The Top 10 Most Severe Vulnerabilities In 2021

Uploaded on 2022-01-04 in NEWS-Cybersecurity News, FREE TO VIEW

Brought to you by SOCPrime

The past few years spelled a radical shift to online. The global trend toward digital processes’ acceleration inevitably set the grounds for the growing number of cyber threats and their evergrowing sophistication. So as to back up this statement with supporting evidence, it is worth looking back on the top cybersecurity exploits and incidents of 2020, tapping into all the valuable insights and lessons the past year brought to the industry, put together in the SOC Prime report.

As for the year 2021, here are disturbing cybersecurity stats for 2021: security experts report about 18,582 vulnerabilities (CVEs) caught so far this year, compared to 17,041 detected in 2020. Moreover, 2021 was marked with a significant increase in reported zero-days. At least 66 zero-day issues have been publicly revealed this year, doubling the total number of those identified in 2020.

Those numbers are putting more strain on security practitioners, already keeping pace with timely threat detection and software patching. The savviest ones are turning to the world’s largest Threat Detection Marketplace powered by SOC Prime that delivers over 130K curated Sigma-based content items to identify critical threats challenging businesses, including detection algorithms for all high-severity CVEs mentioned above. Security performers can easily convert them from the generic Sigma standard to 20+ SIEM, EDR & XDR formats using the platform's inbuilt automated capabilities or with the help of Uncoder.io, a free online tool for on-the-fly content translations.

In the aforementioned circumstances, cybersecurity awareness is raising the stakes. This report, based on CISA findings & recommendations as well as SOC Prime research, highlights the ten most severe vulnerabilities and exposures of 2021 that affected a broad spectrum of products from VMware, Microsoft, Apache, Pulse Secure, and F5 Big IP, helping to make sure you have not missed on anything.

1.    Critical Unauthorized Remote Code Execution in VMware vCenter (CVE-2021-21972)

On February 23, it was announced that the vSphere Client (HTML5) contained an RCE vulnerability in a vCenter Server plugin.

●    The bug, if unpatched, allows unauthorized hackers (with access to port 443) to issue a specific request and execute arbitrary commands on the targeted server. 
●    Attackers gain access to compromised environments and sensitive data.

2.    Microsoft Exchange ProxyLogon Attack (CVE-2021-26857, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065)

On March 2, Microsoft released security updates for a number of critical vulnerabilities that compromise MS Exchange servers: CVE-2021-26857, CVE-2021-26855, CVE-2021-26858, and CVE-2021-27065. Today, this chain, commonly referred to as ProxyLogon, is the most well-known and impactful Exchange exploit.

●    If exploited, it enables a threat actor to bypass the authentication requirements and obtain admin privileges.
●    The majority of attacks were aimed at uploading the initial web shell to the server for future malicious actions.

3.    Critical Vulnerabilities in F5 BIG-IP, BIG-IQ (CVE-2021-22986, CVE-2021-22987, CVE-2021-22991, CVE-2021-22992)

On March 10, 2021, F5 addressed four critical vulnerabilities in BIG-IP and BIG-IQ products.

-    CVE-2021-22986, an unauthenticated RCE vulnerability in the iControl REST interface. Unauthenticated users could exploit it through the BIG-IP management interface and self IP addresses to carry out arbitrary system commands, manage files, and disable services.
-    CVE-2021-22987, the most severe out of the four, is a remote code execution vulnerability that stems from a misconfiguration in the Traffic Management User Interface. In the wrong hands, it leads to authenticated RCE in undisclosed pages if running in application mode.
-    CVE-2021-22991 is a buffer overflow issue, resulting in remote code execution and denial-of-service (DoS) on the impacted installations.
-    CVE-2021-22992— much like the previous one, this critical security hole allows for DoS and RCE, with a potential of a complete system compromise.

4.    Multiple FortiOS Vulnerabilities (CVE-2018-13379, CVE-2019-5591, CVE-2020-12812)

In April, CISA and the FBI published an advisory on the vulnerabilities in FortiOS used in Fortinet SSL VPN. These vulnerabilities present the following threats:

-    CVE-2018-13379 — a path traversal vulnerability. Allows an unauthenticated attacker to get hold of FortiOS system files via specially crafted HTTP resource requests.
-    CVE-2019-5591 — a default-configuration bug. Enables a ransomware actor on the same subnet to intercept sensitive information by impersonating the LDAP server.
-    CVE-2020-12812 — an improper-authentication flaw. Grants a successful log-in without the second factor of authentication (FortiToken), given the changed case of the username in question.

5.    Critical VMware vCenter Vulnerability (CVE-2021-21985)

On May 25, it was reported that the vSphere Client (HTML5) has a remote code execution vulnerability due to a lack of input validation in the Virtual SAN Health Check plugin, enabled by default in vCenter Server.

●    When exploited, the vulnerability allows adversaries with network access to port 443 to execute arbitrary commands with unrestricted privileges on the underlying vCenter host.

6.    Ivanti Patches Critical Pulse Connect Secure Flaws (CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900)

Since June 2020, for almost a year, at least several major hacking groups deployed numerous malware families to exploit flaws in Ivanti Pulse Connect Secure suite of VPNs to access government agencies, critical infrastructure objects, and private firms across the U.S.

●    Threat actors are using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence.
●    The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.

7.    Patch Bypass Vulnerability in Pulse Connect Secure (CVE-2021-22937)

This is a post-authentication RCE vulnerability in Pulse Connect Secure virtual private network (VPN) appliances. This flaw was exploited in June 2021, bypassing the patch issued in October 2020 that addressed the CVE-2020-8260 — a notorious bug that allowed for RCE with root privileges.

