The UK, the US, and Australia have together published a list of the top thirty vulnerabilities and exposures that are routinely exploited by cyber criminals to target organisations worldwide.
The list of vulnerabilities, including remote code execution, elevation of privilege, and arbitrary code execution vulnerabilities, was published this Wednesday by GCHQ’s National Cyber Security Centre, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), and the U.S. Federal Bureau of Investigation (FBI).
These vulnerabilities affect widely used devices and software sold by well-known vendors, such as Microsoft, Citrix, Fortinet, Drupal, Atlassian, F5, and Pulse Secure. This year, cyber criminals have also targeted vulnerabilities in perimeter devices from the likes of Accellion, VMware, and Fortinet.
Even though security patches are available for all of these vulnerabilities, cyber attacks continue to succeed as many organisations fail to patch their devices and networks quickly enough. “Four of the most targeted vulnerabilities in 2020 affected remote work, VPNs, or cloud-based technologies. Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organisations to conduct rigorous patch management,” the joint advisory noted.
Here are the top thirty vulnerabilities identified by the agencies as the most-exploited ones since 2020:
| # | Product | Vendor | CVE | Severity | Vulnerability type |
|---|---|---|---|---|---|
| 1 | NetScaler (ADC/Gateway) directory traversal | Citrix | CVE-2019-19781 | Critical | Remote code execution |
| 2 | Pulse Connect Secure VPN | Pulse Secure | CVE-2019-11510 | Critical | Arbitrary file reading |
| 3 | FortiOS SSL VPN | Fortinet | CVE-2018-13379 | Critical | Path traversal |
| 4 | BIG-IP Traffic Management User Interface (TMUI) | F5 | CVE-2020-5902 | Critical | Remote code execution |
| 5 | MobileIron Core & Connector | MobileIron | CVE-2020-15505 | Critical | Remote code execution |
| 6 | Microsoft Exchange memory corruption | Microsoft | CVE-2020-0688 | High | Remote code execution |
| 7 | Atlassian Confluence Server and Data Center Widget Connector | Atlassian | CVE-2019-3396 | Critical | Server-side template injection |
| 8 | Microsoft Office | Microsoft | CVE-2017-11882 | High | Arbitrary code execution |
| 9 | Atlassian Crowd and Crowd Data Center | Atlassian | CVE-2019-11580 | Critical | Remote code execution |
| 10 | Drupal versions before 7.58 | Drupal | CVE-2018-7600 | Critical | Arbitrary code execution |
| 11 | Telerik User Interface (UI) for ASP.NET | Telerik | CVE-2019-18935 | Critical | Remote code execution |
| 12 | Microsoft SharePoint | Microsoft | CVE-2019-0604 | Critical | Arbitrary code execution |
| 13 | Windows Background Intelligent Transfer Service (BITS) | Microsoft | CVE-2020-0787 | High | Elevation of privilege |
| 14 | Windows Netlogon Remote Protocol (MS-NRPC) | Microsoft | CVE-2020-1472 | Critical | Domain impersonation (elevation of privilege) |
| 15 | Microsoft Exchange | Microsoft | CVE-2021-26855 | Critical | Remote code execution |
| 16 | Microsoft Exchange | Microsoft | CVE-2021-26857 | High | Remote code execution |
| 17 | Microsoft Exchange | Microsoft | CVE-2021-26858 | High | Remote code execution |
| 18 | Microsoft Exchange | Microsoft | CVE-2021-27065 | High | Remote code execution |
| 19 | Pulse Connect Secure VPN | Pulse Secure | CVE-2021-22893 | Critical | Authentication bypass |
| 20 | Pulse Connect Secure VPN | Pulse Secure | CVE-2021-22894 | High | Buffer overflow |
| 21 | Pulse Connect Secure VPN | Pulse Secure | CVE-2021-22899 | Critical | Remote code execution |
| 22 | Pulse Connect Secure VPN | Pulse Secure | CVE-2021-22900 | High | Unrestricted file upload |
| 23 | Accellion File Transfer Appliance | Accellion | CVE-2021-27101 | Critical | SQL injection |
| 24 | Accellion File Transfer Appliance | Accellion | CVE-2021-27102 | High | OS command execution |
| 25 | Accellion File Transfer Appliance | Accellion | CVE-2021-27103 | Critical | SSRF via a crafted POST request |
| 26 | Accellion File Transfer Appliance | Accellion | CVE-2021-27104 | Critical | OS command execution |
| 27 | VMware vCenter Server | VMware | CVE-2021-21985 | Critical | Remote code execution |
| 28 | Fortinet FortiOS | Fortinet | CVE-2018-13379 | Critical | Path traversal |
| 29 | Fortinet FortiOS | Fortinet | CVE-2020-12812 | Critical | Improper authentication |
| 30 | Fortinet FortiOS | Fortinet | CVE-2019-5591 | High | LDAP server impersonation |
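The advisory's value to a defender is as a prioritised patch list, and the first practical step is to turn the table into something a scanner or ticketing system can consume. The script below is an added example, not code from the agencies or from the article: it parses a handful of rows copied in the page's own flattened pipe format, normalises the inconsistently written CVE IDs (the page has both `CVE-2019-19781` and `CVE 2019-11510`), drops the duplicate entry for CVE-2018-13379, and flags which assets in a constructed inventory belong to a listed vendor. The inventory, host names and the choice to match on vendor are assumptions for illustration; the page gives no affected-version ranges, so a vendor hit means "check this box against the vendor advisory", not "this box is vulnerable".

```python
"""Turn the joint advisory's top-30 table into a vendor-keyed patch checklist.

Added example: parses rows in the flattened pipe format used on the page,
normalises CVE identifiers, de-duplicates them and matches an asset
inventory against the listed vendors.
"""
import re
from collections import defaultdict

# Excerpt of the page's table rows, copied verbatim in the flattened
# |rank||product||vendor||cve||severity||type| form (not the full table).
TABLE_EXCERPT = """\
|1||Netscaler Directory Traversal||Citrix||CVE-2019-19781||Critical||Remote code execution|
|2||Pulse Secure Connect VPN||Pulse||CVE 2019-11510||Critical||Arbitrary file reading|
|3||FortioOS Secure Socket Layer VPN||Fortinet||CVE 2018-13379||Critical||Path traversal|
|15||Microsoft Exchange||Microsoft||CVE-2021-26855||Critical||Remote code execution|
|19||Pulse Connect Secure VPN||Pulse||CVE-2021-22893||Critical||Authentication bypass|
|28||Fortinet FortiOS||Fortinet||CVE-2018-13379||Critical||Path traversal|
"""

# Constructed inventory (hostname, vendor) for illustration only.
INVENTORY = [
    ("vpn-gw-01", "Fortinet"),
    ("mail-01", "Microsoft"),
    ("fw-edge", "Palo Alto"),   # vendor not on the list: should not be flagged
]

# Accepts "CVE-2019-11510" and the page's sloppier "CVE 2019-11510".
CVE_RE = re.compile(r"CVE[\s-]?(\d{4})[\s-](\d{4,})", re.IGNORECASE)


def normalise_cve(text):
    """Return the canonical CVE-YYYY-NNNN form, or raise if none is present."""
    match = CVE_RE.search(text)
    if not match:
        raise ValueError(f"no CVE identifier in {text!r}")
    return f"CVE-{match.group(1)}-{match.group(2)}"


def parse_rows(table):
    """Parse flattened |a||b||c| rows into dicts; skip anything malformed."""
    rows = []
    for line in table.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("||")]
        if len(cells) != 6:
            continue
        rank, product, vendor, cve, severity, vuln_type = cells
        rows.append({
            "rank": int(rank), "product": product, "vendor": vendor,
            "cve": normalise_cve(cve), "severity": severity, "type": vuln_type,
        })
    return rows


def dedupe(rows):
    """Keep the first (highest-ranked) row for each CVE."""
    first_seen = {}
    for row in rows:
        first_seen.setdefault(row["cve"], row)
    return list(first_seen.values())


def match_inventory(rows, inventory):
    """Map each asset whose vendor appears in the list to that vendor's CVEs."""
    by_vendor = defaultdict(list)
    for row in rows:
        by_vendor[row["vendor"].lower()].append(row["cve"])
    hits = {}
    for asset, vendor in inventory:
        cves = by_vendor.get(vendor.lower())
        if cves:
            hits[asset] = cves
    return hits


if __name__ == "__main__":
    checklist = dedupe(parse_rows(TABLE_EXCERPT))
    for asset, cves in match_inventory(checklist, INVENTORY).items():
        print(f"{asset}: verify patch level for {', '.join(cves)}")
```

Matching on vendor is deliberately coarse: the table identifies products, not version ranges, so the script's job is to produce the list of boxes someone must check against the vendor's own advisory, and to make sure a CVE written two different ways on the page is counted once.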
Commenting on the list of the most-exploited vulnerabilities released this week, Jason Garbis, Chief Product Officer at Appgate, says that it’s unsurprising to see VPNs listed in the NCSC joint advisory as being some of the top, most targeted vulnerabilities of 2020 and 2021.
“VPN appliances have always been a security concern, and in the past year, these concerns have escalated. The COVID-19 pandemic dramatically increased VPN usage, with more employees having access to it and more systems newly exposed to remote access. Attackers are aware of that, so we have naturally observed an increase in attacks on VPNs.
“Organisations need to recognise that VPNs are remote access tools, not information security tools. They need to shift to a Zero Trust approach where all network resources (including remote access entry points) are hidden from unauthorised users, multi-factor authentication is enforced, and limiting user access to what a person needs to do their job is used across the company.
“We recommend replacing legacy VPNs with a Software-Defined Perimeter. This allows organisations to implement strong security policies for each system the employee tries to access, have different requirements depending on the employee’s role, the device used, and the system needed, and limits access to only what is needed to perform a job function,” he adds.