The Top 10 Most Severe Vulnerabilities In 2021

Uploaded on 2022-01-04 in NEWS-Cybersecurity News, FREE TO VIEW

Brought to you by SOCPrime

The past few years spelled a radical shift to online. The global trend toward digital processes’ acceleration inevitably set the grounds for the growing number of cyber threats and their evergrowing sophistication. So as to back up this statement with supporting evidence, it is worth looking back on the top cybersecurity exploits and incidents of 2020, tapping into all the valuable insights and lessons the past year brought to the industry, put together in the SOC Prime report.

As for the year 2021, here are disturbing cybersecurity stats for 2021: security experts report about 18,582 vulnerabilities (CVEs) caught so far this year, compared to 17,041 detected in 2020. Moreover, 2021 was marked with a significant increase in reported zero-days. At least 66 zero-day issues have been publicly revealed this year, doubling the total number of those identified in 2020.

Those numbers are putting more strain on security practitioners, already keeping pace with timely threat detection and software patching. The savviest ones are turning to the world’s largest Threat Detection Marketplace powered by SOC Prime that delivers over 130K curated Sigma-based content items to identify critical threats challenging businesses, including detection algorithms for all high-severity CVEs mentioned above. Security performers can easily convert them from the generic Sigma standard to 20+ SIEM, EDR & XDR formats using the platform's inbuilt automated capabilities or with the help of Uncoder.io, a free online tool for on-the-fly content translations.

In the aforementioned circumstances, cybersecurity awareness is raising the stakes. This report, based on CISA findings & recommendations as well as SOC Prime research, highlights the ten most severe vulnerabilities and exposures of 2021 that affected a broad spectrum of products from VMware, Microsoft, Apache, Pulse Secure, and F5 Big IP, helping to make sure you have not missed on anything.

1.    Critical Unauthorized Remote Code Execution in VMware vCenter (CVE-2021-21972)

On February 23, it was announced that the vSphere Client (HTML5) contained an RCE vulnerability in a vCenter Server plugin.

●    The bug, if unpatched, allows unauthorized hackers (with access to port 443) to issue a specific request and execute arbitrary commands on the targeted server. 
●    Attackers gain access to compromised environments and sensitive data.

2.    Microsoft Exchange ProxyLogon Attack (CVE-2021-26857, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065)

On March 2, Microsoft released security updates for a number of critical vulnerabilities that compromise MS Exchange servers: CVE-2021-26857, CVE-2021-26855, CVE-2021-26858, and CVE-2021-27065. Today, this chain, commonly referred to as ProxyLogon, is the most well-known and impactful Exchange exploit.

●    If exploited, it enables a threat actor to bypass the authentication requirements and obtain admin privileges.
●    The majority of attacks were aimed at uploading the initial web shell to the server for future malicious actions.

3.    Critical Vulnerabilities in F5 BIG-IP, BIG-IQ (CVE-2021-22986, CVE-2021-22987, CVE-2021-22991, CVE-2021-22992)

On March 10, 2021, F5 addressed four critical vulnerabilities in BIG-IP and BIG-IQ products.

-    CVE-2021-22986, an unauthenticated RCE vulnerability in the iControl REST interface. Unauthenticated users could exploit it through the BIG-IP management interface and self IP addresses to carry out arbitrary system commands, manage files, and disable services.
-    CVE-2021-22987, the most severe out of the four, is a remote code execution vulnerability that stems from a misconfiguration in the Traffic Management User Interface. In the wrong hands, it leads to authenticated RCE in undisclosed pages if running in application mode.
-    CVE-2021-22991 is a buffer overflow issue, resulting in remote code execution and denial-of-service (DoS) on the impacted installations.
-    CVE-2021-22992— much like the previous one, this critical security hole allows for DoS and RCE, with a potential of a complete system compromise.

4.    Multiple FortiOS Vulnerabilities (CVE-2018-13379, CVE-2019-5591, CVE-2020-12812)

In April, CISA and the FBI published an advisory on the vulnerabilities in FortiOS used in Fortinet SSL VPN. These vulnerabilities present the following threats:

-    CVE-2018-13379 — a path traversal vulnerability. Allows an unauthenticated attacker to get hold of FortiOS system files via specially crafted HTTP resource requests.
-    CVE-2019-5591 — a default-configuration bug. Enables a ransomware actor on the same subnet to intercept sensitive information by impersonating the LDAP server.
-    CVE-2020-12812 — an improper-authentication flaw. Grants a successful log-in without the second factor of authentication (FortiToken), given the changed case of the username in question.

5.    Critical VMware vCenter Vulnerability (CVE-2021-21985)

On May 25, it was reported that the vSphere Client (HTML5) has a remote code execution vulnerability due to a lack of input validation in the Virtual SAN Health Check plugin, enabled by default in vCenter Server.

●    When exploited, the vulnerability allows adversaries with network access to port 443 to execute arbitrary commands with unrestricted privileges on the underlying vCenter host.

6.    Ivanti Patches Critical Pulse Connect Secure Flaws (CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900)

Since June 2020, for almost a year, at least several major hacking groups deployed numerous malware families to exploit flaws in Ivanti Pulse Connect Secure suite of VPNs to access government agencies, critical infrastructure objects, and private firms across the U.S.

●    Threat actors are using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence.
●    The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.

7.    Patch Bypass Vulnerability in Pulse Connect Secure (CVE-2021-22937)

This is a post-authentication RCE vulnerability in Pulse Connect Secure virtual private network (VPN) appliances. This flaw was exploited in June 2021, bypassing the patch issued in October 2020 that addressed the CVE-2020-8260 — a notorious bug that allowed for RCE with root privileges.

