Get patching: US, UK, and Australia issue joint advisory on top 30 exploited vulnerabilities

Majority of top vulnerabilities targeted last year were disclosed in the past two years, agencies from the United States, United Kingdom, and Australia have said, with Microsoft Office CVE dating from 2017.
Written by Chris Duckett, Contributor
Image: Shutterstock

At the end of almost seven months in 2021, one of the 30 most exploited vulnerabilities dates from 2017, according to the US Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the US FBI.

CVE-2017-11882 is the holder of the dubious honour, and it is due to a stack buffer overflow in the equation editor of Microsoft Office, which can lead to remote code execution (RCE). It is an exploit that vendors have been banging on about for years already.

The quartet of agencies said on Wednesday that the easiest way to fix this hole, and the 29 others listed, would be to patch systems.

"Cyber actors continue to exploit publicly known -- and often dated -- software vulnerabilities against broad target sets, including public and private sector organisations worldwide. However, entities worldwide can mitigate the vulnerabilities ... by applying the available patches to their systems and implementing a centralised patch management system," the quartet stated.

"Malicious cyber actors will most likely continue to use older known vulnerabilities, such as CVE-2017-11882 affecting Microsoft Office, as long as they remain effective and systems remain unpatched. Adversaries' use of known vulnerabilities complicates attribution, reduces costs, and minimises risk because they are not investing in developing a zero-day exploit for their exclusive use, which they risk losing if it becomes known."

The top 30 list is broken down into 14 historical CVEs from 2020 and earlier, and 16 from the current year.

The list of historical vulnerabilities is led by four CVEs related to cloud, remote work, or VPNs.

"Many VPN gateway devices remained unpatched during 2020, with the growth of remote work options challenging the ability of organisation to conduct rigorous patch management," the agencies said.

As well as patching, the agencies said best practice involved adhering to Australia's Essential Eight mitigation strategies.

Historical vulnerabilities

Citrix: CVE-2019-19781
Topping the historical list is the Citrix NetScaler RCE that appeared over Christmas in 2019. This one should hit close to home for Australia as it was used to access a Defence recruitment database.

Pulse: CVE-2019-11510
Taking the silver medal is a directory traversal vulnerability in Pulse Secure Connect that can result in arbitrary file disclosure and leaks of admin credentials.

"Once compromised, an attacker can run arbitrary scripts on any host that connects to the VPN. This could lead to anyone connecting to the VPN as a potential target to compromise," the agencies said.

"The CVE-2019-11510 vulnerability in Pulse Connect Secure VPN was also frequently targeted by nation-state APTs. Actors can exploit the vulnerability to steal the unencrypted credentials for all users on a compromised Pulse VPN server and retain unauthorised credentials for all users on a compromised Pulse VPN server and can retain unauthorised access after the system is patched unless all compromised credentials are changed."

That sounds nice.

Fortinet: CVE-2018-13379
Fresh from a May warning is Fortinet's version of a directory traversal bug that can lead to an attacker gaining usernames and passwords.

"Multiple malware campaigns have taken advantage of this vulnerability. The most notable being Cring ransomware (also known as Crypt3, Ghost, Phantom, and Vjszy1lo)," the agencies warned.

F5- Big IP: CVE-2020-5902
When it was announced, this CVE scored a perfect 10 -- so it is a big deal. It involved the traffic management user interface allowing any old user gain access; they didn't need to be authenticated to execute arbitrary commands, create or delete files, disable services, or run arbitrary Java.

"This vulnerability may result in complete system compromise," is how the agencies understated the threat.

MobileIron: CVE-2020-15505
Getting sick of unprivileged attackers remotely executing code on your MobileIron kit? Well, you were warned in November.

Microsoft Exchange: CVE-2020-0688
Welcome to the list Microsoft Exchange -- we've been expecting you. This vulnerability from early 2020 occurred because Exchange servers failed to create a unique cryptographic key for the Exchange control panel at install time, which resulted in attackers being able to use malformed requests to run code under the SYSTEM context. Small solace could be found in knowing authentication was needed to run this exploit.

Atlassian Confluence: CVE-2019-3396
If you are getting flashbacks from many vulnerabilities on this list, that's because the NSA tried to warn people last October.

Not to be left out of path traversal, and remote code execution antics of other vendors, this old Atlassian Confluence vulnerability adds a touch of server-side template injection.

