Top Routinely Exploited Vulnerabilities (AA21-209A)

Background

Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide. However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.

In 2020, cyber actors readily exploited recently disclosed vulnerabilities to compromise unpatched systems. Based on data available to the U.S. Government, a majority of the top vulnerabilities targeted in 2020 were disclosed during the past two years.

This advisory provides details on the top 30 vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021.

Cyber actor exploitation of more recently disclosed software flaws in 2020 probably stems, in part, from the expansion of remote work options amid the COVID-19 pandemic. Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies. Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organizations to conduct rigorous patch management. The rapid shift to and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching.

CISA, ACSC, the NCSC, and FBI consider the vulnerabilities listed in the below table to be the topmost regularly exploited CVEs by cyber actors during 2020.

Top Routinely Exploited CVEs in 2020

Vendor                 CVE              Type
Citrix                 CVE-2019-19781   arbitrary code execution
Pulse                  CVE-2019-11510   arbitrary file reading
Fortinet               CVE-2018-13379   path traversal
F5 BIG-IP              CVE-2020-5902    remote code execution (RCE)
MobileIron             CVE-2020-15505   remote code execution (RCE)
Microsoft              CVE-2017-11882   remote code execution (RCE)
Atlassian              CVE-2019-11580   remote code execution (RCE)
Drupal                 CVE-2018-7600    remote code execution (RCE)
Telerik                CVE-2019-18935   remote code execution (RCE)
Microsoft              CVE-2019-0604    remote code execution (RCE)
Microsoft              CVE-2020-0787    elevation of privilege
Microsoft (Netlogon)   CVE-2020-1472    elevation of privilege

In 2021, malicious cyber actors continued to target vulnerabilities in perimeter-type devices. Among those highly exploited in 2021 are vulnerabilities in Microsoft, Pulse, Accellion, VMware, and Fortinet.

Technical Details

2020 CVEs

CISA, ACSC, the NCSC, and FBI have identified the following as the topmost exploited vulnerabilities by malicious cyber actors in 2020:

CVE-2019-19781    CVE-2019-3396
CVE-2019-11510    CVE-2017-11882
CVE-2018-13379    CVE-2019-11580
CVE-2020-5902     CVE-2018-7600
CVE-2020-15505    CVE-2019-18935
CVE-2020-0688     CVE-2019-0604
CVE-2020-1472     CVE-2020-0787

Among these vulnerabilities:

  • CVE-2019-19781: This was the most exploited flaw in 2020. CVE-2019-19781 is a critical vulnerability, disclosed in December 2019, in Citrix’s Application Delivery Controller (ADC), a load balancing application for web, application, and database servers widely used throughout the United States.

  • CVE-2019-11510: This vulnerability in Pulse Connect Secure VPN was also frequently targeted by nation-state APTs. Actors can exploit it to steal the unencrypted credentials for all users on a compromised Pulse VPN server and can retain unauthorized access after the system is patched unless all compromised credentials are changed.

Unremediated instances of CVE-2019-19781 and CVE-2019-11510 continued to be exploited throughout the year by nation-state advanced persistent threat actors (APTs) who leveraged these and other vulnerabilities, such as CVE-2018-13379, in VPN services to compromise an array of organizations, including those involved in COVID-19 vaccine development.

2021 CVEs

In 2021, cyber actors continued to target vulnerabilities in perimeter-type devices. In addition to the 2020 CVEs listed above, organizations should prioritize patching for the following CVEs known to be exploited.

Product/Manufacturer   CVEs
Microsoft Exchange     CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065
Pulse Secure           CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900
Accellion              CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
VMware                 CVE-2021-21985
Fortinet               CVE-2018-13379, CVE-2020-12812, CVE-2019-5591

Mitigations

One of the most effective best practices to mitigate many vulnerabilities is to update software versions once patches are available and as soon as is practicable. If this is not possible, consider applying temporary workarounds or other mitigations, if provided by the vendor. If an organization is unable to update all software shortly after a patch is released, prioritize implementing patches for CVEs that are already known to be exploited or that would be accessible to the largest number of potential attackers (such as internet-facing systems). This advisory highlights vulnerabilities that should be considered as part of the prioritization process. To further assist remediation, automatic software updates should be enabled whenever possible.

CVE-2019-19781

Citrix Netscaler Directory Traversal

Vulnerability Description
Citrix NetScaler Application Delivery Controller (ADC) is vulnerable to RCE and full system compromise because inadequate access controls allow directory traversal.
Recommended Mitigations
1) Implement the appropriate refresh build according to the vulnerability details outlined by the vendor (Citrix: Mitigation Steps for CVE-2019-19781).
2) If possible, only allow the VPN to communicate with known Internet Protocol (IP) addresses (allow-list).

https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/

CVE-2019-11510

Pulse Connect Secure VPN

Vulnerability Description
Pulse Connect Secure is vulnerable to unauthenticated arbitrary file disclosure. An attacker can exploit this vulnerability to gain access to administrative credentials.
Recommended Mitigations
1) Upgrade to the latest Pulse Secure VPN.
2) Stay alert to any scheduled tasks or unknown files/executables.
3) Create detection/protection mechanisms that respond to directory traversal (/../../../) attempts to read local system files.

https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101

CVE-2018-13379

Fortinet FortiOS Secure Sockets Layer VPN

Vulnerability Description
Fortinet Secure Sockets Layer (SSL) VPN is vulnerable to unauthenticated directory traversal, which allows attackers to gain access to the sslvpn_websession file. An attacker is then able to extract clear-text usernames and passwords.
Recommended Mitigations
1) Upgrade to the latest Fortinet SSL VPN.
2) Monitor for alerts on any unscheduled tasks or unknown files/executables.
3) Create detection/protection mechanisms that respond to directory traversal (/../../../) attempts to read the sslvpn_websession file.

https://www.fortiguard.com/psirt/FG-IR-18-384
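
Item 3 in both the Pulse Connect Secure and the Fortinet entries above calls for a detection mechanism that responds to directory traversal attempts against local files. The following is an added example, not code from the advisory or from either vendor, of that check run over web-server access-log lines: it normalizes the request target (repeated percent-decoding to catch double encoding, backslash folding, slash collapsing), flags dot-dot segments that sit at a path boundary, and raises the severity when the decoded target names sslvpn_websession or a local system file. The log lines are constructed for the example, and the endpoints in them are placeholders rather than either product's real paths.

```python
import re
from urllib.parse import unquote

# Files the advisories above describe as the goal of the traversal reads
# (sslvpn_websession on FortiOS) plus local system files generally.
# Extend this tuple for your own environment.
SENSITIVE_TARGETS = ("sslvpn_websession", "/etc/passwd", "/etc/shadow")

# A dot-dot segment that is not part of a longer token such as "a..b" or
# "file...txt" and is followed by a separator or the end of the target.
# Backslashes are folded into slashes before this pattern is applied.
TRAVERSAL_RE = re.compile(r"(?<![A-Za-z0-9.])\.\.(?=/|$)")

# Common Log Format access line: client, identity, user, timestamp,
# request line, status, response size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$'
)

# Constructed sample lines (not captured traffic). They cover a plain
# traversal, a percent-encoded one, a double-encoded one, a backslash
# variant, and two benign requests, one of which contains ".." legitimately.
SAMPLE_LOG = r"""
203.0.113.7 - - [10/Jan/2021:12:00:01 +0000] "GET /remote/login HTTP/1.1" 200 512
203.0.113.8 - - [10/Jan/2021:12:00:02 +0000] "GET /remote/lang?file=../../../../sslvpn_websession HTTP/1.1" 200 4096
203.0.113.9 - - [10/Jan/2021:12:00:03 +0000] "GET /portal/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 1811
203.0.113.9 - - [10/Jan/2021:12:00:04 +0000] "GET /portal/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 403 199
203.0.113.10 - - [10/Jan/2021:12:00:05 +0000] "GET /files/..\..\..\windows\win.ini HTTP/1.1" 404 162
203.0.113.11 - - [10/Jan/2021:12:00:06 +0000] "GET /search?q=a..b HTTP/1.1" 200 2048
"""


def normalize(target: str) -> str:
    """Percent-decode until stable (bounded, so double encoding is unwrapped),
    fold backslashes to slashes and collapse slash runs so /..//../ and
    %2e%2e%5c are seen for what they are."""
    cur, prev = target, None
    for _ in range(3):              # three rounds cover double encoding
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    cur = cur.replace("\\", "/")
    return re.sub(r"/{2,}", "/", cur)


def classify(line: str):
    """Return an alert dict for a traversal attempt, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = normalize(m.group("target"))
    traversal = TRAVERSAL_RE.search(target) is not None
    sensitive = next((t for t in SENSITIVE_TARGETS if t in target), None)
    if traversal and sensitive:
        severity = "high"      # traversal aimed at a credential or system file
    elif traversal:
        severity = "medium"    # traversal, target not on the watch list
    elif sensitive:
        severity = "low"       # sensitive name without traversal: worth a look
    else:
        return None
    return {
        "ip": m.group("ip"),
        "severity": severity,
        "status": int(m.group("status")),
        "target": target,
        "sensitive": sensitive,
    }


def scan(log_text: str) -> list:
    """Classify every line; blank and non-matching lines are skipped."""
    return [a for a in (classify(line) for line in log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['severity']:<6} {alert['ip']:<14} {alert['status']} {alert['target']}")
```

The decoded target, not the raw one, is what gets matched, which is the point of the normalization step: a signature on the literal string `../` misses `%2e%2e/`, `%252e%252e/` and `..\`. The HTTP status is kept in the alert because a 200 on a high-severity line means the read likely succeeded and the credentials in that file should be treated as exposed.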

CVE-2020-5902

F5 BIG-IP Traffic Management User Interface

Vulnerability Description
The Traffic Management User Interface (TMUI), also referred to as the Configuration Utility, has an RCE vulnerability in undisclosed pages.
Recommended Mitigations
Download and install a fixed software version from a vendor-approved resource. If it is not possible to update quickly, restrict access via the following actions.

1) Address unauthenticated and authenticated attackers on self IPs by blocking all access.
2) Address unauthenticated attackers on the management interface by restricting access.

https://support.f5.com/csp/article/K52145254

CVE-2020-15505

MobileIron Core & Connector

Vulnerability Description
MobileIron Core & Connector, Sentry, and Monitoring and Reporting Database (RDB) software are vulnerable to RCE via unspecified vectors.
Recommended Mitigations
Download and install a fixed software version from a vendor-approved resource.

https://www.ivanti.com/blog/mobileiron-security-updates-available

CVE-2020-0688

Microsoft Exchange Memory Corruption

Vulnerability Description
An RCE vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.
Recommended Mitigations
Download and install a fixed software version from a vendor-approved resource.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688

CVE-2017-11882

Microsoft Office Memory Corruption

Vulnerability Description
Microsoft Office is vulnerable to RCE when it fails to properly handle objects in memory. An attacker who convinces a user to open a crafted Office file can run arbitrary code in the context of that user.
Recommended Mitigations
Download and install a fixed software version from a vendor-approved resource.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882

CVE-2019-3396

Atlassian Confluence Server-Side Template Injection

Vulnerability Description
Atlassian Confluence Server and Data Center Widget Connector is vulnerable to a server-side template injection attack.
Recommended Mitigations
Download and install a fixed software version from a vendor-approved resource.

CVE-2019-11580

Atlassian Crowd and Crowd Data Center Remote Code Execution

Vulnerability Description
Atlassian Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds.
Recommended Mitigations
1) Manually check your software version to see if it is susceptible to this vulnerability.
2) CVE-2019-11580 is commonly exploited to install web shell malware. NSA provides guidance on detecting and preventing web shell malware at https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF and signatures at https://github.com/nsacyber/Mitigating-Web-Shells

https://confluence.atlassian.com/crowd/crowd-security-advisory-2019-05-22-970260700.html

CVE-2018-7600

Drupal Core Multiple Remote Code Execution

Vulnerability Description
Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allow remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
Recommended Mitigations
Upgrade to the most recent version of Drupal 7 or 8 core. If running 7.x, upgrade to Drupal 7.58. If running 8.3.x, upgrade to Drupal 8.3.9; if running 8.4.x, upgrade to Drupal 8.4.6; if running 8.5.x, upgrade to Drupal 8.5.1.

https://www.drupal.org/sa-core-2018-002

CVE-2019-18935

Telerik UI for ASP.NET AJAX Insecure Deserialization

Vulnerability Description
Telerik User Interface (UI) for ASP.NET AJAX does not properly filter serialized input for malicious content. Versions prior to R1 2020 (2020.1.114) are susceptible to remote code execution attacks on affected web servers due to a deserialization vulnerability.
Recommended Mitigations
Update to the most recent version of Telerik UI for ASP.NET AJAX (2020.1.114 or later).

https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization
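
The Drupal and Telerik entries above state affected-version ranges, and the Crowd entry tells the reader to check the installed version by hand. The following is an added example, not the advisory's or any vendor's code, that encodes those two ranges as version checks and runs them over a constructed inventory, ordering internet-facing hosts first as the Mitigations section recommends. The product keys, hostnames and versions in the inventory are assumptions for the example; the ranges themselves are the ones given in the two entries.

```python
import re


def parse_version(text: str) -> tuple:
    """'8.5.0' -> (8, 5, 0); '2020.1.114' -> (2020, 1, 114). Tuples compare
    element-wise, so (8, 5) < (8, 5, 1) is True and (7, 58) < (7, 58) is False."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in parts)


def drupal_affected_by_cve_2018_7600(version: str) -> bool:
    """Ranges from the Drupal entry: before 7.58, 8.x before 8.3.9,
    8.4.x before 8.4.6, 8.5.x before 8.5.1."""
    v = parse_version(version)
    if v[0] == 7:
        return v < (7, 58)
    if v[0] == 8:
        if v[:2] == (8, 5):
            return v < (8, 5, 1)
        if v[:2] == (8, 4):
            return v < (8, 4, 6)
        return v < (8, 3, 9)     # 8.3.x, and the older 8.0-8.2 branches
    return False                 # outside the stated ranges; not a claim of safety


def telerik_affected_by_cve_2019_18935(version: str) -> bool:
    """Telerik entry: versions prior to R1 2020 (2020.1.114) are affected."""
    return parse_version(version) < (2020, 1, 114)


# Product key -> affected-version predicate. Keys are this example's own names.
CHECKS = {
    "drupal": drupal_affected_by_cve_2018_7600,
    "telerik-ui-aspnet-ajax": telerik_affected_by_cve_2019_18935,
}

# Constructed inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"host": "www1", "product": "drupal", "version": "7.57", "internet_facing": True},
    {"host": "www2", "product": "drupal", "version": "8.5.1", "internet_facing": True},
    {"host": "intranet", "product": "drupal", "version": "8.2.7", "internet_facing": False},
    {"host": "portal", "product": "telerik-ui-aspnet-ajax", "version": "2019.3.1023", "internet_facing": True},
    {"host": "hr", "product": "telerik-ui-aspnet-ajax", "version": "2020.1.114", "internet_facing": False},
]


def patch_queue(inventory: list) -> list:
    """Hosts whose product/version falls inside a known-exploited range,
    internet-facing hosts first, then by hostname."""
    hits = [a for a in inventory
            if a["product"] in CHECKS and CHECKS[a["product"]](a["version"])]
    hits.sort(key=lambda a: (not a["internet_facing"], a["host"]))
    return [(a["host"], a["product"], a["version"]) for a in hits]


if __name__ == "__main__":
    for host, product, version in patch_queue(SAMPLE_INVENTORY):
        print(f"{host:<10} {product:<24} {version}")
```

Two details matter in practice: a version on an unsupported branch (8.2.7 here) is reported as affected even though no fix exists on that branch, because the remedy is to move to a supported one; and a product outside the encoded ranges returns False, which only means "not covered by this check", so the table of predicates has to be kept current with the advisory.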

CVE-2019-0604

Microsoft SharePoint Remote Code Execution

Vulnerability Description
A vulnerability in an XML deserialization component within Microsoft SharePoint allowed remote attackers to execute arbitrary code on vulnerable Microsoft SharePoint servers.
Recommended Mitigations
1) Upgrade on-premises installations of Microsoft SharePoint to the latest available version (Microsoft SharePoint 2019) and patch level.
2) On-premises Microsoft SharePoint installations that must be reachable by internet-based remote staff should be moved behind an appropriate authentication mechanism such as a VPN, if possible.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0604

CVE-2020-0787

Windows Background Intelligent Transfer Service Elevation of Privilege

Vulnerability Description
The Windows Background Intelligent Transfer Service (BITS) is vulnerable to a privilege elevation vulnerability if it improperly handles symbolic links. An actor can exploit this vulnerability to execute arbitrary code with system-level privileges.
Recommended Mitigations
Apply the security updates for CVE-2020-0787 as recommended in the Microsoft security advisory.

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0787

CVE-2020-1472

Netlogon Elevation of Privilege

Vulnerability Description
The Microsoft Windows Netlogon Remote Protocol (MS-NRPC) reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode, which could allow an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and potentially obtain domain administrator privileges.
Recommended Mitigations
Apply the security updates as recommended in the Microsoft Netlogon security advisory.

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472
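
Why a fixed zero IV is fatal here, as an added example that is not part of the advisory: in MS-NRPC the client proves knowledge of the session key by encrypting an 8-byte challenge with AES-CFB8. In CFB8 each ciphertext byte is shifted into the 16-byte register that feeds the next block encryption, so when the IV is all zeros and the attacker chooses an all-zero challenge, a zero first keystream byte leaves the register at zero for every following byte and the whole credential comes out as zeros. That happens for about 1 in 256 session keys whatever the key is, so an attacker simply retries until it succeeds. The block below implements CFB8 over a stand-in block function (assumption for this example: a SHA-256-based keyed function replaces AES-128 so it runs with only the standard library) and counts such keys for a zero IV against a nonzero one.

```python
import hashlib

BLOCK = 16


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES-128 block encryption (assumption: SHA-256 of
    key||block so the example needs no third-party package). The argument
    only needs the block function to look random in its input; swap in
    AES-128-ECB of a single block to reproduce the real MS-NRPC primitive."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes,
                 block_encrypt=toy_block_encrypt) -> bytes:
    """CFB8 mode: for each plaintext byte, encrypt the 16-byte shift register,
    XOR the first output byte into the plaintext byte, then shift the resulting
    ciphertext byte into the register from the right."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        keystream_byte = block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


def first_keystream_byte_is_zero(key: bytes) -> bool:
    """E_k(0^16)[0] == 0: the single condition the zero-IV attack depends on."""
    return toy_block_encrypt(key, bytes(BLOCK))[0] == 0


def zero_challenge_gives_zero_credential(key: bytes, iv: bytes = bytes(BLOCK)) -> bool:
    """An all-zero 8-byte client challenge encrypts to an all-zero credential.
    With a zero IV this holds exactly when the first keystream byte is zero:
    the zero ciphertext byte shifted into a zero register leaves the register
    unchanged, so every later keystream byte is that same zero byte."""
    return cfb8_encrypt(key, iv, bytes(8)) == bytes(8)


def derive_key(seed: bytes, i: int) -> bytes:
    """Deterministic per-trial session key so the experiment is reproducible."""
    return hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:BLOCK]


def weak_key_count(trials: int, iv: bytes, seed: bytes = b"AA21-209A") -> int:
    """How many of `trials` session keys let a zero challenge authenticate."""
    return sum(
        zero_challenge_gives_zero_credential(derive_key(seed, i), iv)
        for i in range(trials)
    )


if __name__ == "__main__":
    n = 8192
    print("zero IV:   ", weak_key_count(n, bytes(BLOCK)), "weak keys of", n,
          "(about 1 in 256 expected)")
    print("nonzero IV:", weak_key_count(n, bytes(range(1, 17))), "weak keys of", n)
```

With a nonzero IV the first zero ciphertext byte changes the register, so the eight keystream bytes are effectively independent and all eight vanish with probability about 2^-64 rather than 2^-8; the count for the nonzero IV stays at zero. The attacker's retry loop against a real domain controller is this same experiment with the server acting as the oracle, which is why the fix is applying the update rather than any change on the client side.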