Vulnerabilities

Top 30 most exploited software vulnerabilities being used today

October 12, 2021 by Kurt Ellzey

For all the zero-days, custom-crafted malware and other completely unknown security vulnerabilities, others have been around for years and are widely used across the board. To showcase this, the FBI (United States Federal Bureau of Investigation), CISA (United States Cybersecurity and Infrastructure Security Agency), ACSC (Australian Cyber Security Centre) and NCSC (United Kingdom National Cyber Security Centre) issued a Joint Cybersecurity Advisory. In this Advisory, they broke down the top 30 vulnerabilities used in 2020 and 2021.

Many of these vulnerabilities have been around for years, despite the manufacturer’s and developers’ best efforts. As shown by the “PrintNightmare” vulnerability in Microsoft’s Print Spooler, for example, just because something is known does not mean that it is easily eliminated.

Accellion

NVD & MITRE Details Vendor & Product Vulnerability Type Patch Availability
CVE-2021-27101 (NVD & MITRE) Accellion, FTA SQL Injection Requires Version Upgrade
CVE-2021-27102 (NVD & MITRE) Accellion, FTA OS Command Execution Requires Version Upgrade
CVE-2021-27103 (NVD & MITRE) Accellion, FTA Server Side Request Forgery (SSRF) Requires Version Upgrade
CVE-2021-27104 (NVD & MITRE) Accellion, FTA OS Command Execution Requires Version Upgrade

It’s very important to remember while going down this list that every vulnerability in this article is either considered “critical” at some point, and they all have been used extensively. Therefore the major takeaway from all of this is that if you’re using a product listed here, make sure you’re patched immediately.

The FTA server mentioned here is primarily used for transferring very large files. The program itself has been updated over 20 years and has been in sunset status since 2018. It is now considered End-of-Life as of April 30, 2021, with their Kiteworks software taking over. All of the four mentioned vulnerabilities were announced in the same package, each a different vulnerability type.

Qualys was one of the higher-profile organizations to be impacted by this vulnerability, with an FTA server in their DMZ compromised. Their account of the events and what took place, as told by their CISO Ben Carr, can be found here.

Atlassian

NVD & MITRE Details Vendor & Product Vulnerability Type Patch Availability
CVE-2019-3396 (NVD & MITRE) Atlassian, Confluence Server and Data Center Widget Connector Server-Side Template Injection Patch Available
CVE-2019-11580 (NVD & MITRE) Atlassian, Crowd and Crowd Data Center Remote Code Execution (RCE) Patch Available

Confluence server is a wiki-style collaboration environment. By leveraging a “widget connector macro” in a vulnerable version of the software, malicious users would be able to explore directories on the server, deploy templates and achieve remote code execution.

This particular vulnerability has been used to deploy both cryptocurrency mining software and ransomware.

Crowd and Crowd Data Center are both identity management systems — providing single-sign-on services, which can assist with authentication across multiple platforms through a central provider. The production versions of these programs had a development plugin known as pdkinstall enabled incorrectly by default. Through this vulnerability, malicious users could install their plugins, creating the remote code execution scenario.

Security researcher Corben Leo has a full walkthrough available on their site on how they exploited this vulnerability here.

Citrix

NVD & MITRE Details Vendor & Product Vulnerability Type Patch Availability
CVE-2019-19781 (NVD & MITRE) Citrix, Netscaler Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliance Remote Code Execution (RCE) and Full System Compromise Patch Available

During the COVID-19 pandemic, the shift to remote work was swift and in many cases, unplanned. This meant that many organizations were deploying potentially untested remote access systems in an incompletely configured state. As such, this vulnerability was the most exploited flaw in 2020.

Researchers at Carnegie Mellon University were able to show that the software did not restrict access to a particular section of scripts in a directory called “vpns”’ which was made accessible via directory traversal. Once they were in this directory, they could perform remote code execution of their designs.

Drupal

NVD & MITRE Details Vendor& Product Vulnerability Type Patch Availability
CVE-2018-7600 (NVD & MITRE) Drupal, Core Remote Code Execution (RCE) Patch Available

Drupal is used by many as a content management system (CMS) for websites and wikis. The vulnerability involves the way that Drupal requests parameters. According to Tenable, malicious users can use this to deploy payloads to the system without input sterilization because it accepts parameters in arrays.

It is potentially possible to exploit both the application and the Host OS. Despite the severity of the issue, there are still many unpatched systems, even though patches have been available since mid-2018.

