Attackers are getting faster at exploiting recently disclosed software flaws, a new joint advisory from the UK's NCSC, US's CISA and Australia's ACSC notes, disclosing that of the 12 most exploited vulnerabilities in 2020, many were for bugs only patched by vendors that year. (By contrast, a similar list published in 2020 revealed that among the most exploited vulnerabilities of the past four years were an nine-year-old and a six-year-old bug.)
The single software vulnerability most exploited in the wild was a bug (CVE-2019-19781) in Citrix Application Delivery Controller (ADC) and Citrix Gateway -- first disclosed in an advisory on 17 December 2019, but with patches not available for all affected builds until 24 January 2020, the advisory notes.
See also: Millions of HP, Samsung, Xerox printers have a serious security flaw, unnoticed since 2005.
As the agencies noted in a joint advisory published July 28, 2021: "Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organization to conduct rigorous patch management." Exhortations from such agencies to patch regularly are increasingly vociferous and emphasise that they introduce "friction into foreign adversaries’ operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective."
The 12 most exploited vulnerabilities in 2020
Citrix | CVE-2019-19781 | Arbitrary code execution | CVSS: 9.8 | Exploit |
Pulse Secure | CVE 2019-11510 | Arbitrary file reading | CVSS: 10 | Exploit |
Fortinet | CVE 2018-13379 | Path traversal | CVSS: 9.8 | Exploit |
F5- Big IP | CVE 2020-5902 | RCE | CVSS: 9.8 | Exploit |
MobileIron | CVE 2020-15505 | RCE | CVSS: 9.8 | Exploit |
Microsoft | CVE-2017-11882 | RCE | CVSS: 9.3 | Exploit |
Atlassian | CVE-2019-11580 | RCE | CVSS: 9.4 | Exploit |
Drupal | CVE-2018-7600 | RCE | CVSS: 9.8 | Exploit |
Telerik | CVE 2019-18935 | RCE | CVSS: 9.8 | Exploit |
Microsoft | CVE-2019-0604 | RCE | CVSS: 9.8 | Exploit |
Microsoft | CVE-2020-0787 | Elevation of privilege | CVSS: 7.8 | Exploit |
Netlogon | CVE-2020-1472 | Elevation of privilege | CVSS: 10 | Exploit |
"Focusing scarce cyber defense resources on patching those vulnerabilities that cyber actors most often use offers the potential of bolstering network security while impeding our adversaries’ operations. For example, nation-state APTs in 2020 extensively relied on a single RCE vulnerability discovered in the Atlassian Crow, a centralized identity management and application (CVE-2019-11580)," the advisory notes.
" A concerted focus on patching this vulnerability could have a relative broad impact by forcing the actors to find alternatives, which may not have the same broad applicability to their target set. Additionally, attackers commonly exploit weak authentication processes, particularly in external-facing devices. Organizations should require MFA to remotely access networks from external sources, especially for administrator accounts."
Follow The Stack on LinkedIn
In addition to the 2020 CVEs listed above, organizations should prioritize patching for the following CVEs known to be exploited the agencies said.
- Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. Mitigation details in this CISA’s alert.
- Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900. Mitigation details in this CISA alert.
- Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104. Mitigation details in this NCSC advisory.
- VMware: CVE-2021-21985. Guidance in this VMware post.
- Fortinet: CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591. Mitigations in this FBI advisory.
Ilia Kolochenko, Founder of ImmuniWeb and a member of Europol Data Protection Experts Network noted that among the 12 most exploited vulnerabilities in 2020 were "pretty old" bugs from 2020 or even 2019 are often still exploitable in 2021 "due to persistent shadow IT or poor IT asset inventory... [but] most... are not directly related to working from home (WFH) trend and are also perfectly exploitable in a cloud environment."
He added: "Worse, many organizations now migrate to the cloud in a rush and without proper training of their IT teams, leaving their infrastructure vulnerable to cloud-specific attack vectors (e.g. compromising instance metadata services). Many of the incidents caused by the top vulnerabilities could have been prevented by maintaining proper cybersecurity hygiene, such as implementing holistic asset inventory and attack surface monitoring programs, combined with an agile patch management process."