE field identifying the root cause of the vulnerability.
  
  


• End-user organizations:
  
  • Apply timely patches to systems. Note: First check for signs of compromise if CVEs identified in this CSA have not been patched.
  
  
  • Implement a centralized patch management system.
  
  
  • Use security tools, such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers.
  
  
  • Ask your software providers to discuss their secure by design program and to provide links to information about how they are working to remove classes of vulnerabilities and to set secure default settings.
  
  

Download the PDF version of this report:

   

    https://www.cisa.gov/sites/default/files/2023-08/aa23-215a_joint_csa_2022_top_routinely_exploited_vulnerabilities.pdf" class="c-file__link" target="_blank">AA23-215A PDF
    (PDF,       980.90 KB
  )
 

TECHNICAL DETAILS

Key Findings

In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors.

Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure—the value of such vulnerabilities gradually decreases as software is patched or upgraded. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations).

Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs. While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, wide-spread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years. Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets' networks. Multiple CVE or CVE chains require the actor to send a malicious web request to the vulnerable device, which often includes unique signatures that can be detected through deep packet inspection.

Top Routinely Exploited Vulnerabilities

Table 1 shows the top 12 vulnerabilities the co-authors observed malicious cyber actors routinely exploiting in 2022:

• https://nvd.nist.gov/vuln/detail/CVE-2018-13379" title="CVE-2018-13379">CVE-2018-13379. This vulnerability, affecting Fortinet SSL VPNs, was also https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-209a" title="Top Routinely Exploited Vulnerabilities">routinely exploited in 2020 and https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-117a" title="2021 Top Routinely Exploited Vulnerabilities">2021. The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors.


• https://nvd.nist.gov/vuln/detail/CVE-2021-34473" title="CVE-2021-34473">CVE-2021-34473, https://nvd.nist.gov/vuln/detail/CVE-2021-31207" title="CVE-2021-31207">CVE-2021-31207, https://nvd.nist.gov/vuln/detail/CVE-2021-34523" title="CVE-2021-34523">CVE-2021-34523. These vulnerabilities, known as ProxyShell, affect Microsoft Exchange email servers. In combination, successful exploitation enables a remote actor to execute arbitrary code. These vulnerabilities reside within the Microsoft Client Access Service (CAS), which typically runs on port 443 in Microsoft Internet Information Services (IIS) (e.g., Microsoft's web server). CAS is commonly exposed to the internet to enable users to access their email via mobile devices and web browsers.


• https://nvd.nist.gov/vuln/detail/CVE-2021-40539" title="CVE-2021-40539">CVE-2021-40539. This vulnerability enables unauthenticated remote code execution (RCE) in Zoho ManageEngine ADSelfService Plus and was linked to the usage of an outdated third-party dependency. Initial exploitation of this vulnerability https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-259a" title="APT Actors Exploiting Newly Identified Vulnerability in ManageEngine ADSelfService Plus">began in late 2021 and https://media.defense.gov/2022/Oct/06/2003092365/-1/-1/0/Joint_CSA_Top_CVEs_Exploited_by_PRC_cyber_actors_.PDF" title="Top CVEs Actively Exploited By People's Republic of China State-Sponsored Cyber Actors">continued throughout 2022.


• https://nvd.nist.gov/vuln/detail/CVE-2021-26084" title="CVE-2021-26084">CVE-2021-26084. This vulnerability, affecting Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) could enable an unauthenticated cyber actor to execute arbitrary code on vulnerable systems. This vulnerability quickly became one of the most routinely exploited vulnerabilities after a PoC was released within a week of its disclosure. Attempted mass exploitation of this vulnerability was observed in September 2021.


• https://nvd.nist.gov/vuln/detail/CVE-2021-44228" title="CVE-2021-44228">CVE-2021- 44228. This vulnerability, known as Log4Shell, affects Apache's Log4j library, an open-source logging framework incorporated into thousands of products worldwide. An actor can exploit this vulnerability by submitting a specially crafted request to a vulnerable system, causing the execution of arbitrary code. The request allows a cyber actor to take full control of a system. The actor can then steal information, launch ransomware, or conduct other malicious activity.https://www.cisa.gov/news-events/news/apache-log4j-vulnerability-guidance">[1] Malicious cyber actors began exploiting the vulnerability after it was publicly disclosed in December 2021, and continued to show high interest in CVE-2021- 44228 through the first half of 2022.