F5

NVD & MITRE Details Vendor & Product Vulnerability Type Patch Availability
CVE-2020-5902 (NVD & MITRE) F5, BIG-IP Traffic Management User Interface (TMUI) Remote Code Execution (RCE) Requires Version Upgrade

BIG-IP provides load balancing, firewall functions and DNS services. Through this vulnerability, malicious users would be able to access configuration functions of the applications, along with running code of their choosing.

Like many other configuration utilities, however, allowing access to upper-level controls only from particular IPs provides a quick workaround. At the same time, permanent fixes are enabled — this particular takeaway is very important across multiple vendors.

Fortinet

NVD & MITRE Details Vendor & Product Vulnerability Type Patch Availability
CVE-2018-13379 (NVD & MITRE) Fortinet, Secure Socket Layer (SSL) VPN Directory Traversal Patch Available
CVE-2019-5591 (NVD & MITRE) Fortinet, Secure Socket Layer (SSL) VPN Server Impersonation Solution Available
CVE-2020-12812 (NVD & MITRE) Fortinet, Secure Socket Layer (SSL) VPN 2FA Bypass Requires Version Upgrade

For similar reasons as those reported above with Citrix, Fortinet’s SSL VPN offerings exploded in use during 2020 — making it a very tempting target for attackers. All three of these issues revolve around that Remote Access offering, each with a very different effect.

The 2018 vulnerability permitted malicious users to move to directories containing system files from the FortiOS web portal but not necessarily upload their own. While that may not necessarily sound as bad as some other vulnerabilities, according to the researchers credited with the discovery, Devcore’s Orange Tsai and Meh Chang, it permits “pre-auth arbitrary file reading,” or more specifically- they could potentially read password databases and other sensitive data.

The 2019 vulnerability could allow users on the same local subnet to impersonate the LDAP authentication server and potentially obtain sensitive data. James Renken of the Internet Security and Research Group, who was one of the discoverers of this vulnerability, reiterated how quickly access could spread through stolen credentials if used in multiple locations.

The 2020 vulnerability could allow users to bypass 2 Factor Authentication requirements if they changed their username’s case (uppercase/lowercase). If, for example, a malicious user leveraged the 2018 vulnerability to obtain credentials, they could then use this vulnerability to gain full access without requiring a 2FA token.

Microsoft

NVD & MITRE Details Vendor & Product Vulnerability Type Patch Availability
CVE-2017-11882 (NVD & MITRE) Microsoft, Office Remote Code Execution (RCE) Patch Available
CVE-2019-0604 (NVD & MITRE) Microsoft, Sharepoint Remote Code Execution (RCE) Patch Available
CVE-2020-0688 (NVD & MITRE) Microsoft, Exchange Remote Code Execution (RCE) Patch Available
CVE-2020-0787 (NVD & MITRE) Microsoft, Background Intelligent Transfer Service (BITS) Privilege Elevation Patch Available
CVE-2020-1472 (NVD & MITRE) Microsoft, Netlogon Privilege Elevation Patch Available
CVE-2021-26855 (NVD & MITRE) Microsoft, Exchange Remote Code Execution (RCE) Patch Available
CVE-2021-26857 (NVD & MITRE) Microsoft, Exchange Remote Code Execution (RCE) Patch Available
CVE-2021-26858 (NVD & MITRE) Microsoft, Exchange Remote Code Execution (RCE) Patch Available
CVE-2021-27065 (NVD & MITRE) Microsoft, Exchange Remote Code Execution (RCE) Patch Available

Microsoft’s Windows Operating Systems, Office productivity software, Sharepoint Content Management System and Exchange Email server products power many enterprises. The 2017 Office vulnerability allows a malicious user to distribute a file to a legitimate user, which is then opened in the Office suite programs or the standalone Wordpad application. Once the user opens the file, whatever code the malicious user wishes will run with the logged-on user’s permissions.  This is very similar in concept to the 2019 Sharepoint vulnerability, where code could be run as the credentials of the Sharepoint app pool and server farm accounts.

The Background Intelligent Transfer Service (BITS) powers a great deal of the updating functionality for Windows. Using this vulnerability, a malicious user who already has access to the system could elevate their permissions to control the entire local computer.

Netlogon allows for authentication of users and computers that are members of Microsoft’s Active Directory Domain structure. Exploiting the vulnerability could allow someone to impersonate a Domain Controller and potentially acquire Domain Administrator privileges.

