US-CERT - 2022 Top Routinely Exploited Vulnerabilities

Started by Netwörkheäd, August 03, 2023, 06:13:57 PM


Netwörkheäd

2022 Top Routinely Exploited Vulnerabilities


SUMMARY


The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA):


  • United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)

  • Australia: Australian Signals Directorate's Australian Cyber Security Centre (ACSC)

  • Canada: Canadian Centre for Cyber Security (CCCS)

  • New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)

  • United Kingdom: National Cyber Security Centre (NCSC-UK)

This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.


The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of compromise by malicious cyber actors.


  • Vendors, designers, and developers: Implement secure-by-design and -default principles and tactics (https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default) to reduce the prevalence of vulnerabilities in your software.
    • Follow the Secure Software Development Framework (SSDF), also known as NIST SP 800-218 (https://csrc.nist.gov/publications/detail/sp/800-218/final), and implement secure design practices into each stage of the software development life cycle (SDLC). As part of this, establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.

    • Prioritize secure-by-default configurations, such as eliminating default passwords, or requiring additional configuration changes to enhance product security.

    • Ensure that published CVEs include the proper CWE field identifying the root cause of the vulnerability.


  • End-user organizations:
    • Apply timely patches to systems. Note: First check for signs of compromise if CVEs identified in this CSA have not been patched.

    • Implement a centralized patch management system.

    • Use security tools, such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers.

    • Ask your software providers to discuss their secure by design program and to provide links to information about how they are working to remove classes of vulnerabilities and to set secure default settings.


Download the PDF version of this report: AA23-215A PDF (PDF, 980.90 KB)
https://www.cisa.gov/sites/default/files/2023-08/aa23-215a_joint_csa_2022_top_routinely_exploited_vulnerabilities.pdf



TECHNICAL DETAILS


Key Findings


In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors.


Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure—the value of such vulnerabilities gradually decreases as software is patched or upgraded. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations).


Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs. While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, widespread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years. Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets' networks. Multiple CVEs or CVE chains require the actor to send a malicious web request to the vulnerable device, which often includes unique signatures that can be detected through deep packet inspection.
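The Key Findings note that many of these CVE chains begin with a malicious web request whose shape can be recognised on the wire. The following Python is an added example, not part of the advisory: it scans web-server access-log lines for the path-traversal pattern behind the CWE-22 entries in Table 1, including the double-encoding case that a naive substring match misses. The log lines and RFC 5737 addresses are constructed; the log format assumed is the common Apache/nginx combined layout.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the advisory). Lines 3 and 4 carry
# percent-encoded traversal sequences; line 5 has a '..' that stays inside the root.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Aug/2023:18:13:57 +0000] "GET /remote/login HTTP/1.1" 200 512
203.0.113.11 - - [03/Aug/2023:18:14:01 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 2048
203.0.113.12 - - [03/Aug/2023:18:14:05 +0000] "GET /static/..%2F..%2Fconfig.xml HTTP/1.1" 404 0
203.0.113.13 - - [03/Aug/2023:18:14:09 +0000] "GET /img/%252e%252e/%252e%252e/secret HTTP/1.1" 404 0
203.0.113.14 - - [03/Aug/2023:18:14:12 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 300
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def fully_decode(path, max_rounds=3):
    """Percent-decode repeatedly so double-encoded dots (%252e) cannot slip past the check."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def escapes_web_root(raw_path):
    """Return True if the normalised path climbs above '/', i.e. a traversal attempt."""
    path = fully_decode(raw_path.split('?', 1)[0]).replace('\\', '/')
    depth = 0
    for seg in path.split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:          # climbed above the web root
                return True
        elif seg not in ('', '.'):
            depth += 1
    return False

def find_traversal_attempts(log_text):
    """Return (client ip, raw request path) for every request that escapes the web root."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and escapes_web_root(m.group('path')):
            hits.append((m.group('ip'), m.group('path')))
    return hits

if __name__ == '__main__':
    for ip, path in find_traversal_attempts(SAMPLE_LOG):
        print(f'CWE-22 traversal pattern from {ip}: {path}')
```

Normalising before matching is the point: the second flagged line contains no literal `..` or `%2e` until it has been decoded twice, while the harmless relative `..` on the last line is correctly ignored.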


Top Routinely Exploited Vulnerabilities


Table 1 shows the top 12 vulnerabilities the co-authors observed malicious cyber actors routinely exploiting in 2022:

Table 1: Top 12 Routinely Exploited Vulnerabilities in 2022

| CVE | Vendor | Product | Type | CWE |
| --- | --- | --- | --- | --- |
| CVE-2018-13379 | Fortinet | FortiOS and FortiProxy | SSL VPN credential exposure | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CVE-2021-34473 (Proxy Shell) | Microsoft | Exchange Server | RCE | CWE-918 Server-Side Request Forgery (SSRF) |
| CVE-2021-31207 (Proxy Shell) | Microsoft | Exchange Server | Security Feature Bypass | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CVE-2021-34523 (Proxy Shell) | Microsoft | Exchange Server | Elevation of Privilege | CWE-287 Improper Authentication |
| CVE-2021-40539 | Zoho ManageEngine | ADSelfService Plus | RCE/Authentication Bypass | CWE-287 Improper Authentication |
| CVE-2021-26084 | Atlassian | Confluence Server and Data Center | Arbitrary code execution | CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CVE-2021-44228 (Log4Shell) | Apache | Log4j2 | RCE | CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') |


Let's not argue. Let's network!