Government officials in the US, UK, and Australia urge public and private sector organizations to protect their networks by ensuring that firewalls, VPNs, and other network edge devices are patched against the most widespread vulnerabilities.
In a joint advisory released on Wednesday, the US FBI and CISA (Cybersecurity and Infrastructure Security Agency), the Australian Cyber Security Centre, and the UK National Cyber Security Centre listed the 30 most exploited vulnerabilities. The vulnerabilities reside in a large number of devices or software products sold by companies such as Citrix, Pulse Secure, Microsoft, and Fortinet.
“Cyber actors continue to exploit publicly known, and often outdated, software vulnerabilities against broad target sets, including public and private sector organizations around the world,” the advisory stated. “However, entities around the world can mitigate the vulnerabilities listed in this report by applying available patches to their systems and implementing a centralized patch management system.”
What, I patch?
Four of the most targeted vulnerabilities last year resided in VPNs, cloud-based services and other devices that allow people to remotely access employer networks. Despite the explosion of work-from-home employees fueled by the COVID-19 pandemic, many VPN gateway devices remained unpatched during 2020.
The discovery dates for the top 4 vulnerabilities ranged from 2018 to 2020, an indication of how common it is for organizations using the affected devices to delay applying security patches. The flaws include CVE-2019-19781, a remote code execution bug in the Citrix application delivery controller (which customers use to load-balance incoming application traffic); CVE-2019-11510, which allows attackers to remotely read sensitive files stored by Pulse Secure's Pulse Connect Secure VPN; CVE-2018-13379, a path traversal weakness in VPNs made by Fortinet; and CVE-2020-5902, a code execution vulnerability in the BIG-IP application delivery controller made by F5.
The 12 main defects are:
| Vendor | CVE | Type |
|---|---|---|
| Citrix | CVE-2019-19781 | arbitrary code execution |
| Pulse Secure | CVE-2019-11510 | arbitrary file reading |
| Fortinet | CVE-2018-13379 | path traversal |
| F5 BIG-IP | CVE-2020-5902 | remote code execution (RCE) |
| Microsoft | CVE-2020-0787 | elevation of privilege |
| Netlogon | CVE-2020-1472 | elevation of privilege |
Breaking down the door
The vulnerabilities, all of which have been patched by vendors, have provided the opening vector for untold numbers of serious intrusions. For example, according to an advisory issued by the US government in April, hackers working for the Russian government routinely exploited CVE-2018-13379, CVE-2019-11510, and CVE-2019-19781.
That same month, news broke that a different group of hackers was also exploiting CVE-2018-13379. In one case, the hackers gave ransomware operators control of two production facilities owned by a European manufacturer.
Wednesday’s advisory went on to say:
CISA, ACSC, NCSC, and the FBI assess that public and private organizations around the world remain vulnerable to compromise from the exploitation of these CVEs. It is highly likely that malicious cyber actors will continue to use older known vulnerabilities, such as CVE-2017-11882, which affects Microsoft Office, as long as they remain effective and systems remain unpatched. The use of known vulnerabilities by adversaries complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.
Officials also listed 13 vulnerabilities discovered this year that are also being widely exploited. The vulnerabilities are:
- Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065
- Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899 and CVE-2021-22900
- Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
- VMware: CVE-2021-21985
The advisory provides technical details for each vulnerability, mitigation guidance, and indicators of compromise to help organizations determine whether they are vulnerable or have already been compromised. The advisory also provides guidance for locking down systems.