The Top 10 Most Severe Vulnerabilities In 2021

Uploaded on 2022-01-04 in NEWS-Cybersecurity News, FREE TO VIEW

Brought to you by SOCPrime

The past few years spelled a radical shift to online. The global trend toward digital processes’ acceleration inevitably set the grounds for the growing number of cyber threats and their evergrowing sophistication. So as to back up this statement with supporting evidence, it is worth looking back on the top cybersecurity exploits and incidents of 2020, tapping into all the valuable insights and lessons the past year brought to the industry, put together in the SOC Prime report.

As for the year 2021, here are disturbing cybersecurity stats for 2021: security experts report about 18,582 vulnerabilities (CVEs) caught so far this year, compared to 17,041 detected in 2020. Moreover, 2021 was marked with a significant increase in reported zero-days. At least 66 zero-day issues have been publicly revealed this year, doubling the total number of those identified in 2020.

Those numbers are putting more strain on security practitioners, already keeping pace with timely threat detection and software patching. The savviest ones are turning to the world’s largest Threat Detection Marketplace powered by SOC Prime that delivers over 130K curated Sigma-based content items to identify critical threats challenging businesses, including detection algorithms for all high-severity CVEs mentioned above. Security performers can easily convert them from the generic Sigma standard to 20+ SIEM, EDR & XDR formats using the platform's inbuilt automated capabilities or with the help of Uncoder.io, a free online tool for on-the-fly content translations.

In the aforementioned circumstances, cybersecurity awareness is raising the stakes. This report, based on CISA findings & recommendations as well as SOC Prime research, highlights the ten most severe vulnerabilities and exposures of 2021 that affected a broad spectrum of products from VMware, Microsoft, Apache, Pulse Secure, and F5 Big IP, helping to make sure you have not missed on anything.

1.    Critical Unauthorized Remote Code Execution in VMware vCenter (CVE-2021-21972)

On February 23, it was announced that the vSphere Client (HTML5) contained an RCE vulnerability in a vCenter Server plugin.

●    The bug, if unpatched, allows unauthorized hackers (with access to port 443) to issue a specific request and execute arbitrary commands on the targeted server. 
●    Attackers gain access to compromised environments and sensitive data.

2.    Microsoft Exchange ProxyLogon Attack (CVE-2021-26857, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065)

On March 2, Microsoft released security updates for a number of critical vulnerabilities that compromise MS Exchange servers: CVE-2021-26857, CVE-2021-26855, CVE-2021-26858, and CVE-2021-27065. Today, this chain, commonly referred to as ProxyLogon, is the most well-known and impactful Exchange exploit.

●    If exploited, it enables a threat actor to bypass the authentication requirements and obtain admin privileges.
●    The majority of attacks were aimed at uploading the initial web shell to the server for future malicious actions.

3.    Critical Vulnerabilities in F5 BIG-IP, BIG-IQ (CVE-2021-22986, CVE-2021-22987, CVE-2021-22991, CVE-2021-22992)

On March 10, 2021, F5 addressed four critical vulnerabilities in BIG-IP and BIG-IQ products.

-    CVE-2021-22986, an unauthenticated RCE vulnerability in the iControl REST interface. Unauthenticated users could exploit it through the BIG-IP management interface and self IP addresses to carry out arbitrary system commands, manage files, and disable services.
-    CVE-2021-22987, the most severe out of the four, is a remote code execution vulnerability that stems from a misconfiguration in the Traffic Management User Interface. In the wrong hands, it leads to authenticated RCE in undisclosed pages if running in application mode.
-    CVE-2021-22991 is a buffer overflow issue, resulting in remote code execution and denial-of-service (DoS) on the impacted installations.
-    CVE-2021-22992— much like the previous one, this critical security hole allows for DoS and RCE, with a potential of a complete system compromise.

4.    Multiple FortiOS Vulnerabilities (CVE-2018-13379, CVE-2019-5591, CVE-2020-12812)

In April, CISA and the FBI published an advisory on the vulnerabilities in FortiOS used in Fortinet SSL VPN. These vulnerabilities present the following threats:

-    CVE-2018-13379 — a path traversal vulnerability. Allows an unauthenticated attacker to get hold of FortiOS system files via specially crafted HTTP resource requests.
-    CVE-2019-5591 — a default-configuration bug. Enables a ransomware actor on the same subnet to intercept sensitive information by impersonating the LDAP server.
-    CVE-2020-12812 — an improper-authentication flaw. Grants a successful log-in without the second factor of authentication (FortiToken), given the changed case of the username in question.

5.    Critical VMware vCenter Vulnerability (CVE-2021-21985)

On May 25, it was reported that the vSphere Client (HTML5) has a remote code execution vulnerability due to a lack of input validation in the Virtual SAN Health Check plugin, enabled by default in vCenter Server.

●    When exploited, the vulnerability allows adversaries with network access to port 443 to execute arbitrary commands with unrestricted privileges on the underlying vCenter host.

6.    Ivanti Patches Critical Pulse Connect Secure Flaws (CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900)

Since June 2020, for almost a year, at least several major hacking groups deployed numerous malware families to exploit flaws in Ivanti Pulse Connect Secure suite of VPNs to access government agencies, critical infrastructure objects, and private firms across the U.S.

●    Threat actors are using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence.
●    The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.

7.    Patch Bypass Vulnerability in Pulse Connect Secure (CVE-2021-22937)

This is a post-authentication RCE vulnerability in Pulse Connect Secure virtual private network (VPN) appliances. This flaw was exploited in June 2021, bypassing the patch issued in October 2020 that addressed the CVE-2020-8260 — a notorious bug that allowed for RCE with root privileges.

