Top 10 Most Exploited Vulnerabilities
CISA partnered with other national agencies to produce a list of the most exploited vulnerabilities. What's at the top of the charts?
Top of the Vulnerability Charts
No one wants to be number one this chart: The US Cybersecurity and Infrastructure Security Agency’s (CISA) list of the most exploited vulnerabilities. CISA partnered with other national agencies to produce what could be considered a global alert of the worst vulnerabilities: the Australian Cyber Security Centre (ACSC), the United Kingdom’s National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) were all involved in the list’s compilation.
What made the list?
One item on the list of Common Vulnerabilities and Exposures (CVEs) dates back as far as 2017. Known by the catchy moniker CVE-2017-11882, it is caused by a stack buffer overflow in Microsoft Office. It can be used by malicious actors for remote code execution (RCE). The alert noted that such vulnerabilities represented easy targets for cybercriminals if they remain unpatched. They make the hacker’s job easy as they represent a well-travelled channel into the enterprise, and don’t require innovation on the part of the criminals.
It’s akin to a bank or casino having money in a consumer-level safe and having no armed guards around – there is no need for brilliant, if warped, minds to devise complex Mission Impossible-like schemes to breach the defenses to get at the loot.
Many of the CVEs concern the cloud, remote work, and VPNs. It turns out that VPNs suffered badly from attacks over the past year or so.
“Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organization to conduct rigorous patch management,” said the alert.
The latest vulnerability chart topper may grab a lot of attention. But like music lovers everywhere, hackers always return to the golden oldies – tried and true exploits that have been around for years that no one in IT has bothered to patch As well as the Microsoft Office exploit noted above, other golden oldies on the list include:
CVE-2019-19781 about Citrix NetScaler from 2019 that has been used to compromise an Australian defense database.
CVE-2019-11510 relates to Pulse Secure Connect and can result in arbitrary file disclosure and leaks of admin credentials. This one has been used in attacks via VPNs and by nation-state actors.
CVE-2020-0688 for Microsoft Exchange dates back to early 2020 that left server data unencrypted and open to attack.
CVE-2020-15505 lets unprivileged attackers remotely execute code in MobileIron. It is almost a year old.
CVE-2019-3396 for Atlassian Confluence is another remote code execution bug reaching its one-year anniversary.
Other CVEs on the list come from vendors such as Fortinet, F5, Drupal, Telerik, Microsoft (SharePoint, Windows, and Netlogon), Accellion, and VMware. Some have the highest possible threat level yet remain unhandled and unpatched in many enterprises.
CISA Advice: Patch Your Systems
The advice from CISA is clear:
“Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries’ use of known vulnerabilities complicates attribution, reduces costs, and minimizes risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known.”
Later the security alert added:
“Cyber actors continue to exploit publicly known — and often dated — software vulnerabilities against broad target sets, including public and private sector organizations worldwide. However, entities worldwide can mitigate the vulnerabilities … by applying the available patches to their systems and implementing a centralized patch management system.”
Tuearis's offers Threat and Vulnerability management programs, including remediation, specifically to address issues such as those identified by CISA.