• https://nvd.nist.gov/vuln/detail/CVE-2022-22954" title="CVE-2022-22954">CVE-2022-22954, https://nvd.nist.gov/vuln/detail/CVE-2022-22960" title="CVE-2022-22960">CVE-2022-22960. These vulnerabilities allow RCE, privilege escalation, and authentication bypass in VMware Workspace ONE Access, Identity Manager, and other VMware products. A malicious cyber actor with network access could trigger a server-side template injection that may result in remote code execution. Exploitation of CVE-2022-22954 and CVE-2022-22960 https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-138b" title="Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control">began in early 2022 and attempts continued throughout the remainder of the year.


• https://nvd.nist.gov/vuln/detail/CVE-2022-1388" title="CVE-2022-1388">CVE-2022-1388. This vulnerability allows unauthenticated malicious cyber actors to bypass iControl REST authentication on F5 BIG-IP application delivery and security software.


• https://nvd.nist.gov/vuln/detail/CVE-2022-30190" title="CVE-2022-30190">CVE-2022-30190. This vulnerability impacts the Microsoft Support Diagnostic Tool (MSDT) in Windows. A remote, unauthenticated cyber actor could exploit this vulnerability to take control of an affected system.


• https://nvd.nist.gov/vuln/detail/CVE-2022-26134" title="CVE-2022-26134">CVE-2022-26134. This critical RCE vulnerability affects Atlassian Confluence and Data Center. The vulnerability, which was likely initially exploited as a zero-day before public disclosure in June 2022, is related to an older Confluence vulnerability (https://nvd.nist.gov/vuln/detail/CVE-2021-26084" title="CVE-2021-26084">CVE-2021-26084), which cyber actors also exploited in 2022.

Table 1: Top 12 Routinely Exploited Vulnerabilities in 2022

CVE	Vendor	Product	Type	CWE
https://nvd.nist.gov/vuln/detail/CVE-2018-13379" title="CVE-2018-13379">CVE-2018-13379	Fortinet	FortiOS and FortiProxy	SSL VPN credential exposure	https://cwe.mitre.org/data/definitions/22.html" title="CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')">CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
https://nvd.nist.gov/vuln/detail/CVE-2021-34473" title="CVE-2021-34473">CVE-2021-34473 (Proxy Shell)	Microsoft	Exchange Server	RCE	https://cwe.mitre.org/data/definitions/918.html" title="CWE-918: Server-Side Request Forgery (SSRF)">CWE-918 Server-Side Request Forgery (SSRF)
https://nvd.nist.gov/vuln/detail/CVE-2021-31207" title="CVE-2021-31207">CVE-2021-31207 (Proxy Shell)	Microsoft	Exchange Server	Security Feature Bypass	https://cwe.mitre.org/data/definitions/22.html" title="CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')">CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
https://nvd.nist.gov/vuln/detail/CVE-2021-34523" title="CVE-2021-34523">CVE-2021-34523 (Proxy Shell)	Microsoft	Exchange Server	Elevation of Privilege	https://cwe.mitre.org/data/definitions/287.html" title="CWE-287: Improper Authentication">CWE-287 Improper Authentication
https://nvd.nist.gov/vuln/detail/CVE-2021-40539" title="CVE-2021-40539">CVE-2021-40539	Zoho ManageEngine	ADSelfService Plus	RCE/ Authentication Bypass	https://cwe.mitre.org/data/definitions/287.html" title="CWE-287: Improper Authentication">CWE-287 Improper Authentication
https://nvd.nist.gov/vuln/detail/CVE-2021-26084" title="CVE-2021-26084">CVE-2021-26084	Atlassian	Confluence Server and Data Center	Arbitrary code execution	https://cwe.mitre.org/data/definitions/74.html" title="CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')">CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
https://nvd.nist.gov/vuln/detail/CVE-2021-44228" title="CVE-2021-44228">CVE-2021- 44228 (Log4Shell)	Apache	Log4j2	RCE	https://cwe.mitre.org/data/definitions/917.html" title="CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')">CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') Let's not argue. Let's network! Print Go Up Pages1 User actions Networking-Forums.com Professional Discussions Vendor Advisories US-CERT- 2022 Top Routinely Exploited Vulnerabilities User actions Print Help | Terms and Rules | Go Up ▲ SMF 2.1.4 © 2023, Simple Machines