The Top 10 Most Severe Vulnerabilities In 2021

Uploaded on 2022-01-04 in NEWS-News Analysis, FREE TO VIEW

Brought to you by SOCPrime

The past few years spelled a radical shift to online. The global trend toward digital processes’ acceleration inevitably set the grounds for the growing number of cyber threats and their evergrowing sophistication. So as to back up this statement with supporting evidence, it is worth looking back on the top cybersecurity exploits and incidents of 2020, tapping into all the valuable insights and lessons the past year brought to the industry, put together in the SOC Prime report.

As for the year 2021, here are disturbing cybersecurity stats for 2021: security experts report about 18,582 vulnerabilities (CVEs) caught so far this year, compared to 17,041 detected in 2020. Moreover, 2021 was marked with a significant increase in reported zero-days. At least 66 zero-day issues have been publicly revealed this year, doubling the total number of those identified in 2020.

Those numbers are putting more strain on security practitioners, already keeping pace with timely threat detection and software patching. The savviest ones are turning to the world’s largest Threat Detection Marketplace powered by SOC Prime that delivers over 130K curated Sigma-based content items to identify critical threats challenging businesses, including detection algorithms for all high-severity CVEs mentioned above. Security performers can easily convert them from the generic Sigma standard to 20+ SIEM, EDR & XDR formats using the platform's inbuilt automated capabilities or with the help of Uncoder.io, a free online tool for on-the-fly content translations.

In the aforementioned circumstances, cybersecurity awareness is raising the stakes. This report, based on CISA findings & recommendations as well as SOC Prime research, highlights the ten most severe vulnerabilities and exposures of 2021 that affected a broad spectrum of products from VMware, Microsoft, Apache, Pulse Secure, and F5 Big IP, helping to make sure you have not missed on anything.

1.    Critical Unauthorized Remote Code Execution in VMware vCenter (CVE-2021-21972)

On February 23, it was announced that the vSphere Client (HTML5) contained an RCE vulnerability in a vCenter Server plugin.

●    The bug, if unpatched, allows unauthorized hackers (with access to port 443) to issue a specific request and execute arbitrary commands on the targeted server. 
●    Attackers gain access to compromised environments and sensitive data.

2.    Microsoft Exchange ProxyLogon Attack (CVE-2021-26857, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065)

On March 2, Microsoft released security updates for a number of critical vulnerabilities that compromise MS Exchange servers: CVE-2021-26857, CVE-2021-26855, CVE-2021-26858, and CVE-2021-27065. Today, this chain, commonly referred to as ProxyLogon, is the most well-known and impactful Exchange exploit.

●    If exploited, it enables a threat actor to bypass the authentication requirements and obtain admin privileges.
●    The majority of attacks were aimed at uploading the initial web shell to the server for future malicious actions.

3.    Critical Vulnerabilities in F5 BIG-IP, BIG-IQ (CVE-2021-22986, CVE-2021-22987, CVE-2021-22991, CVE-2021-22992)

On March 10, 2021, F5 addressed four critical vulnerabilities in BIG-IP and BIG-IQ products.

-    CVE-2021-22986, an unauthenticated RCE vulnerability in the iControl REST interface. Unauthenticated users could exploit it through the BIG-IP management interface and self IP addresses to carry out arbitrary system commands, manage files, and disable services.
-    CVE-2021-22987, the most severe out of the four, is a remote code execution vulnerability that stems from a misconfiguration in the Traffic Management User Interface. In the wrong hands, it leads to authenticated RCE in undisclosed pages if running in application mode.
-    CVE-2021-22991 is a buffer overflow issue, resulting in remote code execution and denial-of-service (DoS) on the impacted installations.
-    CVE-2021-22992— much like the previous one, this critical security hole allows for DoS and RCE, with a potential of a complete system compromise.

4.    Multiple FortiOS Vulnerabilities (CVE-2018-13379, CVE-2019-5591, CVE-2020-12812)

In April, CISA and the FBI published an advisory on the vulnerabilities in FortiOS used in Fortinet SSL VPN. These vulnerabilities present the following threats:

-    CVE-2018-13379 — a path traversal vulnerability. Allows an unauthenticated attacker to get hold of FortiOS system files via specially crafted HTTP resource requests.
-    CVE-2019-5591 — a default-configuration bug. Enables a ransomware actor on the same subnet to intercept sensitive information by impersonating the LDAP server.
-    CVE-2020-12812 — an improper-authentication flaw. Grants a successful log-in without the second factor of authentication (FortiToken), given the changed case of the username in question.

5.    Critical VMware vCenter Vulnerability (CVE-2021-21985)

On May 25, it was reported that the vSphere Client (HTML5) has a remote code execution vulnerability due to a lack of input validation in the Virtual SAN Health Check plugin, enabled by default in vCenter Server.

●    When exploited, the vulnerability allows adversaries with network access to port 443 to execute arbitrary commands with unrestricted privileges on the underlying vCenter host.

6.    Ivanti Patches Critical Pulse Connect Secure Flaws (CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900)

Since June 2020, for almost a year, at least several major hacking groups deployed numerous malware families to exploit flaws in Ivanti Pulse Connect Secure suite of VPNs to access government agencies, critical infrastructure objects, and private firms across the U.S.

●    Threat actors are using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence.
●    The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.

7.    Patch Bypass Vulnerability in Pulse Connect Secure (CVE-2021-22937)

This is a post-authentication RCE vulnerability in Pulse Connect Secure virtual private network (VPN) appliances. This flaw was exploited in June 2021, bypassing the patch issued in October 2020 that addressed the CVE-2020-8260 — a notorious bug that allowed for RCE with root privileges.

