Feds list the top 30 most exploited vulnerabilities. Many are years old
Government officials in the US, UK and Australia are urging public and private sector organizations to secure their networks by ensuring that firewalls, VPNs and other network perimeter devices are patched against the most widely exploited vulnerabilities.
In a joint advisory published on Wednesday, the US FBI and CISA (Cybersecurity and Infrastructure Security Agency), the Australian Cyber Security Centre and the UK's National Cyber Security Centre listed the 30 most exploited vulnerabilities. The vulnerabilities reside in a range of devices and software from vendors including Citrix, Pulse Secure, Microsoft and Fortinet.
“Cyber actors continue to exploit publicly known – and often outdated – software vulnerabilities against broad target groups, including public and private sector organizations around the world,” the advisory said. “However, entities around the world can mitigate the vulnerabilities listed in this report by applying available patches to their systems and implementing a centralized patch management system.”
What, me patch?
Four of the most targeted vulnerabilities last year were in VPNs, cloud-based services and other devices that let people remotely access employer networks. Despite the explosion in the number of employees working from home due to the COVID-19 pandemic, many VPN gateway devices went unpatched in 2020.
The discovery dates for the top four vulnerabilities ranged from 2018 to 2020, showing how common it is for organizations using affected devices to delay applying security patches. The vulnerabilities include CVE-2019-19781, a remote code execution bug in Citrix's Application Delivery Controller (which customers use to load-balance incoming application traffic); CVE-2019-11510, which allows attackers to remotely read sensitive files stored by Pulse Secure's Pulse Connect Secure VPN; CVE-2018-13379, a path traversal weakness in VPNs made by Fortinet; and CVE-2020-5902, a code execution vulnerability in the BIG-IP Advanced Delivery Controller made by F5.
The 12 main flaws are:
| Vendor | CVE | Type |
|---|---|---|
| Citrix | CVE-2019-19781 | arbitrary code execution |
| Pulse Secure | CVE-2019-11510 | arbitrary file read |
| Fortinet | CVE-2018-13379 | path traversal |
| F5 BIG-IP | CVE-2020-5902 | remote code execution (RCE) |
| MobileIron | CVE-2020-15505 | RCE |
| Microsoft | CVE-2020-0787 | elevation of privilege |
| Netlogon | CVE-2020-1472 | elevation of privilege |
Breaking down the door
The vulnerabilities, all of which have been patched by their vendors, provided the entry point for countless serious intrusions. For example, according to an advisory released by the US government in April, hackers working for the Russian government routinely exploited CVE-2018-13379, CVE-2019-11510 and CVE-2019-19781.
In the same month, it emerged that another group of hackers was also exploiting CVE-2018-13379. In one case, the hackers allowed ransomware operators to take control of two production facilities owned by a European manufacturer.
Wednesday's advisory went on to say:
CISA, ACSC, NCSC and FBI assess that public and private organizations around the world remain vulnerable to compromise resulting from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems are not patched. Adversaries' use of known vulnerabilities complicates attribution, reduces costs and minimizes risk, because they do not invest in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.
Officials also listed 13 vulnerabilities discovered this year that are also being exploited in large numbers. The vulnerabilities are:
- Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065
- Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899 and CVE-2021-22900
- Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103 and CVE-2021-27104
- VMware: CVE-2021-21985
The advisory provides technical details for each vulnerability, mitigation tips and indicators of compromise to help organizations determine whether they are vulnerable or have already been compromised. It also provides advice for locking down systems.