Patching Conundrum: 5-Year-Old Flaw Again Tops Most-Hit List
Ensure You've Fixed These 12 Most Exploited Flaws, Cybersecurity Officials Urge

A five-year-old vulnerability in Fortinet SSL VPNs remains one of the most widely exploited flaws in enterprise networks, despite repeated patch warnings.
So say cybersecurity officials across the U.S. and its Five Eyes intelligence alliance partners in a new joint security advisory detailing the 12 most common vulnerabilities and exposures that were most "routinely and frequently exploited by malicious actors" in 2022.
The advisory from Australia, Canada, New Zealand, the U.K. and the U.S. also details 30 vulnerabilities that attackers frequently use to compromise organizations, as well as vulnerabilities' Common Weakness Enumeration, or CWE, referring to an encyclopedia of more than 600 types of software weaknesses.
Of the top 12 vulnerabilities detailed for 2022, four involve Microsoft software, two tie to VMware software, two to Atlassian software, and one each to F5 Networks and Zoho ManageEngine. The flaws also include Log4Shell, a vulnerability in the open-source logging utility Log4j, maintained by Apache.
"Every organization should be using this list to patch their systems and use it to guide their vulnerability management strategy," said Abigail Bradshaw, who heads the Australian Cyber Security Center.
Officials warn that by failing to patch these flaws in particular, network defenders are making life easier for attackers, be they advanced persistent threat groups backed by unfriendly governments, cybercriminals, self-proclaimed hacktivists or anyone else intent on causing mischief.
"Organizations continue using unpatched software and systems, leaving easily discovered openings for cyber actors to target," said Neal Ziring, the technical director for the U.S. National Security Agency's Cybersecurity Directorate. "Older vulnerabilities can provide low-cost and high-impact means for these actors to access sensitive data."
Vulnerability Management Challenges
Experts say organizations need to run vulnerability management programs that can properly identify all software being used in an enterprise, cross-index this with known vulnerabilities in the software and the actual risk they might pose, and set patch prioritizations accordingly. Such programs also need to take into account zero-day vulnerabilities that may already be getting exploited but for which no patch is yet available, and attempt to mitigate them via other means.
The disconnect between patch availability and organizations running software that's fully patched highlights just how challenging this discipline continues to be (see: The Decade in Vulnerabilities and Why They Persist).
Take the Fortinet SSL VPN flaw, designated CVE-2018-13379. The path traversal flaw, which researchers say is easy to exploit, was discovered in July 2018 and patched by Fortinet in May 2019. Attackers continued to target and successfully exploit it, leading the NSA in 2019 to issue a then-rare public alert urging users to patch the software. The same year, experts warned the software was being exploited by Chinese nation-state hackers and by 2020, ransomware-wielding attackers had joined the fray. The vulnerability has also appeared on every annual list of top threats issued by Five Eyes partners.
Hence, more than four years after Fortinet pushed a patch for its SSL VPN devices to fix the flaw, exploiting the vulnerability remains a reliable tactic for attackers seeking access to many corporate networks. "The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors," the advisory says.
Officials are also using the joint advisory to urge software developers not just to rapidly identify flaws and issue security fixes, but also to pursue more "secure by design" development practices so that fewer bugs end up in their software.
Eric Goldstein, executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency, called for "every technology provider to take accountability for the security outcomes of their customers by reducing the prevalence of these vulnerabilities by design."
Top 12 Routinely Exploited Vulnerabilities in 2022
CVE | Vendor | Product | Type | CWE
--- | --- | --- | --- | ---
CVE-2018-13379 | Fortinet | FortiOS and FortiProxy | SSL VPN credential exposure | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-34473 (ProxyShell) | Microsoft | Exchange Server | RCE |
CVE-2021-31207 (ProxyShell) | Microsoft | Exchange Server | Security Feature Bypass | CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-34523 (ProxyShell) | Microsoft | Exchange Server | Elevation of Privilege |
 | Zoho ManageEngine | ADSelfService Plus | RCE/Authentication Bypass |
 | Atlassian | Confluence Server and Data Center | Arbitrary code execution |
CVE-2021-44228 (Log4Shell) | Apache | Log4j2 | RCE | CWE-20 Improper Input Validation; CWE-400 Uncontrolled Resource Consumption
 | VMware | Workspace ONE Access and Identity Manager | RCE | CWE-94 Improper Control of Generation of Code ('Code Injection')
 | VMware | Workspace ONE Access, Identity Manager, and vRealize Automation | Improper Privilege Management |
 | F5 Networks | BIG-IP | Missing Authentication Vulnerability |
 | Microsoft | Multiple Products | RCE | None Listed
 | Atlassian | Confluence Server and Data Center | RCE |
Source: Five Eyes joint advisory