●    If exploited, the vulnerability allows an authenticated user with administrator rights to overwrite arbitrary files via an archive, uploaded in the administrator web interface.
●    The bug introduces a persistent backdoor that compromises VPN clients.

8.    PrintNightmare Vulnerabilities (CVE-2021-1675/CVE-2021-34527)

In June 2021, Windows’ PrintNightmare RCE vulnerability got in the public eye. It has been around since the beginning of 2021, but there was not much fuss about it from the start since it did not present, allegedly, much of a threat to users’ security. However, after a careful re-accession in the summer of 2021, the vulnerability was stamped critical, passing its credentials to a different security issue — CVE-2021-34527.

●    The vulnerability allowed an attacker with a regular, unprivileged user account to remotely take control of a server running the Windows Print Spooler service.
●    Successful exploitation empowers authenticated adversaries to perform privileged file operation abuse.

Now that the dust has settled, there are two official patches available for installation to mitigate each of the PrintNightmare flaws —  CVE 2021-1675 and CVE-2021-34527.

9.    Microsoft Exchange ProxyShell Attack (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207)

In August 2021, security researchers revealed another notorious Microsoft vulnerability —   ProxyShell. This is an umbrella term covering three severe bugs:

-    CVE-2021-34473 — a pre-auth patch confusion issue that results in ACL bypass
-    CVE-2021-34523 — an elevation of privilege flaw on the Exchange PowerShell backend
-    CVE-2021-31207 — a post-auth arbitrary-file-write misconfiguration

●    The flaws work in tandem, providing the grounds for threat actors to execute arbitrary commands on Microsoft Exchange Server through an exposed 443 port.
●    As of today, the flaws are patched with the official security updates released by Microsoft in May and July; however, over 30,000 Exchange servers remain vulnerable to date, motivating attackers to leverage those vulnerabilities.

10.    Critical vulnerability in Apache Log4j library aka Log4Shell or LogJam (CVE-2021-44228)

The Apache Log4j Java-based logging library vulnerability was revealed on December 1 and is posing a critical risk to affected systems, scoring 10 in CVSS.

●    If successfully exploited on one of the servers, it gives a threat actor the ability to load and execute arbitrary code from an attacker-controlled domain and, in particular cases, gain unrestricted control of the whole system.
●    Adversaries leverage this flaw to install coin miners, DDoS bots, and Cobalt Strike implants to recruit vulnerable devices into a botnet and export data from the compromised machines.
●    Thousands of apps and services globally leverage the vulnerable log4j library for its operational routines.
●    Log4Shell might be weaponized to reach the WannaCry scenario.

At the risk of sounding like a broken record, let’s conclude by saying that keeping one’s finger on a pulse of attacks’ development presents an opportunity to better understand the latest trends in the cyber threat landscape, boosting your cyber defence skills. First of all, make sure all of the relevant vulnerabilities listed above are patched. Second, a shout-out to cyber researchers and enthusiasts - regularly monitor and consider contributing to threat detection platforms.

You Might Also Read: 

Log4j Cyber Security Flaw Seriously Concerns Experts:

 

« Disinformation Is A Prevalent Threat
Pegasus Spyware & Not-For-Profit Cyber Security - What Are The Risks? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Nmap Project

Nmap Project

Nmap Project is a Free and open source tool for network discovery, administration, and security auditing.

CrowdStrike

CrowdStrike

CrowdStrike is a global provider of security technology and services focused on identifying advanced threats and targeted attacks.

Vera Security

Vera Security

Vera is a data security platform that provides 360-degree visibility and control over critical business data, anywhere it's shared or stored.

ecsec

ecsec

ecsec is a specialized vendor of security solutions including information security management, smart card technology, identity management, cloud computing and electronic signature technology.

Trinity Cyber

Trinity Cyber

Trinity Cyber’s patent-pending technology stops attacks before they reach internal networks,reducing risk and increasing cost to adversaries.

Cybersecurity Coalition

Cybersecurity Coalition

The mission of the Cybersecurity Coalition is to bring together leading companies to help policymakers develop consensus-driven policy solutions to achieve improvements in cybersecurity.

EuraTechnologies

EuraTechnologies

EuraTechnologies, the French incubator and accelerator, is a centre of excellence and innovation for startups and entrepreneurs with a focus on Digital, Data, Cybersecurity and IoT.

Shift5

Shift5

Shift5 focus on securing operational technology (OT) by building best-in-class, dual-use products serving military and commercial entities.

Defensity

Defensity

Defensity offer bespoke & pre packaged IT Security Solutions for Small business to help companies reduce overall IT related risk.

Vigilant Technology Solutions

Vigilant Technology Solutions

Vigilant is a global cyber security technology company offering solutions to manage entire IT & cyber security lifecycles.

Center for Infrastructure Assurance and Security (CIAS)

Center for Infrastructure Assurance and Security (CIAS)

CIAS is developing the world's foremost center for multidisciplinary education and development of operational capabilities in the areas of infrastructure assurance and security.

Switchfast Technologies

Switchfast Technologies

Switchfast Technologies is an IT consulting and managed services provider, offering IT support and consulting to Chicagoland small businesses.

Presidio Identity

Presidio Identity

Presidio Identity offers a digital-native approach that brings security, privacy, and simplicity to user authentication and digital interactions.

International College For Security Studies (ICSS)

International College For Security Studies (ICSS)

ICSS India offers technical education to students, clients and partners in IT Industry by our well qualified, certified and experienced trainers.

Verichains

Verichains

Verichains Lab is a pioneer and leading APAC blockchain security firm with extensive expertise in the areas of security, cryptography and core blockchain technology.

Focus on Security

Focus on Security

Focus on Security are Cyber Security recruitment specialists. We’re dedicated to connecting you with the top Cyber Security talent across the globe. We focus on partnerships and results.