The Feds list the 30 most exploited vulnerabilities. Many are years old
Government officials in the US, UK and Australia are calling on public and private organizations to protect their networks by ensuring that firewalls, VPNs and other network perimeter devices are patched against the most widespread exploits.
In a joint advisory published on Wednesday, the US FBI and CISA (Cybersecurity and Infrastructure Security Agency), the Australian Cyber Security Centre and the UK National Cyber Security Centre listed the 30 most frequently exploited vulnerabilities. The vulnerabilities lie in a variety of devices and software sold by Citrix, Pulse Secure, Microsoft, and Fortinet, among others.
“Cyber actors continue to exploit publicly known – and often outdated – software vulnerabilities against broad target groups, including public and private sector organizations around the world,” the advisory says. “However, organizations around the world can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.”
What do I patch?
Four of the most targeted vulnerabilities over the past year have been in VPNs, cloud-based services, and other devices that allow people to remotely access employer networks. Despite the explosion in the number of employees working from home caused by the COVID-19 pandemic, many VPN gateway devices went unpatched in 2020.
The four most commonly exploited vulnerabilities were disclosed between 2018 and 2020, an indication of how often organizations using the affected devices delay applying security patches. The vulnerabilities include CVE-2019-19781, a remote code execution bug in the Citrix Application Delivery Controller (which customers use to load balance incoming application traffic); CVE-2019-11510, which allows attackers to remotely read sensitive files stored on the Pulse Secure Pulse Connect Secure VPN; CVE-2018-13379, a path traversal vulnerability in Fortinet VPNs; and CVE-2020-5902, a code execution vulnerability in F5’s BIG-IP Advanced Delivery Controller.
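Path traversal, the bug class behind the Fortinet entry above, is one of the easier things to look for in the access logs of a perimeter device while a patch is being scheduled. The following Python triage script is an added example, not code from the article or the advisory: it percent-decodes each request target (including double-encoded forms), walks the path and query values segment by segment, and flags requests whose `..` segments climb above the web root. The log lines are constructed; the exact indicator paths for each CVE should be taken from the advisory itself.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in common log format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2021:10:00:01 +0000] "GET /portal/login HTTP/1.1" 200 512
10.0.0.7 - - [01/Aug/2021:10:00:02 +0000] "GET /portal/download?file=../../../../etc/passwd HTTP/1.1" 200 1042
10.0.0.9 - - [01/Aug/2021:10:00:03 +0000] "GET /static/..%2f..%2fconfig HTTP/1.1" 404 0
10.0.0.9 - - [01/Aug/2021:10:00:04 +0000] "GET /static/%252e%252e/%252e%252e/secret HTTP/1.1" 404 0
10.0.0.3 - - [01/Aug/2021:10:00:05 +0000] "GET /docs/a/../b.html HTTP/1.1" 200 300
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def decode_target(target, rounds=3):
    """Percent-decode repeatedly (bounded) so double encoding such as %252e is unmasked,
    then fold backslashes into forward slashes so '..\\' is treated like '../'."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/")

def traversal_depth(target):
    """Return (has_dotdot, min_depth). The path and every query key/value are walked
    separately; min_depth < 0 means some '..' sequence climbed above its root."""
    has_dotdot, min_depth = False, 0
    for part in re.split(r"[?&=]", target):
        depth = 0
        for seg in part.split("/"):
            if seg == "..":
                has_dotdot = True
                depth -= 1
                min_depth = min(min_depth, depth)
            elif seg not in ("", "."):
                depth += 1
    return has_dotdot, min_depth

def triage_log(text):
    """Return (client_ip, decoded_target, verdict) for each request containing '..'."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = decode_target(m.group("target"))
        has_dotdot, min_depth = traversal_depth(decoded)
        if has_dotdot:
            verdict = "escapes-root" if min_depth < 0 else "dotdot-present"
            hits.append((line.split()[0], decoded, verdict))
    return hits

if __name__ == "__main__":
    for ip, target, verdict in triage_log(SAMPLE_LOG):
        print(f"{verdict:15} {ip:10} {target}")
```

A `dotdot-present` hit that stays within the root is usually benign client behaviour; `escapes-root` hits against a VPN portal deserve a look at what the device actually returned.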
The 12 most exploited vulnerabilities are:

| Vendor | CVE | Type |
|---|---|---|
| Citrix | CVE-2019-19781 | Arbitrary code execution |
| Pulse | CVE-2019-11510 | Arbitrary file reading |
| Fortinet | CVE-2018-13379 | Path traversal |
| F5 BIG-IP | CVE-2020-5902 | Remote code execution (RCE) |
| MobileIron | CVE-2020-15505 | RCE |
| Microsoft | CVE-2020-0787 | Elevation of privilege |
| Netlogon | CVE-2020-1472 | Elevation of privilege |
Break through the gate
The vulnerabilities, all of which have received patches from their vendors, provided the initial entry vector for countless serious attacks. According to a US government advisory published in April, hackers working for the Russian government routinely exploited CVE-2018-13379, CVE-2019-11510, and CVE-2019-19781.
In the same month, it was revealed that another group of hackers was also exploiting CVE-2018-13379. In one case, the hackers enabled ransomware operators to take control of two production facilities of a European manufacturer.
Wednesday's advisory went on to say:
CISA, ACSC, NCSC and FBI assess that public and private organizations around the world will remain at risk from the exploitation of these CVEs. Malicious cyber actors will most likely continue to leverage older known vulnerabilities such as CVE-2017-11882 affecting Microsoft Office as long as they remain effective and the systems are not patched. The exploitation of known vulnerabilities by attackers makes attribution more difficult, reduces costs and minimizes risk because they do not invest in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.
The officials also listed 13 vulnerabilities discovered this year that are also being exploited in large numbers. They are:
- Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
- Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
- Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104
- VMware: CVE-2021-21985
The advisory provides technical details on each vulnerability, guidance on how to mitigate the risk, and indicators of exposure to help organizations determine if they are vulnerable or have been hacked. The advisory also includes instructions on how to lock down systems.