The 2020 Exchange vulnerability is caused by an Exchange Control Panel web app issue in Exchange 2019. The problem revolves around cryptographic keys, specifically that it doesn’t make a new key at install time. If a malicious user has access to the default keys, they can cause Exchange to decrypt their data. This can create a Remote Code Execution as SYSTEM- the highest permission level on the server.

The 2021 Exchange vulnerabilities, on the other hand, are part of an attack chain. According to a blog post from Microsoft Corporate Vice President of Customer Security and Trust Tom Burt, the attack contains three steps: “First, it would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who would have access. Second, it would create what’s called a web shell to control the compromised server remotely. Third, it would use that remote access- run from the U.S.-based private servers — to steal data from an organization’s network.”

MobileIron

NVD & MITRE Details Vendor & Product Vulnerability Type Patch Availability
CVE-2020-15505 (NVD & MITRE) MobileIron, Core & Connector, Sentry, Monitor and Reporting Database (RDB) Remote Code Execution (RCE) Patch Available

MobileIron provides many services dealing with Mobile Device Management. Again, Devcore’s Orange Tsai discovered a vulnerability in the MobileIron Core product that could allow a malicious user to execute their code without authentication. After confirming the vulnerability, MobileIron expanded its review and discovered several other products that also had this issue.

Pulse Secure

NVD & MITRE Details Vendor & Product Vulnerability Type Patch Availability
CVE-2019-11510 (NVD & MITRE) Pulse Secure, Connect Secure and Policy Secure Arbitrary File Access Patch Available
CVE-2021-22893 (NVD & MITRE) Pulse, Connect Secure Remote Code Execution (RCE) Patch Available
CVE-2021-22894 (NVD & MITRE) Pulse, Connect Secure Remote Code Execution (RCE) Patch Available
CVE-2021-22899 (NVD & MITRE) Pulse, Connect Secure Remote Code Execution (RCE) Patch Available
CVE-2021-22900 (NVD & MITRE) Pulse, Connect Secure Remote Code Execution (RCE) Patch Available

Pulse Secure’s Connect Secure is a form of SSL VPN, as we’ve seen multiple times already on this list. The 2019 vulnerability could allow an unauthenticated user to read files traveling across the VPN, gain access to plain text credentials, and execute commands on clients as they connect to the VPN server.

The 2021 vulnerabilities potentially allow for unauthenticated users to run their code on the VPN Gateway itself with root-level access.

Telerik

NVD & MITRE Details Vendor & Product Vulnerability Type Patch Availability
CVE-2019-18935 (NVD & MITRE) Telerik, User Interface (UI) for ASP.NET AJAX Remote Code Execution (RCE) Patch Available

Telerik’s UI for ASP.NET AJAX allows for the rapid creation and deployment of web forms. This vulnerability is similar in concept to the Exchange decryption vulnerability. If the malicious user can access the encryption keys, either through another vulnerability or via other means, they can run their code on the server.

VMWare

NVD & MITRE Details Vendor & Product Vulnerability Type Patch Availability
CVE-2021-21985 (NVD & MITRE) VMWare, vSphere Remote Code Execution (RCE) Workaround and Version Upgrades Available
CVE-2021-21986 (NVD & MITRE) VMWare, vSphere Authentication Bypass Workaround and Version Upgrades Available

VMWare allows for the running of Virtual Machines on top of Host Operating Systems, with vSphere being their primary management interface. The first vulnerability is due to input validation not being present on a plugin enabled by default. Because of this, a user can run their code on the Host OS.  The second vulnerability also deals with plugins, but differently — it would allow the user to perform whatever actions the affected plugins could normally do, but without authentication.

Protect yourself against the most common malware

Developers are not omniscient- they can’t see every angle all the time. This means that we may very well end up with vulnerable pieces of software in our production environments.  While we might not be able to deploy every fix the second it is released — waiting for patches to fix the issues introduced by the patch — we still want to be aware of possible workarounds that we can deploy in the meantime. VMWare, for example, could allow for turning off plugins as a temporary measure until the permanent update was available. Some companies will let their customers know about possible threats like this, while others may require additional homework or awareness. Therefore we all need to be aware of what is going on in the Information Security space to know if there is something in the works that can impact us for good or ill.

 

Sources

Posted: October 12, 2021
Articles Author
Kurt Ellzey
View Profile

Kurt Ellzey has worked in IT for the past 12 years, with a specialization in Information Security. During that time, he has covered a broad swath of IT tasks from system administration to application development and beyond. He has contributed to a book published in 2013 entitled "Security 3.0" which is currently available on Amazon and other retailers.

Leave a Reply

Your email address will not be published. Required fields are marked *