Feds list the top 30 most exploited vulnerabilities. Many are years old.
Government officials in the US, UK, and Australia are urging public- and private-sector organizations to secure their networks by ensuring firewalls, VPNs, and other network-perimeter devices are patched against the most widespread exploits.
In a joint advisory published Wednesday, the US FBI and CISA (Cybersecurity and Infrastructure Security Agency), the Australian Cyber Security Center, and the UK’s National Cyber Security Center listed the top 30 or so most exploited vulnerabilities. The vulnerabilities reside in a host of devices or software marketed by the likes of Citrix, Pulse Secure, Microsoft, and Fortinet.
“Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide,” the advisory stated. “However, entities worldwide can mitigate the vulnerabilities listed in this report by applying the available patches to their systems and implementing a centralized patch management system.”
What, me patch?
Four of the most targeted vulnerabilities last year resided in VPNs, cloud-based services, and other devices that allow people to remotely access employer networks. Despite the explosion in the number of work-from-home employees driven by the COVID-19 pandemic, many VPN gateway devices remained unpatched during 2020.
Discovery dates of the top four vulnerabilities ranged from 2018 to 2020, an indication of how common it is for many organizations using the affected devices to withhold applying security patches. The security flaws include CVE-2019-19781, a remote code-execution bug in Citrix’s application delivery controller (which customers use to perform load balancing of inbound application traffic); CVE 2019-11510, which allows attackers to remotely read sensitive files stored by the Pulse Secure Pulse Connect Secure VPN; CVE 2018-13379, a path-traversal weakness in VPNs made by Fortinet; and CVE 2020-5902, a code-execution vulnerability in the BIG-IP advanced delivery controller made by F5.
The top 12 flaws are:
Vendor | CVE | Type
Citrix | CVE-2019-19781 | arbitrary code execution
Pulse | CVE-2019-11510 | arbitrary file reading
Fortinet | CVE-2018-13379 | path traversal
F5- Big IP | CVE-2020-5902 | remote code execution (RCE)
MobileIron | CVE-2020-15505 | RCE
Microsoft | CVE-2017-11882 | RCE
Atlassian | CVE-2019-11580 | RCE
Drupal | CVE-2018-7600 | RCE
Telerik | CVE 2019-18935 | RCE
Microsoft | CVE-2019-0604 | RCE
Microsoft | CVE-2020-0787 | elevation of privilege
Netlogon | CVE-2020-1472 | elevation of privilege
Breaching the gate
The vulnerabilities—all of which have received patches from vendors—have provided the opening vector from an untold number of serious intrusions. For instance, according to an advisory the US government issued in April, hackers working for the Russian government routinely exploited CVE-2018-13379, CVE-2019-11510, and CVE-2019-19781.
That same month, word emerged that a different set of hackers was also exploiting CVE-2018-13379. In one case, the hackers allowed ransomware operators to seize control of two production facilities belonging to a European manufacturer.
Wednesday’s advisory went on to say:
CISA, ACSC, the NCSC, and FBI assess that public and private organizations worldwide remain vulnerable to compromise from the exploitation of these CVEs. Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.
The officials also listed 13 vulnerabilities discovered this year that are also being exploited in large numbers. The vulnerabilities are:
Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE2021-27065
Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900
Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
The advisory provides technical details for each vulnerability, mitigation guidance, and indicators of compromise to help organizations determine if they’re vulnerable or have been hacked. The advisory also provides guidance for locking down systems.