AA23-215A: 2022’s Top Routinely Exploited Vulnerabilities


A joint Cybersecurity Advisory collaborated on by multiple international agencies highlights the top routinely exploited vulnerabilities of 2022

Background

On August 3, a joint Cybersecurity Advisory (CSA), AA23-215A, coauthored by multiple U.S. and international agencies was released to highlight the top routinely exploited vulnerabilities of 2022. The list contains 42 Common Vulnerabilities and Exposures (CVEs) known to be exploited by malicious actors. The advisory urges organizations to patch these known and exploitable vulnerabilities as soon as possible and provides mitigation recommendations. Because many of these flaws have been exploited for years, the CSA also encourages organizations to investigate any devices that remain unpatched for indicators of compromise rather than assuming a late patch closed the window.

As we’ve explored in our 2022 Threat Landscape Report (TLR), known and exploitable vulnerabilities remain one of the most persistent threats to organizations. Known vulnerabilities took the top spot in our list of the top five vulnerabilities of 2022 because of the prevalence with which attackers have successfully exploited these unpatched flaws. The joint CSA recognizes this as well, adding that these malicious attackers have targeted “older software vulnerabilities rather than recently disclosed vulnerabilities,” while also highlighting the significance of vulnerabilities in internet-facing systems.

Analysis

As we examined the list of 42 CVEs in the CSA, many have been featured in past blogs and alerts from Tenable Research as well as included in our 2020, 2021 and 2022 TLR. In the tables below, we have split up the vulnerabilities into sections based on vendor or product types.

Microsoft Exchange Server

Vulnerabilities in Microsoft Exchange Server, frequently leading to privilege escalation (elevation of privilege or EoP) or remote code execution (RCE), are particularly useful for initial access into targeted networks and have been leveraged by multiple unique ransomware groups/strains and numerous advanced persistent threat (APT) actors. In fact, CVE-2021-26855 (ProxyLogon) was the number one vulnerability in the top five vulnerabilities in our 2021 TLR while CVE-2021-34473 (ProxyShell) took fifth place in the 2022 TLR.

| CVE | Description | CVSSv3 | VPR |
|---|---|---|---|
| CVE-2021-26855 | Microsoft Exchange Server Server-Side Request Forgery (SSRF) Vulnerability (ProxyLogon) | 9.8 | 9.8 |
| CVE-2021-26857 | Microsoft Exchange Server RCE (ProxyLogon) | 7.8 | 7.4 |
| CVE-2021-26858 | Microsoft Exchange Server RCE (Arbitrary File Write) | 7.8 | 7.4 |
| CVE-2021-27065 | Microsoft Exchange Server RCE (Arbitrary File Write) | 7.8 | 9.8 |
| CVE-2021-31207 | Microsoft Exchange Server Security Feature Bypass Vulnerability (Part of ProxyShell) | 6.6 | 9.0 |
| CVE-2021-34473 | Microsoft Exchange Server RCE (ProxyShell) | 9.8 | 9.0 |
| CVE-2021-34523 | Microsoft Exchange Server EoP (Part of ProxyShell) | 9.8 | 8.4 |
| CVE-2022-41082 | Microsoft Exchange Server RCE (ProxyNotShell) | 8.8 | 9.4 |

Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are recalculated nightly. This blog post was published on August 3 and reflects VPR at that time; the scores in the tables below may have changed since.

Microsoft Office

Vulnerabilities in Microsoft Office products are frequently used by threat actors to gain a foothold in a target network by attaching malicious documents to phishing or spear phishing emails. CVE-2017-0199 and CVE-2017-11882, both disclosed in 2017, are among the oldest vulnerabilities in the advisory, yet attackers still exploit them because many organizations have not applied patches that have been available for years.

| CVE | Description | CVSSv3 | VPR |
|---|---|---|---|
| CVE-2017-0199 | Microsoft Office/WordPad RCE | 7.8 | 9.8 |
| CVE-2017-11882 | Microsoft Office Memory Corruption Vulnerability | 7.8 | 9.8 |

Additional Microsoft Vulnerabilities

The other Microsoft CVEs on this list include some of the best-known “named” vulnerabilities of recent years. CVE-2020-1472 (Zerologon) was the number one vulnerability in the top five of our 2020 TLR and also took fifth place in our 2021 TLR. CVE-2019-0708 (BlueKeep) received an honorable mention in our 2020 TLR, while CVE-2022-30190 (Follina) took the third spot in the top five of our 2022 TLR.

| CVE | Description | CVSSv3 | VPR |
|---|---|---|---|
| CVE-2019-0708 | Microsoft Remote Desktop Services RCE (BlueKeep) | 9.8 | 9.7 |
| CVE-2020-1472 | EoP vulnerability in Windows Netlogon (Zerologon) | 10.0 | 10.0 |
| CVE-2022-30190 | Microsoft Windows Support Diagnostic Tool (MSDT) RCE (Follina) | 7.8 | 9.8 |
| CVE-2022-22047 | Windows Client Server Run-time Subsystem (CSRSS) EoP | 7.8 | 9.2 |

Apache Products

The CSA features five CVEs in Apache products: three in Apache HTTP Server and two in the now infamous Log4j 2 logging library. While there is much to be said about Log4j, for brevity we recommend visiting the Tenable Log4j page for the blogs and resources covering Log4Shell and its related vulnerabilities.

SSL VPN Devices

Vulnerabilities impacting SSL VPN devices continue to have a major impact, as they are routinely exploited by APTs and ransomware gangs against organizations around the world. Three of the top five vulnerabilities in the 2020 TLR were in SSL VPN devices. Many of these vulnerabilities have been included in multiple U.S. and international government agency alerts over the years. Because these devices are internet facing, handle authentication credentials and are critical to business operations, they are an ideal doorway into organizations, and patching them should be a top priority.

| CVE | Description | CVSSv3 | VPR |
|---|---|---|---|
| CVE-2018-13379 | Fortinet FortiOS SSL VPN Web Portal Information Disclosure | 9.8 | 9.4 |
| CVE-2019-11510 | Pulse Connect Secure Arbitrary File Disclosure | 10.0 | 8.1 |
| CVE-2019-19781 | Citrix Application Delivery Controller (ADC) and Gateway Directory Traversal | 9.8 | 9.4 |
| CVE-2022-42475 | Fortinet FortiOS SSL-VPN Heap-Based Buffer Overflow | 9.8 | 9.5 |
| CVE-2022-40684 | Fortinet FortiOS Authentication Bypass Vulnerability | 9.8 | 9.2 |

Many of the remaining flaws in the CSA are found in internet-facing products, which makes them more susceptible to attack. Organizations that run these products should therefore prioritize remediating the following vulnerabilities:

SonicWall Products

| CVE | Description | CVSSv3 | VPR |
|---|---|---|---|
| CVE-2021-20016 | SQL injection vulnerability in SonicWall Secure Mobile Access (SMA) 100 | 9.8 | 7.4 |
| CVE-2021-20021 | SonicWall Email Security Improper Privilege Management Vulnerability | 9.8 | 7.4 |
| CVE-2021-20038 | SonicWall Secure Mobile Access (SMA) 100 Unauthenticated Stack-Based Buffer Overflow | 9.8 | 7.4 |

Atlassian Confluence Server and Data Center

| CVE | Description | CVSSv3 | VPR |
|---|---|---|---|
| CVE-2021-26084 | Atlassian Confluence Server and Data Center Object-Graph Navigation Language (OGNL) Injection | 9.8 | 9.7 |
| CVE-2022-26134 | Atlassian Confluence Server and Data Center OGNL Injection | 9.8 | 9.7 |

VMware Products

| CVE | Description | CVSSv3 | VPR |
|---|---|---|---|
| CVE-2022-22963 | VMware Tanzu Spring Cloud RCE | 9.8 | 9.7 |
| CVE-2022-22954 | VMware Workspace ONE Access and Identity Manager RCE | 9.8 | 9.6 |
| CVE-2022-22960 | VMware Workspace ONE Access, Identity Manager and vRealize Automation Privilege Escalation Vulnerability | 7.8 | 7.4 |

Oracle WebLogic Server

| CVE | Description | CVSSv3 | VPR |
|---|---|---|---|
| CVE-2020-14882 | Oracle WebLogic Server Console Component RCE | 9.8 | 9.2 |
| CVE-2020-14883 | Oracle WebLogic Server Console Component RCE | 7.2 | 8.4 |

Additional Vendors and Products

| CVE | Description | CVSSv3 | VPR |
|---|---|---|---|
| CVE-2020-5902 | F5 BIG-IP Directory Traversal Vulnerability | 9.8 | 9.2 |
| CVE-2022-1388 | F5 BIG-IP Authentication Bypass Vulnerability | 9.8 | 9.5 |
| CVE-2021-40539 | ManageEngine ADSelfService Plus REST API Authentication Bypass | 9.8 | 9.2 |
| CVE-2022-29464 | WSO2 RCE (Arbitrary File Upload) | 9.8 | 9.6 |
| CVE-2022-27593 | QNAP NAS Externally Controlled Reference Vulnerability | 9.1 | 6.7 |
| CVE-2022-22536 | SAP Internet Communication Manager (ICM) HTTP Request Smuggling Vulnerability | 10.0 | 8.1 |
| CVE-2022-24682 | Zimbra Collaboration Suite Cross Site Scripting Vulnerability | 6.1 | 4.6 |
| CVE-2022-27924 | Zimbra Collaboration Suite Command Injection Vulnerability | 7.5 | 5.1 |

Solution

Patches are available from the respective vendors for all 42 CVEs featured in this CSA, and applying them should be prioritized. Where patching cannot be performed immediately, the CSA offers interim mitigation guidance for end-user organizations, as well as separate guidance for vendors and developers, including recommendations and resources for securing their products and networks.

We recommend all organizations review the CSA and we emphasize the importance of prioritizing patching of all the vulnerabilities listed.

Identifying affected systems

A list of Tenable plugins to identify these vulnerabilities can be found here. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.

In addition to these plugins, many of these vulnerabilities have been featured in our annual TLR report. Our 2022 TLR scan template can be used to scan for all of the vulnerabilities featured in our 2022 report.

Not every vulnerability listed in the CSA is covered by that scan template. For more targeted scanning, we recommend configuring a custom scan policy that enables the plugins specific to the products on your network, so that assets which remain unpatched are identified quickly.
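Once a scanner has produced findings, the practical question is which hosts to fix first. The script below is an added example, not Tenable's code or a Tenable plugin: it cross-references a scan export against a subset of the advisory's CVEs, using the CVSSv3 and VPR values from the tables above (VPR as of August 3), and orders remediation by the page's own emphasis: internet-facing assets first, then VPR, then CVSSv3. The CSV export format, the hostnames, the `internet_facing` tag and the ordering rule are assumptions constructed for illustration; a real export will have whatever columns your scanner emits.

```python
"""Triage scan findings against the AA23-215A CVE set (added example, not Tenable's code).

The CVE IDs, CVSSv3 and VPR values below are copied from the tables in this post.
The CSV layout, hostnames and the internet_facing tag are constructed for illustration.
"""
import csv
import io
from collections import defaultdict

# CVE -> (product, CVSSv3, VPR as of August 3, 2023). Subset of the advisory's 42 CVEs.
AA23_215A = {
    "CVE-2021-26855": ("Microsoft Exchange Server", 9.8, 9.8),
    "CVE-2021-34473": ("Microsoft Exchange Server", 9.8, 9.0),
    "CVE-2022-41082": ("Microsoft Exchange Server", 8.8, 9.4),
    "CVE-2017-0199": ("Microsoft Office", 7.8, 9.8),
    "CVE-2017-11882": ("Microsoft Office", 7.8, 9.8),
    "CVE-2020-1472": ("Windows Netlogon", 10.0, 10.0),
    "CVE-2019-0708": ("Remote Desktop Services", 9.8, 9.7),
    "CVE-2022-30190": ("MSDT", 7.8, 9.8),
    "CVE-2018-13379": ("Fortinet FortiOS SSL VPN", 9.8, 9.4),
    "CVE-2022-42475": ("Fortinet FortiOS SSL VPN", 9.8, 9.5),
    "CVE-2022-40684": ("Fortinet FortiOS", 9.8, 9.2),
    "CVE-2019-11510": ("Pulse Connect Secure", 10.0, 8.1),
    "CVE-2019-19781": ("Citrix ADC and Gateway", 9.8, 9.4),
    "CVE-2021-26084": ("Atlassian Confluence", 9.8, 9.7),
    "CVE-2022-26134": ("Atlassian Confluence", 9.8, 9.7),
    "CVE-2022-1388": ("F5 BIG-IP", 9.8, 9.5),
    "CVE-2021-40539": ("ManageEngine ADSelfService Plus", 9.8, 9.2),
    "CVE-2022-24682": ("Zimbra Collaboration Suite", 6.1, 4.6),
}

# Constructed scan export (hypothetical hosts). One finding per row.
# CVE-2014-0160 is a real CVE that is NOT in the advisory; it must be filtered out.
SAMPLE_EXPORT = """\
host,cve,internet_facing
vpn-01.example.test,CVE-2018-13379,yes
vpn-01.example.test,CVE-2022-42475,yes
mail-01.example.test,CVE-2021-26855,yes
mail-01.example.test,CVE-2021-34473,yes
mail-01.example.test,CVE-2014-0160,yes
dc-01.example.test,CVE-2020-1472,no
wiki-01.example.test,CVE-2022-26134,yes
ws-042.example.test,CVE-2017-11882,no
ws-042.example.test,CVE-2022-30190,no
"""


def parse_export(text):
    """Parse the CSV export into a list of row dicts (host, cve, internet_facing)."""
    return list(csv.DictReader(io.StringIO(text)))


def match_advisory(findings, catalog=AA23_215A):
    """Keep only findings whose CVE is in the advisory, attaching product, CVSSv3 and VPR."""
    matched = []
    for row in findings:
        cve = row["cve"].strip().upper()
        if cve not in catalog:
            continue  # not one of the advisory's CVEs; handle it through normal prioritization
        product, cvss, vpr = catalog[cve]
        matched.append({
            "host": row["host"].strip(),
            "cve": cve,
            "product": product,
            "cvss": cvss,
            "vpr": vpr,
            "internet_facing": row.get("internet_facing", "").strip().lower() == "yes",
        })
    return matched


def prioritize(matched):
    """Remediation order: internet-facing first, then higher VPR, then higher CVSSv3, then CVE id."""
    return sorted(
        matched,
        key=lambda m: (not m["internet_facing"], -m["vpr"], -m["cvss"], m["cve"]),
    )


def hosts_by_priority(matched):
    """Group matched CVEs per host; dict order follows each host's highest-priority finding."""
    grouped = defaultdict(list)
    for m in prioritize(matched):
        grouped[m["host"]].append(m["cve"])
    return dict(grouped)


if __name__ == "__main__":
    matched = match_advisory(parse_export(SAMPLE_EXPORT))
    for rank, m in enumerate(prioritize(matched), start=1):
        exposure = "internet-facing" if m["internet_facing"] else "internal"
        print(f"{rank:2d}. {m['host']:22s} {m['cve']:15s} VPR {m['vpr']:4.1f} "
              f"CVSS {m['cvss']:4.1f} {m['product']} ({exposure})")
```

The ordering rule is deliberately simple and is a choice, not a standard: VPR already folds in exploit maturity, so it outranks the static CVSS score, and the internet-facing flag is placed above both because the advisory and this post single out exposed devices as the most common entry point. Swap in your own asset tags or an exploited-in-the-wild feed if you have one.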

Get more information

Additional Tenable Blog Coverage

| CVE(s) | Tenable Blog Post(s) |
|---|---|
| CVE-2018-13379 | CVE-2018-13379, CVE-2019-11510: FortiGate and Pulse Connect Secure Vulnerabilities Exploited In the Wild |
| CVE-2018-13379 | CVE-2018-13379, CVE-2019-5591, CVE-2020-12812: Fortinet Vulnerabilities Targeted by APT Actors |
| CVE-2019-0708 | Critical ‘BlueKeep’ Vulnerability CVE-2019-0708 Addressed in Patch Tuesday Updates |
| CVE-2019-0708 | WatchBog Malware Adds BlueKeep Scanner (CVE-2019-0708), New Exploits (CVE-2019-10149, CVE-2019-11581) |
| CVE-2019-0708 | CVE-2019-0708: BlueKeep Exploits Could Be Around the Corner |
| CVE-2019-0708 | CVE-2019-0708: BlueKeep Exploited in the Wild to Deliver Cryptocurrency Miner |
| CVE-2019-11510 | CVE-2019-11510: Proof of Concept Available for Arbitrary File Disclosure in Pulse Connect Secure |
| CVE-2019-11510 | CVE-2018-13379, CVE-2019-11510: FortiGate and Pulse Connect Secure Vulnerabilities Exploited In the Wild |
| CVE-2019-11510 | CVE-2019-11510: Critical Pulse Connect Secure Vulnerability Used in Sodinokibi Ransomware Attacks |
| CVE-2019-19781 | CVE-2019-19781: Exploit Scripts for Remote Code Execution Vulnerability in Citrix ADC and Gateway Available |
| CVE-2019-19781 | CVE-2019-19781: Critical Vulnerability in Citrix ADC and Gateway Sees Active Exploitation While Patches are Still Not Available |
| CVE-2020-1472 | CVE-2020-1472: ‘Zerologon’ Vulnerability in Netlogon Could Allow Attackers to Hijack Windows Domain Controller |
| CVE-2020-1472 | CVE-2020-1472: Advanced Persistent Threat Actors Use Zerologon Vulnerability In Exploit Chain with Unpatched Vulnerabilities |
| CVE-2020-1472 | CVE-2020-1472: Microsoft Finalizes Patch for Zerologon to Enable Enforcement Mode by Default |
| CVE-2020-14882 | CVE-2020-14882: Oracle WebLogic Remote Code Execution Vulnerability Exploited in the Wild |
| CVE-2020-5902 | CVE-2020-5902: Critical Vulnerability in F5 BIG-IP Traffic Management User Interface (TMUI) Actively Exploited |
| CVE-2021-20016 | CVE-2021-20016: Zero-Day Vulnerability in SonicWall Secure Mobile Access (SMA) Exploited in the Wild |
| CVE-2021-20038 | SonicWall Urges Users to Patch Several Vulnerabilities in Secure Mobile Access Products (CVE-2021-20038) |
| CVE-2021-26084 | CVE-2021-26084: Atlassian Confluence OGNL Injection Vulnerability Exploited in the Wild |
| CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 | CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065: Four Zero-Day Vulnerabilities in Microsoft Exchange Server Exploited in the Wild |
| CVE-2021-31207, CVE-2021-34473, CVE-2021-34523 | ProxyShell: Attackers Actively Scanning for Vulnerable Microsoft Exchange Servers (CVE-2021-34473) |
| CVE-2021-40539 | CVE-2021-44515: ZoHo Patches ManageEngine Zero-Day Exploited in the Wild |
| CVE-2021-41773 | CVE-2021-41773: Path Traversal Zero-Day in Apache HTTP Server Exploited |
| CVE-2021-44228 | CVE-2021-44228: Proof-of-Concept for Critical Apache Log4j Remote Code Execution Vulnerability Available (Log4Shell) |
| CVE-2021-44228 | CVE-2021-44228, CVE-2021-45046, CVE-2021-4104: Frequently Asked Questions About Log4Shell and Associated Vulnerabilities |
| CVE-2021-45046 | CVE-2021-44228, CVE-2021-45046, CVE-2021-4104: Frequently Asked Questions About Log4Shell and Associated Vulnerabilities |
| CVE-2022-1388 | CVE-2022-1388: Authentication Bypass in F5 BIG-IP |
| CVE-2022-22047 | Microsoft’s July 2022 Patch Tuesday Addresses 84 CVEs (CVE-2022-22047) |
| CVE-2022-22536 | CVE-2022-22536: SAP Patches Internet Communication Manager Advanced Desync (ICMAD) Vulnerabilities |
| CVE-2022-22954, CVE-2022-22960 | VMware Patches Multiple Vulnerabilities in Workspace ONE, Identity and Lifecycle Manager and vRealize (VMSA-2022-0011) |
| CVE-2022-26134 | CVE-2022-26134: Zero-Day Vulnerability in Atlassian Confluence Server and Data Center Exploited in the Wild |
| CVE-2022-30190 | CVE-2022-30190: Zero Click Zero Day in Microsoft Support Diagnostic Tool Exploited in the Wild |
| CVE-2022-30190 | Microsoft’s June 2022 Patch Tuesday Addresses 55 CVEs (CVE-2022-30190) |
| CVE-2022-40684 | CVE-2022-40684: Critical Authentication Bypass in FortiOS and FortiProxy |
| CVE-2022-41082 | CVE-2022-41040 and CVE-2022-41082: ProxyShell Variant Exploited in the Wild |
| CVE-2022-42475 | CVE-2022-42475: Fortinet Patches Zero Day in FortiOS SSL VPNs |

Join Tenable’s Security Response Team on the Tenable Community.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.