The lead cybersecurity and law enforcement agencies of the US, UK, and Australia (CISA and the FBI, the NCSC, and the ACSC) have issued a joint advisory naming the 30 vulnerabilities that threat actors exploited most often in 2020 and the first half of 2021.
Many of the most-targeted vulnerabilities sit in the remote-access and work-from-home infrastructure (VPN appliances and cloud services) that organisations rolled out in a hurry during the COVID-19 pandemic. The advisory notes:
“The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching.”
The depressing finding is that every vulnerability on the list already has a vendor patch available: every one of these compromises was preventable by routine patching.
According to the U.S. government's findings, the most exploited vulnerability in 2020 was CVE-2019-19781, a flaw in Citrix Application Delivery Controller (ADC) and Gateway, formerly NetScaler. It is a directory traversal that leads to arbitrary code execution, rated critical with a score of 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) scale; an attacker who exploits it takes over the affected appliance entirely. It attracted cybercriminals because it is trivial to exploit and because Citrix ADC is deployed extensively worldwide, usually on the internet-facing edge.
Patch your systems!
The agencies urged organizations to patch their vulnerable systems and keep them up to date. It is one of the cheapest and most effective ways to cut the chance of a known vulnerability being exploited and the system behind it compromised.
“In cybersecurity, getting the basics right is often most important. Organizations that apply the best practices of cybersecurity, such as patching, can reduce their risk to cyber actors exploiting known vulnerabilities in their networks,” said Eric Goldstein, CISA Executive Assistant Director for Cybersecurity.
Here are the 12 vulnerabilities the advisory lists as the most routinely exploited in 2020, with links to the vendor fixes.
Take action. Get your systems patched.
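Knowing whether a fleet actually needs one of these patches comes down to comparing the installed version of each product against the first fixed release. As an added illustration, not code from the advisory, from CISA or from the Drupal project, the Go program below encodes the SA-CORE-2018-002 affected ranges exactly as the Drupal row of the table below states them (before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, 8.5.x before 8.5.1) and checks a constructed inventory of version strings against them. The hostnames and versions in the inventory are made up for the example; the range-matching logic is the part worth copying, in particular the refusal to parse odd strings so that an unreadable inventory entry is never silently reported as safe.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Version is a parsed release number. Drupal 7 uses two components ("7.57"),
// Drupal 8 uses three ("8.4.5"); a missing patch component counts as 0.
type Version struct{ Major, Minor, Patch int }

// ParseVersion accepts plain numeric "X.Y" or "X.Y.Z" strings and rejects
// anything else (dev builds, suffixes) so a bad inventory entry is reported
// as unparsable rather than as "not affected".
func ParseVersion(s string) (Version, error) {
	parts := strings.Split(strings.TrimSpace(s), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return Version{}, fmt.Errorf("unsupported version format %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return Version{}, fmt.Errorf("non-numeric component in %q", s)
		}
		n[i] = v
	}
	return Version{n[0], n[1], n[2]}, nil
}

// Less is a plain lexicographic comparison of (major, minor, patch).
func (v Version) Less(w Version) bool {
	if v.Major != w.Major {
		return v.Major < w.Major
	}
	if v.Minor != w.Minor {
		return v.Minor < w.Minor
	}
	return v.Patch < w.Patch
}

// AffectedRange means "every release on this branch older than Fixed".
// Minor == -1 selects the whole major line ("8.x"); otherwise one branch ("8.4.x").
type AffectedRange struct {
	Major, Minor int
	Fixed        Version
}

// Contains reports whether v lies inside the range.
func (r AffectedRange) Contains(v Version) bool {
	if v.Major != r.Major || (r.Minor >= 0 && v.Minor != r.Minor) {
		return false
	}
	return v.Less(r.Fixed)
}

// SACore2018002 is the affected set from the advisory's Drupal row:
// before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, 8.5.x before 8.5.1.
var SACore2018002 = []AffectedRange{
	{7, -1, Version{7, 58, 0}},
	{8, -1, Version{8, 3, 9}},
	{8, 4, Version{8, 4, 6}},
	{8, 5, Version{8, 5, 1}},
}

// IsAffected reports whether an installed version falls inside any listed range.
// A version outside every range (for example an end-of-life 6.x site) is only
// "not listed" here, not shown to be safe.
func IsAffected(ranges []AffectedRange, installed string) (bool, error) {
	v, err := ParseVersion(installed)
	if err != nil {
		return false, err
	}
	for _, r := range ranges {
		if r.Contains(v) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed inventory for the example (hostnames and versions are made up).
	inventory := []struct{ host, version string }{
		{"www1", "7.57"}, {"www2", "8.3.8"}, {"www3", "8.4.6"},
		{"www4", "8.5.0"}, {"www5", "8.6.0"}, {"legacy", "8.x-dev"},
	}
	for _, e := range inventory {
		affected, err := IsAffected(SACore2018002, e.version)
		switch {
		case err != nil:
			fmt.Printf("%-7s %-8s unparsable: %v\n", e.host, e.version, err)
		case affected:
			fmt.Printf("%-7s %-8s AFFECTED: patch to a fixed release\n", e.host, e.version)
		default:
			fmt.Printf("%-7s %-8s not in a listed range\n", e.host, e.version)
		}
	}
}
```

The same shape (a branch prefix plus a first fixed version) fits the other rows of the table once the vendor's fixed builds are filled in; the vendor links are where those numbers come from.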
| Vendor | CVE | Vulnerability | Type | Fix |
|---|---|---|---|---|
| Citrix | CVE-2019-19781 | Citrix Application Delivery Controller (ADC) and Gateway (formerly NetScaler) is vulnerable to RCE and full system compromise: poor access controls allow a directory traversal that reaches scripts no unauthenticated user should be able to run. | Arbitrary code execution | https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/ |
| Pulse Secure | CVE-2019-11510 | Pulse Connect Secure is vulnerable to unauthenticated arbitrary file disclosure. The readable files include the ones holding administrative credentials and active session data. | Arbitrary file read | https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101 |
| Fortinet | CVE-2018-13379 | The FortiOS SSL VPN web portal is vulnerable to unauthenticated path traversal, which exposes the sslvpn_websession file; an attacker can extract clear-text usernames and passwords from it. | Path traversal | https://www.fortiguard.com/psirt/FG-IR-18-384 |
| F5 | CVE-2020-5902 | The BIG-IP Traffic Management User Interface (TMUI), also referred to as the Configuration Utility, has an RCE vulnerability in undisclosed pages. | RCE | https://support.f5.com/csp/article/K52145254 |
| MobileIron | CVE-2020-15505 | MobileIron Core & Connector, Sentry, and Monitoring and Reporting Database (RDB) are vulnerable to RCE via unspecified vectors. | RCE | https://www.ivanti.com/blog/mobileiron-security-updates-available |
| Microsoft | CVE-2020-0688 | An RCE vulnerability exists in Microsoft Exchange Server when the software fails to properly handle objects in memory. | RCE | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0688 |
| Atlassian | CVE-2019-3396 | The Widget Connector in Confluence Server and Data Center is vulnerable to server-side template injection. | RCE | https://us-cert.cisa.gov/ncas/alerts/Patch%20Available |
| Drupal | CVE-2018-7600 | Drupal versions before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allow remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations. | RCE | https://www.drupal.org/sa-core-2018-002 |
| Microsoft | CVE-2017-11882 | Microsoft Office fails to properly handle objects in memory; the resulting memory corruption lets an attacker run arbitrary code in the context of the current user (the “Microsoft Office Memory Corruption Vulnerability”). Actors are still exploiting this four-year-old bug, which the U.S. Government assessed last year as the most frequently targeted: Office is ubiquitous, the flaw is ideal for phishing campaigns, and it gives RCE on the victim's machine. | RCE | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2017-11882 |
| Microsoft | CVE-2019-0604 | A flaw in an XML deserialization component of Microsoft SharePoint allows remote attackers to execute arbitrary code on vulnerable SharePoint servers. | RCE | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2019-0604 |
| Microsoft | CVE-2020-0787 | The Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links, which a local actor can abuse to execute arbitrary code with SYSTEM privileges. The exploit was used in Maze and Egregor ransomware campaigns. | Elevation of privilege | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0787 |
| Microsoft | CVE-2020-1472 | The Windows Netlogon Remote Protocol (MS-NRPC) reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode (“Zerologon”). An unauthenticated attacker can impersonate a domain-joined computer, including a domain controller, and potentially obtain domain administrator privileges. | Elevation of privilege | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472 |
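The Netlogon row is worth seeing in code, because the whole flaw is one property of the cipher mode. The Go program below is an added illustration, not code from the advisory, from Microsoft or from any published exploit, and it does not speak the protocol at all. It implements AES-CFB8 as written out in the standard and shows what the advisory's “static, zero-value IV” means: with the IV fixed at zero, roughly 1 key in 256 encrypts an all-zero 8-byte challenge to an all-zero credential, and whether a key does so depends only on whether the first byte of AES_k(0) is zero, because once the first ciphertext byte is zero the shift register never leaves the zero state. The counter-derived key family stands in for the fresh session keys an attacker would see across repeated attempts and is constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// challengeLen is the size of an MS-NRPC client challenge / credential in bytes.
const challengeLen = 8

// cfb8Encrypt is AES-CFB8 written out (crypto/cipher only ships CFB-128): for
// each plaintext byte, encrypt the 16-byte shift register, XOR its first
// keystream byte into the plaintext byte, then shift the register left one
// byte and append the ciphertext byte. The Netlogon credential computation
// the advisory refers to runs this loop over the 8-byte challenge with iv = 0.
func cfb8Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	reg := make([]byte, aes.BlockSize)
	copy(reg, iv)
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		copy(reg, reg[1:])
		reg[aes.BlockSize-1] = out[i]
	}
	return out, nil
}

// ZeroIVCollapses reports whether, under key, an all-zero challenge encrypted
// with the fixed all-zero IV yields an all-zero credential. When it does, a
// client that sends a zero challenge can also present a zero credential
// without knowing the key.
func ZeroIVCollapses(key []byte) (bool, error) {
	zero := make([]byte, challengeLen)
	ct, err := cfb8Encrypt(key, make([]byte, aes.BlockSize), zero)
	if err != nil {
		return false, err
	}
	return bytes.Equal(ct, zero), nil
}

// FirstKeystreamByteIsZero tests the single condition the collapse depends on:
// AES_k(0^16)[0] == 0x00. Only then does the register stay zero after the
// first byte, which is why about 1 key in 256 collapses.
func FirstKeystreamByteIsZero(key []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	ks := make([]byte, aes.BlockSize)
	block.Encrypt(ks, make([]byte, aes.BlockSize))
	return ks[0] == 0, nil
}

// ScanKeys tries n constructed keys (counter i in the low 8 bytes, standing in
// for per-attempt session keys) and returns how many collapse plus the first
// one that does (nil if none).
func ScanKeys(n int) (count int, first []byte, err error) {
	for i := 0; i < n; i++ {
		key := make([]byte, 16)
		binary.LittleEndian.PutUint64(key[8:], uint64(i))
		ok, err := ZeroIVCollapses(key)
		if err != nil {
			return 0, nil, err
		}
		if ok {
			if first == nil {
				first = key
			}
			count++
		}
	}
	return count, first, nil
}

func main() {
	const n = 8192
	count, key, err := ScanKeys(n)
	if err != nil || key == nil {
		panic("no collapsing key found")
	}
	fmt.Printf("zero IV: %d of %d keys map a zero challenge to a zero credential (about 1 in 256)\n", count, n)

	// With a fresh random IV per call, as a sound CFB8 construction requires,
	// the same key no longer maps the zero challenge to zero: the register
	// starts unpredictable, so the shortcut disappears.
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	ct, _ := cfb8Encrypt(key, iv, make([]byte, challengeLen))
	fmt.Printf("same key, random IV: credential = %x\n", ct)
}
```

The 1-in-256 figure is what turns a cryptographic curiosity into an authentication bypass: an attacker who can retry the handshake does not need to know the key, only to keep sending zero challenges until a session key with that first-byte property comes along.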