US-CERT- 2022 Top Routinely Exploited Vulnerabilities

Started by Netwörkheäd, August 12, 2023, 06:12:16 AM


Netwörkheäd

2022 Top Routinely Exploited Vulnerabilities


SUMMARY


The following cybersecurity agencies coauthored this joint Cybersecurity Advisory (CSA):


  • United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)

  • Australia: Australian Signals Directorate's Australian Cyber Security Centre (ACSC)

  • Canada: Canadian Centre for Cyber Security (CCCS)

  • New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)

  • United Kingdom: National Cyber Security Centre (NCSC-UK)

This advisory provides details on the Common Vulnerabilities and Exposures (CVEs) routinely and frequently exploited by malicious cyber actors in 2022 and the associated Common Weakness Enumeration(s) (CWE). In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems.


The authoring agencies strongly encourage vendors, designers, developers, and end-user organizations to implement the recommendations found within the Mitigations section of this advisory—including the following—to reduce the risk of compromise by malicious cyber actors.


  • Vendors, designers, and developers: Implement secure-by-design and -default principles and tactics (https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default) to reduce the prevalence of vulnerabilities in your software.
    • Follow the Secure Software Development Framework (SSDF), also known as NIST SP 800-218 (https://csrc.nist.gov/publications/detail/sp/800-218/final), and implement secure design practices into each stage of the software development life cycle (SDLC). As part of this, establish a coordinated vulnerability disclosure program that includes processes to determine root causes of discovered vulnerabilities.

    • Prioritize secure-by-default configurations, such as eliminating default passwords, or requiring additional configuration changes to enhance product security.

    • Ensure that published CVEs include the proper CWE field identifying the root cause of the vulnerability.


  • End-user organizations:
    • Apply timely patches to systems. Note: First check for signs of compromise if CVEs identified in this CSA have not been patched.

    • Implement a centralized patch management system.

    • Use security tools, such as endpoint detection and response (EDR), web application firewalls, and network protocol analyzers.

    • Ask your software providers to discuss their secure by design program and to provide links to information about how they are working to remove classes of vulnerabilities and to set secure default settings.


Download the PDF version of this report: AA23-215A PDF (PDF, 980.90 KB)


TECHNICAL DETAILS


Key Findings


In 2022, malicious cyber actors exploited older software vulnerabilities more frequently than recently disclosed vulnerabilities and targeted unpatched, internet-facing systems. Proof of concept (PoC) code was publicly available for many of the software vulnerabilities or vulnerability chains, likely facilitating exploitation by a broader range of malicious cyber actors.


Malicious cyber actors generally have the most success exploiting known vulnerabilities within the first two years of public disclosure—the value of such vulnerabilities gradually decreases as software is patched or upgraded. Timely patching reduces the effectiveness of known, exploitable vulnerabilities, possibly decreasing the pace of malicious cyber actor operations and forcing pursuit of more costly and time-consuming methods (such as developing zero-day exploits or conducting software supply chain operations).


Malicious cyber actors likely prioritize developing exploits for severe and globally prevalent CVEs. While sophisticated actors also develop tools to exploit other vulnerabilities, developing exploits for critical, widespread, and publicly known vulnerabilities gives actors low-cost, high-impact tools they can use for several years. Additionally, cyber actors likely give higher priority to vulnerabilities that are more prevalent in their specific targets' networks. Multiple CVEs or CVE chains require the actor to send a malicious web request to the vulnerable device; such requests often carry unique signatures that can be detected through deep packet inspection.


Top Routinely Exploited Vulnerabilities


Table 1 shows the top 12 vulnerabilities the co-authors observed malicious cyber actors routinely exploiting in 2022:

Table 1: Top 12 Routinely Exploited Vulnerabilities in 2022

| CVE | Vendor | Product | Type | CWE |
| --- | --- | --- | --- | --- |
| CVE-2018-13379 | Fortinet | FortiOS and FortiProxy | SSL VPN credential exposure | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CVE-2021-34473 (ProxyShell) | Microsoft | Exchange Server | RCE | CWE-918: Server-Side Request Forgery (SSRF) |
| CVE-2021-31207 (ProxyShell) | Microsoft | Exchange Server | Security Feature Bypass | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CVE-2021-34523 (ProxyShell) | Microsoft | Exchange Server | Elevation of Privilege | CWE-287: Improper Authentication |
| CVE-2021-40539 | Zoho ManageEngine | ADSelfService Plus | RCE/Authentication Bypass | CWE-287: Improper Authentication |
| CVE-2021-26084 | Atlassian | Confluence Server and Data Center | Arbitrary code execution | CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CVE-2021-44228 (Log4Shell) | Apache | Log4j2 | RCE | CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection'); CWE-20: Improper Input Validation; CWE-400: Uncontrolled Resource Consumption; CWE-502: Deserialization of Untrusted Data |
| CVE-2022-22954 | VMware | Workspace ONE Access and Identity Manager | RCE | CWE-94: Improper Control of Generation of Code ('Code Injection') |
| CVE-2022-22960 | VMware | Workspace ONE Access, Identity Manager, and vRealize Automation | Improper Privilege Management | CWE-269: Improper Privilege Management |
| CVE-2022-1388 | F5 Networks | BIG-IP | Missing Authentication Vulnerability | CWE-306: Missing Authentication for Critical Function |
| CVE-2022-30190 | Microsoft | Multiple Products | RCE | None Listed |
| CVE-2022-26134 | Atlassian | Confluence Server and Data Center | RCE | CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |

Each CVE in the table links to its NVD entry (https://nvd.nist.gov/vuln/detail/<CVE-ID>) and each CWE to its MITRE definition (https://cwe.mitre.org/data/definitions/<number>.html).



Additional Routinely Exploited Vulnerabilities


In addition to the 12 vulnerabilities listed in Table 1, the authoring agencies identified vulnerabilities—listed in Table 2—that were also routinely exploited by malicious cyber actors in 2022.

Table 2: Additional Routinely Exploited Vulnerabilities in 2022

| CVE | Vendor | Product | Type | CWE |
| --- | --- | --- | --- | --- |
| CVE-2017-0199 | Microsoft | Multiple Products | Arbitrary Code Execution | None Listed |
| CVE-2017-11882 | Microsoft | Exchange Server | Arbitrary Code Execution | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer |
| CVE-2019-11510 | Ivanti | Pulse Secure Pulse Connect Secure | Arbitrary File Reading | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CVE-2019-0708 | Microsoft | Remote Desktop Services | RCE | CWE-416: Use After Free |
| CVE-2019-19781 | Citrix | Application Delivery Controller and Gateway | Arbitrary Code Execution | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CVE-2020-5902 | F5 Networks | BIG-IP | RCE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CVE-2020-1472 | Microsoft | Multiple Products | Privilege Escalation | CWE-330: Use of Insufficiently Random Values |
| CVE-2020-14882 | Oracle | WebLogic Server | RCE | None Listed |
| CVE-2020-14883 | Oracle | WebLogic Server | RCE | None Listed |
| CVE-2021-20016 | SonicWALL | SSLVPN SMA100 | SQL Injection | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| CVE-2021-26855 (ProxyLogon) | Microsoft | Exchange Server | RCE | CWE-918: Server-Side Request Forgery (SSRF) |
| CVE-2021-27065 (ProxyLogon) | Microsoft | Exchange Server | RCE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CVE-2021-26858 (ProxyLogon) | Microsoft | Exchange Server | RCE | None Listed |
| CVE-2021-26857 (ProxyLogon) | Microsoft | Exchange Server | RCE | CWE-502: Deserialization of Untrusted Data |
| CVE-2021-20021 | SonicWALL | Email Security | Privilege Escalation Exploit Chain | CWE-269: Improper Privilege Management |
| CVE-2021-40438 | Apache | HTTP Server | Server-Side Request Forgery | CWE-918: Server-Side Request Forgery (SSRF) |
| CVE-2021-41773 | Apache | HTTP Server | Server Path Traversal | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CVE-2021-42013 | Apache | HTTP Server | Server Path Traversal | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CVE-2021-20038 | SonicWall | SMA 100 Series Appliances | Stack-based Buffer Overflow | CWE-787: Out-of-bounds Write; CWE-121: Stack-based Buffer Overflow |
| CVE-2021-45046 | Apache | Log4j | RCE | CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') |
| CVE-2022-42475 | Fortinet | FortiOS | Heap-based Buffer Overflow | CWE-787: Out-of-bounds Write |
| CVE-2022-24682 | Zimbra | Collaboration Suite | Cross-site Scripting | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CVE-2022-22536 | SAP | Internet Communication Manager (ICM) | HTTP Request Smuggling | CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') |
| CVE-2022-22963 | VMware Tanzu | Spring Cloud | RCE | CWE-94: Improper Control of Generation of Code ('Code Injection'); CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') |
| CVE-2022-29464 | WSO2 | Multiple Products | RCE | CWE-434: Unrestricted Upload of File with Dangerous Type |
| CVE-2022-27924 | Zimbra | Zimbra Collaboration Suite | Command Injection | CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CVE-2022-22047 | Microsoft | Windows CSRSS | Elevation of Privilege | CWE-269: Improper Privilege Management |
| CVE-2022-27593 | QNAP | QNAP NAS | Externally Controlled Reference | CWE-610: Externally Controlled Reference to a Resource in Another Sphere |
| CVE-2022-41082 | Microsoft | Exchange Server | Privilege Escalation | None Listed |
| CVE-2022-40684 | Fortinet | FortiOS, FortiProxy, FortiSwitchManager | Authentication Bypass | CWE-306: Missing Authentication for Critical Function |

Each CVE in the table links to its NVD entry (https://nvd.nist.gov/vuln/detail/<CVE-ID>) and each CWE to its MITRE definition (https://cwe.mitre.org/data/definitions/<number>.html).



MITIGATIONS


Vendors and Developers


The authoring agencies recommend vendors and developers take the following steps to ensure their products are secure by design and default:


  • Identify repeatedly exploited classes of vulnerability. Perform an analysis of both CVEs and known exploited vulnerabilities to understand which classes of vulnerability are identified more than others. Implement appropriate mitigations to eliminate those classes of vulnerability. For example, if a product has several instances of SQL injection vulnerabilities, ensure all database queries in the product use parameterized queries, and prohibit other forms of queries.

  • Ensure business leaders are responsible for security. Business leaders should ensure that proactive steps are taken to eliminate entire classes of security vulnerabilities, rather than only making one-off patches when new vulnerabilities are discovered.

  • Follow the SSDF (NIST SP 800-218, https://csrc.nist.gov/publications/detail/sp/800-218/final) and implement secure design practices into each stage of the SDLC. Pay attention to:
    • Prioritize secure-by-default configurations such as eliminating default passwords, implementing single sign on (SSO) technology via modern open standards, and providing high-quality audit logs to customers with no additional configuration and at no extra charge.

    • Ensure published CVEs include the proper CWE field identifying the root cause of the vulnerability to enable industry-wide analysis of software security and design flaws.

For more information on designing secure-by-design and -default products, including additional recommended secure-by-default configurations, see the joint guide Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default (https://www.cisa.gov/resources-tools/resources/secure-by-design-and-default).


End-User Organizations


The authoring agencies recommend end-user organizations implement the mitigations below to improve cybersecurity posture on the basis of the threat actors' activity. These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA's Cross-Sector Cybersecurity Performance Goals (https://www.cisa.gov/cross-sector-cybersecurity-performance-goals) for more information on CPGs, including additional recommended baseline protections.


Vulnerability and Configuration Management


  • Update software, operating systems, applications, and firmware on IT network assets in a timely manner [CPG 1.E]. Prioritize patching known exploited vulnerabilities (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), especially those CVEs identified in this CSA, then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix.
    • If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.

    • Replace end-of-life software (i.e., software no longer supported by the vendor).


  • Routinely perform automated asset discovery across the entire estate to identify and catalogue all the systems, services, hardware and software.

  • Implement a robust patch management process and centralized patch management system that establishes prioritization of patch applications [CPG 1.A].

  • Document secure baseline configurations for all IT/OT components, including cloud infrastructure. Monitor, examine, and document any deviations from the initial secure baseline [CPG 2.O].

  • Perform regular secure system backups and create known good copies of all device configurations for repairs and/or restoration. Store copies off-network in physically secure locations and test regularly [CPG 2.R].

  • Maintain an updated cybersecurity incident response plan that is tested at least annually and updated within a risk informed time frame to ensure its effectiveness [CPG 2.S].
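The two analyses this advisory asks for, the "repeatedly exploited classes of vulnerability" count from the Vendors and Developers section and the patch-prioritization order from the first bullet above, worked as an added Python example (not the authoring agencies' code). ADVISORY_ROWS transcribes Tables 1 and 2 of this advisory; SAMPLE_FINDINGS and the CVE-PLACEHOLDER-* ids are constructed, and the advisory's own CVE list stands in offline for the Known Exploited Vulnerabilities catalog.

```python
"""Triage helpers built from this advisory's own tables.

Added example, not the authoring agencies' code. ADVISORY_ROWS transcribes
Tables 1 and 2 as (CVE, vendor, CWEs); an empty CWE tuple is the tables'
"None Listed". SAMPLE_FINDINGS is constructed scanner output and the
CVE-PLACEHOLDER-* ids are not real CVEs.
"""
from collections import Counter

ADVISORY_ROWS = [
    ("CVE-2018-13379", "Fortinet", ("CWE-22",)),
    ("CVE-2021-34473", "Microsoft", ("CWE-918",)),
    ("CVE-2021-31207", "Microsoft", ("CWE-22",)),
    ("CVE-2021-34523", "Microsoft", ("CWE-287",)),
    ("CVE-2021-40539", "Zoho ManageEngine", ("CWE-287",)),
    ("CVE-2021-26084", "Atlassian", ("CWE-74",)),
    ("CVE-2021-44228", "Apache", ("CWE-917", "CWE-20", "CWE-400", "CWE-502")),
    ("CVE-2022-22954", "VMware", ("CWE-94",)),
    ("CVE-2022-22960", "VMware", ("CWE-269",)),
    ("CVE-2022-1388", "F5 Networks", ("CWE-306",)),
    ("CVE-2022-30190", "Microsoft", ()),
    ("CVE-2022-26134", "Atlassian", ("CWE-74",)),
    ("CVE-2017-0199", "Microsoft", ()),
    ("CVE-2017-11882", "Microsoft", ("CWE-119",)),
    ("CVE-2019-11510", "Ivanti", ("CWE-22",)),
    ("CVE-2019-0708", "Microsoft", ("CWE-416",)),
    ("CVE-2019-19781", "Citrix", ("CWE-22",)),
    ("CVE-2020-5902", "F5 Networks", ("CWE-22",)),
    ("CVE-2020-1472", "Microsoft", ("CWE-330",)),
    ("CVE-2020-14882", "Oracle", ()),
    ("CVE-2020-14883", "Oracle", ()),
    ("CVE-2021-20016", "SonicWALL", ("CWE-89",)),
    ("CVE-2021-26855", "Microsoft", ("CWE-918",)),
    ("CVE-2021-27065", "Microsoft", ("CWE-22",)),
    ("CVE-2021-26858", "Microsoft", ()),
    ("CVE-2021-26857", "Microsoft", ("CWE-502",)),
    ("CVE-2021-20021", "SonicWALL", ("CWE-269",)),
    ("CVE-2021-40438", "Apache", ("CWE-918",)),
    ("CVE-2021-41773", "Apache", ("CWE-22",)),
    ("CVE-2021-42013", "Apache", ("CWE-22",)),
    ("CVE-2021-20038", "SonicWall", ("CWE-787", "CWE-121")),
    ("CVE-2021-45046", "Apache", ("CWE-917",)),
    ("CVE-2022-42475", "Fortinet", ("CWE-787",)),
    ("CVE-2022-24682", "Zimbra", ("CWE-79",)),
    ("CVE-2022-22536", "SAP", ("CWE-444",)),
    ("CVE-2022-22963", "VMware Tanzu", ("CWE-94", "CWE-917")),
    ("CVE-2022-29464", "WSO2", ("CWE-434",)),
    ("CVE-2022-27924", "Zimbra", ("CWE-74",)),
    ("CVE-2022-22047", "Microsoft", ("CWE-269",)),
    ("CVE-2022-27593", "QNAP", ("CWE-610",)),
    ("CVE-2022-41082", "Microsoft", ()),
    ("CVE-2022-40684", "Fortinet", ("CWE-306",)),
]
# Offline stand-in for the KEV catalog: the CVEs this CSA names.
CSA_CVES = {cve for cve, _, _ in ADVISORY_ROWS}


def cwe_frequency(rows=ADVISORY_ROWS, vendor=None):
    """Count weakness classes across the rows (the 'repeatedly exploited
    classes' analysis the Mitigations section asks vendors to perform);
    vendor=... restricts the count to one vendor's rows."""
    counts = Counter()
    for _, vnd, cwes in rows:
        if vendor is None or vnd == vendor:
            counts.update(cwes)
    return counts


def cves_without_cwe(rows=ADVISORY_ROWS):
    """CVEs whose record carries no CWE, so no root cause can be analysed."""
    return [cve for cve, _, cwes in rows if not cwes]


def patch_priority(finding):
    """Tier per the CSA: 0 = CVE named in this advisory, 1 = critical/high
    RCE or DoS on internet-facing equipment, 2 = everything else."""
    if finding["cve"] in CSA_CVES:
        return 0
    if (finding["severity"] in ("CRITICAL", "HIGH")
            and finding["impact"] in ("RCE", "DoS") and finding["internet_facing"]):
        return 1
    return 2


def prioritize(findings):
    """Tier first, then CVE id, so the patch queue is reproducible."""
    return sorted(findings, key=lambda f: (patch_priority(f), f["cve"]))


SAMPLE_FINDINGS = [  # constructed scanner output, not from any real scan
    {"cve": "CVE-PLACEHOLDER-1", "asset": "web02", "severity": "HIGH", "impact": "RCE", "internet_facing": True},
    {"cve": "CVE-2022-1388", "asset": "lb01", "severity": "CRITICAL", "impact": "RCE", "internet_facing": True},
    {"cve": "CVE-PLACEHOLDER-2", "asset": "db01", "severity": "HIGH", "impact": "RCE", "internet_facing": False},
    {"cve": "CVE-PLACEHOLDER-3", "asset": "web02", "severity": "MEDIUM", "impact": "XSS", "internet_facing": True},
    {"cve": "CVE-2019-11510", "asset": "vpn01", "severity": "CRITICAL", "impact": "File read", "internet_facing": True},
]

if __name__ == "__main__":
    print("most common classes:", cwe_frequency().most_common(5))
    print("no CWE recorded:", cves_without_cwe())
    for f in prioritize(SAMPLE_FINDINGS):
        print(patch_priority(f), f["cve"], f["asset"])
```

Run as written, the class count puts CWE-22 (path traversal) first with 8 of the 42 entries, and six entries carry no CWE at all, which is exactly the gap the "proper CWE field" recommendation targets.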

Identity and Access Management


Protective Controls and Architecture


  • Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices [CPG 2.V, 2.W, 2.X].
    • Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP.

    • Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting.

    • Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).


  • Implement Zero Trust Network Architecture (ZTNA) to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks [CPG 2.F, 2.X]. Note: See the Department of Defense's Zero Trust Reference Architecture (https://dodcio.defense.gov/Portals/0/Documents/Library/(U)ZT_RA_v2.0(U)_Sep22.pdf) for additional information on Zero Trust.

  • Continuously monitor the attack surface and investigate abnormal activity that may indicate cyber actor or malware lateral movement [CPG 2.T].
    • Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure EDR, SIEM, vulnerability scanner, and other similar tools are reporting the same number of assets [CPG 2.T, 2.V].

    • Use web application firewalls to monitor and filter web traffic. These tools are commercially available via hardware, software, and cloud-based solutions, and may detect and mitigate exploitation attempts where a cyber actor sends a malicious web request to an unpatched device [CPG 2.B, 2.F].

    • Implement an administrative policy and/or automated process configured to monitor unwanted hardware, software, or programs against an allowlist with specified approved versions [CPG 2.Q].

    • Use a network protocol analyzer to examine captured data, including packet-level data.


Supply Chain Security


  • Reduce third-party applications and unique system/application builds—provide exceptions only if required to support business critical functions [CPG 2.Q].

  • Ensure contracts require vendors and/or third-party service providers to:
    • Provide notification of security incidents and vulnerabilities within a risk informed time frame [CPG 1.G, 1.H, 1.I].

    • Supply a Software Bill of Materials (SBOM) with all products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities [CPG 4.B].


  • Ask your software providers to discuss their secure by design program and to provide links to information about how they are working to remove classes of vulnerabilities, and to set secure default settings.

RESOURCES


DISCLAIMER


The information in this report is being provided "as is" for informational purposes only. CISA, FBI, NSA, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK do not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring.


PURPOSE


This document was developed by CISA, NSA, FBI, ACSC, CCCS, NCSC-NZ, CERT NZ, and NCSC-UK in furtherance of their respective cybersecurity missions, including their responsibilities to develop and issue cybersecurity specifications and mitigations.



VERSION HISTORY


August 3, 2023: Initial version.


APPENDIX: PATCH INFORMATION AND ADDITIONAL RESOURCES FOR TOP EXPLOITED VULNERABILITIES

















































CVE



Vendor



Affected Products and Versions



Patch Information



Resources



https://nvd.nist.gov/vuln/detail/CVE-2017-0199" title="CVE-2017-0199">CVE-2017-0199



Microsoft



Multiple Products



https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-0199" title="Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows">Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows


 

https://nvd.nist.gov/vuln/detail/CVE-2017-11882" title="CVE-2017-11882">CVE-2017-11882



Microsoft



Office, Multiple Versions



https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882" title="Microsoft Office Memory Corruption Vulnerability">Microsoft Office Memory Corruption Vulnerability, CVE-2017-11882


 

https://nvd.nist.gov/vuln/detail/CVE-2018-13379" title="CVE-2018-13379">CVE-2018-13379



Fortinet



FortiOS and FortiProxy 2.0.2, 2.0.1, 2.0.0, 1.2.8, 1.2.7, 1.2.6, 1.2.5, 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.6



https://www.fortiguard.com/psirt/FG-IR-20-233" title="FortiProxy - system file leak through SSL VPN special crafted HTTP resource requests">FortiProxy - system file leak through SSL VPN special crafted HTTP resource requests



Joint CSAs:


https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-321a" title="Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities">Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities


https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-047a" title="Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology">Russian State-Sponsored Cyber Actors Target Cleared Defense Contractor Networks to Obtain Sensitive U.S. Defense Information and Technology


https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a" title="APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations">APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations



CVE-2019-11510 (https://nvd.nist.gov/vuln/detail/CVE-2019-11510)
Vendor: Ivanti
Product: Pulse Secure Pulse Connect Secure versions 9.0R1 to 9.0R3.3, 8.3R1 to 8.3R7, and 8.2R1 to 8.2R12
Patch information: SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX (https://forums.ivanti.com/s/article/SA44101?language=en_US)
Resources:
  CISA Alerts:
    Continued Exploitation of Pulse Secure VPN Vulnerability (https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-010a)
    Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity (https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a)
  ACSC Advisory:
    2019-129: Recommendations to mitigate vulnerability in Pulse Connect Secure VPN Software (https://www.cyber.gov.au/about-us/advisories/2019-129-recommendations-mitigate-vulnerability-pulse-connect-secure-vpn-software)
  Joint CSA:
    APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations (https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a)
  CCCS Alert:
    APT Actors Target U.S. and Allied Networks - Update 1 (https://www.cyber.gc.ca/en/alerts/apt-actors-target-us-and-allied-networks-nsacisafbi)

CVE-2019-0708 (https://nvd.nist.gov/vuln/detail/CVE-2019-0708)
Vendor: Microsoft
Product: Remote Desktop Services
Patch information: Remote Desktop Services Remote Code Execution Vulnerability (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0708)

CVE-2019-19781 (https://nvd.nist.gov/vuln/detail/CVE-2019-19781)
Vendor: Citrix
Product:
  ADC and Gateway version 13.0 all supported builds before 13.0.47.24
  NetScaler ADC and NetScaler Gateway, version 12.1 all supported builds before 12.1.55.18; version 12.0 all supported builds before 12.0.63.13; version 11.1 all supported builds before 11.1.63.15; version 10.5 all supported builds before 10.5.70.12
  SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO all supported software release builds before 10.2.6b and 11.0.3b
Patch information: CVE-2019-19781 - Vulnerability in Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance (https://support.citrix.com/article/CTX267027/cve201919781-vulnerability-in-citrix-application-delivery-controller-citrix-gateway-and-citrix-sdwan-wanop-appliance)
Resources:
  Joint CSAs:
    APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations (https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a)
    Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity (https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-258a)
  CCCS Alert:
    Detecting Compromises relating to Citrix CVE-2019-19781 (https://www.cyber.gc.ca/en/alerts/detecting-compromises-relating-citrix-cve-2019-19781-0)

CVE-2020-5902 (https://nvd.nist.gov/vuln/detail/CVE-2020-5902)
Vendor: F5
Product: BIG-IP versions 15.1.0, 15.0.0 to 15.0.1, 14.1.0 to 14.1.2, 13.1.0 to 13.1.3, 12.1.0 to 12.1.5, and 11.6.1 to 11.6.5
Patch information: K52145254: TMUI RCE vulnerability CVE-2020-5902 (https://my.f5.com/manage/s/article/K52145254)
Resources:
  CISA Alert:
    Threat Actor Exploitation of F5 BIG-IP CVE-2020-5902 (https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-206a)
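The Citrix and F5 rows above state affected versions in two different shapes: Citrix gives a branch plus the first fixed build ("13.0 all supported builds before 13.0.47.24"), F5 gives inclusive branch ranges ("15.0.0 to 15.0.1") with the fixed point releases left to the K52145254 article. The following is an added example, not code from the advisory, Citrix or F5, that turns both shapes into a check over a host inventory. The numeric branches and fixed builds are transcribed from the two rows; the product labels, hostnames and inventory versions are constructed sample data. The SD-WAN WANOP builds (10.2.6b, 11.0.3b) carry a letter suffix and are deliberately rejected rather than compared as if the letter were not there.

```python
"""Affected-version check built from the CVE-2019-19781 and CVE-2020-5902 rows.

Added example; rules are transcribed from the advisory table, inventory data
is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'13.0.47.24' -> (13, 0, 47, 24). Lettered builds such as '10.2.6b' are
    rejected: a digits-only parse would silently drop the suffix and then
    compare the wrong build."""
    if re.search(r"[A-Za-z]", text):
        raise ValueError(f"unsupported version format: {text!r}")
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


@dataclass(frozen=True)
class Rule:
    cve: str
    product: str                        # constructed label used to match inventory
    low: Version                        # first affected branch/version (inclusive)
    high: Version                       # last affected branch/version (inclusive)
    fixed_in: Optional[Version] = None  # first fixed build, when the table states one


def in_branch_range(v: Version, low: Version, high: Version) -> bool:
    """Range test at the granularity of the endpoints, zero-padding short
    versions: with low=(15,0,0), high=(15,0,1), 15.0.1.3 is in, 15.0.2 is out."""
    n = max(len(low), len(high))
    prefix = (v + (0,) * n)[:n]
    return low <= prefix <= high


def classify(v: Version, rule: Rule) -> str:
    """One of 'affected', 'affected-per-table-range', 'not-affected'."""
    if not in_branch_range(v, rule.low, rule.high):
        return "not-affected"
    if rule.fixed_in is not None:
        # Citrix-style row: the table names the first fixed build.
        return "affected" if v < rule.fixed_in else "not-affected"
    # F5-style row: only a branch range is given. A point release that already
    # carries the vendor fix still falls inside it, so the verdict is flagged
    # for confirmation against the vendor article rather than asserted.
    return "affected-per-table-range"


SEVERITY = {"not-affected": 0, "affected-per-table-range": 1, "affected": 2}


def check_host(product: str, version_text: str, rules: List[Rule]) -> Dict[str, str]:
    """Worst verdict per CVE for one host; empty when no rule covers the product."""
    v = parse_version(version_text)
    verdict: Dict[str, str] = {}
    for r in rules:
        if r.product != product:
            continue
        status = classify(v, r)
        current = verdict.get(r.cve)
        if current is None or SEVERITY[status] > SEVERITY[current]:
            verdict[r.cve] = status
    return verdict


def check_inventory(inventory: List[Tuple[str, str, str]], rules: List[Rule]) -> Dict[str, Dict[str, str]]:
    return {host: check_host(product, ver, rules) for host, product, ver in inventory}


RULES = [
    # CVE-2019-19781, Citrix ADC and Gateway: "all supported builds before <build>".
    Rule("CVE-2019-19781", "Citrix ADC/Gateway", (13, 0), (13, 0), fixed_in=(13, 0, 47, 24)),
    Rule("CVE-2019-19781", "Citrix ADC/Gateway", (12, 1), (12, 1), fixed_in=(12, 1, 55, 18)),
    Rule("CVE-2019-19781", "Citrix ADC/Gateway", (12, 0), (12, 0), fixed_in=(12, 0, 63, 13)),
    Rule("CVE-2019-19781", "Citrix ADC/Gateway", (11, 1), (11, 1), fixed_in=(11, 1, 63, 15)),
    Rule("CVE-2019-19781", "Citrix ADC/Gateway", (10, 5), (10, 5), fixed_in=(10, 5, 70, 12)),
    # CVE-2020-5902, F5 BIG-IP: inclusive branch ranges, fixed builds in K52145254.
    Rule("CVE-2020-5902", "F5 BIG-IP", (15, 1, 0), (15, 1, 0)),
    Rule("CVE-2020-5902", "F5 BIG-IP", (15, 0, 0), (15, 0, 1)),
    Rule("CVE-2020-5902", "F5 BIG-IP", (14, 1, 0), (14, 1, 2)),
    Rule("CVE-2020-5902", "F5 BIG-IP", (13, 1, 0), (13, 1, 3)),
    Rule("CVE-2020-5902", "F5 BIG-IP", (12, 1, 0), (12, 1, 5)),
    Rule("CVE-2020-5902", "F5 BIG-IP", (11, 6, 1), (11, 6, 5)),
]

INVENTORY = [  # constructed sample hosts
    ("gw-01", "Citrix ADC/Gateway", "13.0.47.22"),
    ("gw-02", "Citrix ADC/Gateway", "13.0.47.24"),
    ("gw-03", "Citrix ADC/Gateway", "10.5.70.8"),
    ("lb-01", "F5 BIG-IP", "15.0.1.3"),
    ("lb-02", "F5 BIG-IP", "16.0.0"),
]

if __name__ == "__main__":
    for host, verdicts in check_inventory(INVENTORY, RULES).items():
        print(f"{host:6} {verdicts or 'no rule for this product'}")
```

Run as a script it prints one verdict line per host. The split between "affected" and "affected-per-table-range" is the practical point: a table-level range check is a triage filter, not a final answer, and anything it flags on the F5 branch still has to be resolved against the fixed builds in the vendor article.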



CVE-2020-1472 (https://nvd.nist.gov/vuln/detail/CVE-2020-1472)
Vendor: Microsoft
Product: Windows Server, Multiple Versions
Patch information: Microsoft Security Update Guide: Netlogon Elevation of Privilege Vulnerability, CVE-2020-1472 (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472)
Resources:
  ACSC Advisory:
    Advisory 2020-016: "Zerologon" - Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472) (https://www.cyber.gov.au/about-us/advisories/advisory-2020-016-zerologon-netlogon-elevation-privilege-vulnerability-cve-2020-1472)
  Joint CSA:
    APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations (https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-283a)
  CCCS Alert:
    Microsoft Netlogon Elevation of Privilege Vulnerability - CVE-2020-1472 - Update 1 (https://www.cyber.gc.ca/en/alerts/microsoft-netlogon-elevation-privilege-vulnerability-cve-2020-1472)

CVE-2020-14882 (https://nvd.nist.gov/vuln/detail/CVE-2020-14882)
Vendor:
O

Let's not argue. Let's network!