The big question though is do you have to log the patch to Confluence as a task in JIRA? It bears not thinking about.

Microsoft Office: CVE-2017-11882
This is the oldest bug on the list, related to the equation editor, mentioned at the start of this piece. Scroll up.

Atlassian Crowd: CVE-2019-11580
Attackers can use this vulnerability to install arbitrary plugins, which can lead to remote code execution. The agencies called out this vulnerability specifically.

"Focusing scarce cyber defence resources on patching those vulnerabilities that cyber actors most often use offers the potential of bolstering network security while impeding our adversaries' operations," they said.

"For example, nation-state APTs in 2020 extensively relied on a single RCE vulnerability discovered in the Atlassian Crowd, a centralised identity management and application (CVE-2019-11580) in its reported operations.

"A concerted focus on patching this vulnerability could have a relative broad impact by forcing the actors to find alternatives, which may not have the same broad applicability to their target set."

Drupal: CVE-2018-7600
Remember Drupalgeddon2? A lack of input sanitation from the hook-crazed Drupal codebase can lead to an unauthenticated attacker gaining remote code execution.

Naturally, malware campaigns including monero mining and having sites used as parts of botnets quickly followed.

Telerik: CVE-2019-18935
A hole in the sanitisation of serialized input in the Telerik framework used by ASP.NET apps can lead to RCE. Once again, cryptojacking was not far behind.

Microsoft Sharepoint: CVE-2019-0604
To keep with the recent theme, Sharepoint had a vulnerability when deserializing XML due to a lack of sanitisation, which could lead to remote code execution.

Microsoft Windows Background Intelligent Transfer Service: CVE-2020-0787
Due to improperly handling symbolic links, an attacker could use this vulnerability to execute arbitrary code with system-level privileges.

Microsoft Netlogon: CVE-2020-1472
When announced, it was reported as one of the most severe bugs ever, and with a CVSS score of 10, it was little wonder.

Also known as Zerologon, the vulnerability allows an unauthenticated attacker to impersonate a computer on a domain, with the potential to disable security features in the Netlogon authentication process, and gain domain administrator privileges.

"Threat actors were seen combining the MobileIron CVE-2020-15505 vulnerability for initial access, then using the Netlogon vulnerability to facilitate lateral movement and further compromise of target networks," the agencies said.

"A nation-state APT group has been observed exploiting this vulnerability."

The class of 2021

Compared to the vulnerabilities from years prior, the 2021 group are nicely grouped together and mostly related to a single product, so without any further ado.

Microsoft Exchange: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065
These vulnerabilities are the ones that NATO, the United States, European Union, United Kingdom, Australia, Canada, New Zealand, and Japan recently said were attributed to China, and were the exploits where the FBI decided it needed to blast away web shells on US servers.

CVE-2021-26855 allowed an unauthenticated attacker, if they could connect to port 443, to exploit the Exchange control panel via a server-side request forgery that would allow them to send arbitrary HTTP requests, authenticate as the Exchange Server, and gain access to mailboxes.

CVE-2021-26857 used insecure deserialization to gain RCE, while the final two used a post-authentication arbitrary file write vulnerability that could lead to RCE.

Pulse Secure: CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, CVE-2021-22900
Appearing in March, the first CVE scored a full 10 marks for enabling a remote unauthenicated user to execute arbitrary code, while the second and third CVE were close behind on 9.9 and related to remote authenticated users being able to execute arbitrary code. In the case of CVE-2021-22894, this was as the root user.

CVE-2021-22900 scored a more modest 7.2, and related to an authenticated administrator to performing a file write thanks to a maliciously crafted archive uploaded via the administrator web interface.

Accellion: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104
The hacks that occurred via Accellion FTA file transfer service seem to keep coming, with victims including the Reserve Bank of New Zealand, the Australian Securities and Investments Commission, Singtel, and many other organisations around the world.

In February, Accellion said it would retire the vulnerable product.

VMware: CVE-2021-21985
The recent vulnerability hitting vCenter Server and Cloud Foundation that allows for RCE also made the cut. When announced, VMware warned that since the attacker only needs to be able to hit port 443 to conduct the attack, firewall controls are the last line of defence for users.

Fortinet: CVE-2018-13379, CVE-2020-12812, CVE-2019-5591
That's right, CVE-2018-13379 made both lists. What an honour.

Related Coverage

Editorial standards