●    If exploited, the vulnerability allows an authenticated user with administrator rights to overwrite arbitrary files via an archive, uploaded in the administrator web interface.
●    The bug introduces a persistent backdoor that compromises VPN clients.

8.    PrintNightmare Vulnerabilities (CVE-2021-1675/CVE-2021-34527)

In June 2021, Windows’ PrintNightmare RCE vulnerability got in the public eye. It has been around since the beginning of 2021, but there was not much fuss about it from the start since it did not present, allegedly, much of a threat to users’ security. However, after a careful re-accession in the summer of 2021, the vulnerability was stamped critical, passing its credentials to a different security issue — CVE-2021-34527.

●    The vulnerability allowed an attacker with a regular, unprivileged user account to remotely take control of a server running the Windows Print Spooler service.
●    Successful exploitation empowers authenticated adversaries to perform privileged file operation abuse.

Now that the dust has settled, there are two official patches available for installation to mitigate each of the PrintNightmare flaws —  CVE 2021-1675 and CVE-2021-34527.

9.    Microsoft Exchange ProxyShell Attack (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)

In August 2021, security researchers revealed another notorious Microsoft vulnerability —   ProxyShell. This is an umbrella term covering three severe bugs:

-    CVE-2021-34473 — a pre-auth patch confusion issue that results in ACL bypass
-    CVE-2021-34523 — an elevation of privilege flaw on the Exchange PowerShell backend
-    CVE-2021-31207 — a post-auth arbitrary-file-write misconfiguration

●    The flaws work in tandem, providing the grounds for threat actors to execute arbitrary commands on Microsoft Exchange Server through an exposed 443 port.
●    As of today, the flaws are patched with the official security updates released by Microsoft in May and July; however, over 30,000 Exchange servers remain vulnerable to date, motivating attackers to leverage those vulnerabilities.

10.    Critical vulnerability in Apache Log4j library aka Log4Shell or LogJam (CVE-2021-44228)

The Apache Log4j Java-based logging library vulnerability was revealed on December 1 and is posing a critical risk to affected systems, scoring 10 in CVSS.

●    If successfully exploited on one of the servers, it gives a threat actor the ability to load and execute arbitrary code from an attacker-controlled domain and, in particular cases, gain unrestricted control of the whole system.
●    Adversaries leverage this flaw to install coin miners, DDoS bots, and Cobalt Strike implants to recruit vulnerable devices into a botnet and export data from the compromised machines.
●    Thousands of apps and services globally leverage the vulnerable log4j library for its operational routines.
●    Log4Shell might be weaponized to reach the WannaCry scenario.

At the risk of sounding like a broken record, let’s conclude by saying that keeping one’s finger on a pulse of attacks’ development presents an opportunity to better understand the latest trends in the cyber threat landscape, boosting your cyber defence skills. First of all, make sure all of the relevant vulnerabilities listed above are patched. Second, a shout-out to cyber researchers and enthusiasts - regularly monitor and consider contributing to threat detection platforms.

You Might Also Read: 

Log4j Cyber Security Flaw Seriously Concerns Experts:

 

« Disinformation Is A Prevalent Threat
Pegasus Spyware & Not-For-Profit Cyber Security - What Are The Risks? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

SK-CERT

SK-CERT

SK-CERT National Computer Computer Emergency Response Team of Slovakia.

CERT-UA

CERT-UA

CERT-UA is the national Computer Emergency Response Team for Ukraine.

ESG Elektroniksystem- und Logistik-GmbH

ESG Elektroniksystem- und Logistik-GmbH

ESG offer a comprehensive portfolio of cyber and IT services ranging from consulting, solutions and operations to testing, simulation and training.

Resolver

Resolver

Resolver’s Integrated Risk Management platform helps plan and prepare your organization to limit the likeliness or impact of security risk and compliance events from occurring.

Tessian

Tessian

Tessian (formerly CheckRecipient) is a next-generation email security platform that helps enterprises counteract human error and significantly reduce the risk of data loss.

IntaPeople

IntaPeople

IntaPeople are IT and engineering recruitment specialists. We have specialist teams for job sectors including Cybersecurity, IT infrastructure and DevOps.

Hold Security

Hold Security

Hold Security works with companies of all sizes to provide unparalleled Threat Intelligence services that actually make a difference.

Action1

Action1

Action1 is a Cloud-based lightweight endpoint security platform that discovers all of your endpoints in seconds and allows you to retrieve live security information from the entire network.

StrikeReady

StrikeReady

StrikeReady have developed CARA, an advanced technology solution that offers personalized and proactive assessment and remediation of future and current risk in real-time.

Maritime Cyber Threats Research Group - University of Plymouth

Maritime Cyber Threats Research Group - University of Plymouth

The Maritime Cyber Threats research group of the University of Plymouth is focused on investigating marine cyber threats and researching solutions.

Alkira

Alkira

Alkira has reinvented networking for the cloud era by delivering the network cloud, the first global unified network infrastructure with on-demand hybrid and multi-cloud connectivity.

ProCheckUp

ProCheckUp

ProCheckUp is a London-based independent provider of cyber security services, including IT Security, Assurance, Compliance and Incident Response.

WithSecure

WithSecure

WithSecure (formerly F-Secure Business) is your reliable cyber security partner, providing outcome-based cyber security that protects and enables operations.

Responsive Technology Partners

Responsive Technology Partners

Responsive Technology Partners provides superior IT support services including cybersecurity and compliance, telephony, cloud services, cabling, access control, and camera systems.

Sardine

Sardine

Sardine is a leader in financial crime prevention. Using unparalleled device intelligence and behavior biometrics, Sardine applies machine learning to detect and stop fraud before it happens.

Secur-Serv

Secur-Serv

Secur-Serv is a security-first managed services provider. We provides Managed IT, Managed Print, Managed Device, and Cybersecurity services to companies of every size.