●    If exploited, the vulnerability allows an authenticated user with administrator rights to overwrite arbitrary files via an archive, uploaded in the administrator web interface.
●    The bug introduces a persistent backdoor that compromises VPN clients.

8.    PrintNightmare Vulnerabilities (CVE-2021-1675/CVE-2021-34527)

In June 2021, Windows’ PrintNightmare RCE vulnerability got in the public eye. It has been around since the beginning of 2021, but there was not much fuss about it from the start since it did not present, allegedly, much of a threat to users’ security. However, after a careful re-accession in the summer of 2021, the vulnerability was stamped critical, passing its credentials to a different security issue — CVE-2021-34527.

●    The vulnerability allowed an attacker with a regular, unprivileged user account to remotely take control of a server running the Windows Print Spooler service.
●    Successful exploitation empowers authenticated adversaries to perform privileged file operation abuse.

Now that the dust has settled, there are two official patches available for installation to mitigate each of the PrintNightmare flaws —  CVE 2021-1675 and CVE-2021-34527.

9.    Microsoft Exchange ProxyShell Attack (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)

In August 2021, security researchers revealed another notorious Microsoft vulnerability —   ProxyShell. This is an umbrella term covering three severe bugs:

-    CVE-2021-34473 — a pre-auth patch confusion issue that results in ACL bypass
-    CVE-2021-34523 — an elevation of privilege flaw on the Exchange PowerShell backend
-    CVE-2021-31207 — a post-auth arbitrary-file-write misconfiguration

●    The flaws work in tandem, providing the grounds for threat actors to execute arbitrary commands on Microsoft Exchange Server through an exposed 443 port.
●    As of today, the flaws are patched with the official security updates released by Microsoft in May and July; however, over 30,000 Exchange servers remain vulnerable to date, motivating attackers to leverage those vulnerabilities.

10.    Critical vulnerability in Apache Log4j library aka Log4Shell or LogJam (CVE-2021-44228)

The Apache Log4j Java-based logging library vulnerability was revealed on December 1 and is posing a critical risk to affected systems, scoring 10 in CVSS.

●    If successfully exploited on one of the servers, it gives a threat actor the ability to load and execute arbitrary code from an attacker-controlled domain and, in particular cases, gain unrestricted control of the whole system.
●    Adversaries leverage this flaw to install coin miners, DDoS bots, and Cobalt Strike implants to recruit vulnerable devices into a botnet and export data from the compromised machines.
●    Thousands of apps and services globally leverage the vulnerable log4j library for its operational routines.
●    Log4Shell might be weaponized to reach the WannaCry scenario.

At the risk of sounding like a broken record, let’s conclude by saying that keeping one’s finger on a pulse of attacks’ development presents an opportunity to better understand the latest trends in the cyber threat landscape, boosting your cyber defence skills. First of all, make sure all of the relevant vulnerabilities listed above are patched. Second, a shout-out to cyber researchers and enthusiasts - regularly monitor and consider contributing to threat detection platforms.

You Might Also Read: 

Log4j Cyber Security Flaw Seriously Concerns Experts:

 

« Disinformation Is A Prevalent Threat
Pegasus Spyware & Not-For-Profit Cyber Security - What Are The Risks? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

SailPoint

SailPoint

SailPoint provides identity governance solutions with on-premises and cloud-based identity management software for the most complex challenges.

ECS

ECS

ECS is a leading information technology provider delivering cloud, cybersecurity, software development, IT modernization, and advanced science and engineering services.

BlueFiles

BlueFiles

BlueFiles enables users to send encrypted files securely while maintaining full control over recipients, access periods, downloads, and printing.

LUCY Security

LUCY Security

LUCY is the answer when you want to increase your IT security, maintain your cyber security awareness, or test your IT defenses.

Swiss Accreditation Service (SAS)

Swiss Accreditation Service (SAS)

SAS is the national accreditation body for Switzerland. The directory of members provides details of organisations offering certification services for ISO 27001.

Outsource UK

Outsource UK

Outsource UK is an independent recruitment company supplying highly-skilled technology, change and engineering talent to clients within a range of specialist sectors including Cyber Security.

Texas A&M Cybersecurity Center

Texas A&M Cybersecurity Center

Texas A&M Cybersecurity Center is dedicated to combating adversaries who desire to harm our citizens, our government, and our industry through cyber-attacks.

Fastcomcorp

Fastcomcorp

Fastcomcorp offers a world-class proactive cyber security defense and risk management consulting. Including Darkweb monitoring and posture assessments.

Start Left® Security

Start Left® Security

Great security culture doesn't just happen; you ENGINEER it.

BIG Cyber

BIG Cyber

BIG Cyber is a specialized Managed Security Service Provider (MSSP) dedicated to bringing military grade cyber security technology to the gaming industry.

Xiarch Solutions

Xiarch Solutions

Xiarch Security is an global security firm that educates clients, identifies security risks, informs intelligent business decisions, and enables you to reduce your attack surface.

WithSecure

WithSecure

WithSecure (formerly F-Secure Business) is your reliable cyber security partner, providing outcome-based cyber security that protects and enables operations.

Lavabit

Lavabit

Lavabit's Dark Internet Mail Environment is a secure, open-source, secure end-to-end communications platform for asynchronous messaging across the internet.

Advent One

Advent One

Advent One are recognised for solving intricate dilemmas, not only making technology work but building foundations that customers can grow upon in an effective and secure way.

at-yet (@-yet)

at-yet (@-yet)

at-yet are an interdisciplinary team of experts. We are all about achieving results, whatever the situation – an acute incident, risk minimisation, safeguarding or data protection.

ITConnexion

ITConnexion

ITConnexion is an Australian-based Managed IT Service with over 20 years of experience. We offer a complete IT management service for non-profits, SMEs, and enterprises.