●    If exploited, the vulnerability allows an authenticated user with administrator rights to overwrite arbitrary files via an archive, uploaded in the administrator web interface.
●    The bug introduces a persistent backdoor that compromises VPN clients.

8.    PrintNightmare Vulnerabilities (CVE-2021-1675/CVE-2021-34527)

In June 2021, Windows’ PrintNightmare RCE vulnerability got in the public eye. It has been around since the beginning of 2021, but there was not much fuss about it from the start since it did not present, allegedly, much of a threat to users’ security. However, after a careful re-accession in the summer of 2021, the vulnerability was stamped critical, passing its credentials to a different security issue — CVE-2021-34527.

●    The vulnerability allowed an attacker with a regular, unprivileged user account to remotely take control of a server running the Windows Print Spooler service.
●    Successful exploitation empowers authenticated adversaries to perform privileged file operation abuse.

Now that the dust has settled, there are two official patches available for installation to mitigate each of the PrintNightmare flaws —  CVE 2021-1675 and CVE-2021-34527.

9.    Microsoft Exchange ProxyShell Attack (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)

In August 2021, security researchers revealed another notorious Microsoft vulnerability —   ProxyShell. This is an umbrella term covering three severe bugs:

-    CVE-2021-34473 — a pre-auth patch confusion issue that results in ACL bypass
-    CVE-2021-34523 — an elevation of privilege flaw on the Exchange PowerShell backend
-    CVE-2021-31207 — a post-auth arbitrary-file-write misconfiguration

●    The flaws work in tandem, providing the grounds for threat actors to execute arbitrary commands on Microsoft Exchange Server through an exposed 443 port.
●    As of today, the flaws are patched with the official security updates released by Microsoft in May and July; however, over 30,000 Exchange servers remain vulnerable to date, motivating attackers to leverage those vulnerabilities.

10.    Critical vulnerability in Apache Log4j library aka Log4Shell or LogJam (CVE-2021-44228)

The Apache Log4j Java-based logging library vulnerability was revealed on December 1 and is posing a critical risk to affected systems, scoring 10 in CVSS.

●    If successfully exploited on one of the servers, it gives a threat actor the ability to load and execute arbitrary code from an attacker-controlled domain and, in particular cases, gain unrestricted control of the whole system.
●    Adversaries leverage this flaw to install coin miners, DDoS bots, and Cobalt Strike implants to recruit vulnerable devices into a botnet and export data from the compromised machines.
●    Thousands of apps and services globally leverage the vulnerable log4j library for its operational routines.
●    Log4Shell might be weaponized to reach the WannaCry scenario.

At the risk of sounding like a broken record, let’s conclude by saying that keeping one’s finger on a pulse of attacks’ development presents an opportunity to better understand the latest trends in the cyber threat landscape, boosting your cyber defence skills. First of all, make sure all of the relevant vulnerabilities listed above are patched. Second, a shout-out to cyber researchers and enthusiasts - regularly monitor and consider contributing to threat detection platforms.

You Might Also Read: 

Log4j Cyber Security Flaw Seriously Concerns Experts:

 

« Disinformation Is A Prevalent Threat
Pegasus Spyware & Not-For-Profit Cyber Security - What Are The Risks? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Ixia

Ixia

Ixia provides testing, visibility, and security solutions to strengthen applications across physical and virtual networks.

CYBERPOL

CYBERPOL

CYBERPOL is the leading Public Utility Agency for investigating cyber crimes and cyber attacks by criminals, international adversaries.

Uniken

Uniken

Uniken REL-ID is a safe, simple, and scalable security platform that tightly integrates your identity, authentication, and channel security.

Sistem Integra (SISB)

Sistem Integra (SISB)

SISB provide IT Security Infrastructure & Development, Mechanical & Electrical Services, Fire Safety & Detection Services, Facilities Management & Application Development.

Spanish Network of Excellence on Cybersecurity Research (RENIC)

Spanish Network of Excellence on Cybersecurity Research (RENIC)

RENIC is a membership based sectoral association that includes research centers and other agents of the research cybersecurity ecosystem in Spain.

CyberHunter Solutions

CyberHunter Solutions

CyberHunter is a leading website security company that provides penetration testing, Network Vulnerability Assessments, cyber security consulting services to prevent cyber attacks.

Client Solution Architects (CSA)

Client Solution Architects (CSA)

Client Solution Architects (CSA) is a leading digital transformation consulting firm focused on the U.S. Defense Department and all U.S. Federal enterprise information technology service areas.

Swiss It Security Group

Swiss It Security Group

Swiss It Security Group offers clients complete IT security concepts based on innovative solutions and technology, with a focus on protection, detection and defence.

Xperience

Xperience

Xperience solves our clients’ toughest challenges by delivering business efficiency through digital transformation solutions across cloud, managed IT, CRM and ERP.

CyberQP

CyberQP

CyberQP (formerly Quickpass Cybersecurity) provide Privileged Access Management built for MSPs. Our system is designed to reduce ransomware and social engineering attack risks.

CloudWave

CloudWave

CloudWave, the expert in healthcare data security, provides cloud, cybersecurity, and managed services to healthcare organizations.

OneZero Solutions

OneZero Solutions

OneZero specialize in cybersecurity operations, information assurance, computer network operations, solutions engineering, and project management.

ZEUSS

ZEUSS

ZEUSS is a diversified data center, cybersecurity, and green energy company.

Mindgard

Mindgard

The Mindgard Security Copilot platform secures your Artificial Intelligence, GenAI and LLMs.

RightSec

RightSec

RightSec is an emerging market leader and solution provider for cybersecurity and digital resiliency. We provide end to end solutions to suit your specific business lifecycle.

Robust Intelligence

Robust Intelligence

Robust Intelligence enables enterprises to secure their AI transformation with an automated solution to protect against security and safety threats.