CISA Releases a Directive Asking Organizations to Patch Known Exploited Vulnerabilities
Posted on Nov 22, 2021 | By Surojoy Gupta
On November 3, 2021, CISA issued a directive for all organizations encouraging them to prioritize patching for a list of known exploited vulnerabilities (KEV). On November 18, 2021, CISA added five more vulnerabilities to the list. Our analysis includes these new vulnerabilities as well.
The document, titled BOD-22-01, puts out a clear message to all organizations across the United States and third parties to concentrate on fixing the 291 listed issues at hand before prioritizing other vulnerabilities.
Our analysis of the 291 CVEs highlighted by CISA shows that these include 107 remote code execution and privilege escalation vulnerabilities of which 29 are actively trending in the wild. Demonstrating the importance of this list further, it is interesting to note that of the 291 CISA CVEs, 57 have APT group associations, 54 are actively exploited by ransomware families, and 35 CVEs have been prioritized by CSW experts for further in-depth research.
CSW Has Called Out More Than 50% of Vulnerabilities Listed by CISA
CSW’s researchers have called out 190 of the 291 vulnerabilities in the past through detailed blogs, exhaustive coverage of patch watch news items, and comprehensive reports.
The detailed Ransomware Spotlight Report 2021 and its subsequent index updates, Q1 to Q3, have warned about 53 of 54 vulnerabilities that have ransomware associations and are highlighted to be patched on priority.
CVEs That Should Be Patched in 2021
Here is a list of CVEs that have been highlighted by the CISA directive to be patched before 2022:
Top 10 Critical CVEs
There are a total of 103 critical vulnerabilities in the list published by CISA. Our researchers took an in-depth look at some of the major vulnerabilities that were mentioned. Here is the analysis:
The Most Affected Vendors—Top Five
Our security analysts made a tally of the most affected vendors and the products that stood out as the most vulnerable out of the total count of CVEs. Take a look at our analysis.
With 82 CVEs, Microsoft dominates the list with 55% of the total, with Microsoft Exchange Server being the product having the most number of vulnerabilities.
Apple and Google share almost equal slices of the pie at 15.6 and 15.0 percent. Apple’s most affected product is iOS, while it is Chrome for Google.
With 11 CVEs, mostly in the IOS XR product, Cisco fetches a nifty 7.5 percent and ranks in as the fourth most affected vendor, with Apache clocking in last with Struts becoming their most affected product.
Products with the Most Vulnerabilities—Top Five
Here is our analysis of the top five products that are associated with the most number of vulnerabilities.
Google Chrome and Microsoft Exchange Servers dominate the list of products affected by the most number of vulnerabilities, with 10 CVEs each. Apple iOS has 9 CVEs that affect iOS versions. Chromium V8 and Windows Win32k find a place on the Top 5 list with 8 and 7 CVEs respectively.
The Most Vulnerable Product Categories—Top Five
Our analysts carried out detailed research of the product categories that are the most vulnerable with the highest count of CVEs associated with them. Here is their analysis:
A Mixed Bag of Old and New
When we analyzed the CISA Known Exploited Vulnerabilities (KEV) list, we found that CISA has called out a total of 111 new vulnerabilities discovered in 2021, compared to 93 in 2020 and 42 in 2019. The oldest vulnerability in the list dates back to 2010.
The Grey-Bearded Vulnerability
The oldest vulnerability that CISA has called out in the directive goes back to 2010. The remote code execution vulnerability identified as CVE-2010-5326 lies in the SAP NetWeaver Application Server Java platforms. The vulnerability does not require authentication and allows remote attackers to execute arbitrary code via an HTTP or HTTPS request. It has a CVSS v3 score of 10.0 and is tagged as a critical vulnerability.
Deadly Young Thing
AtomSilo is the newest ransomware to be added to the list dominated by infamous groups such as REvil and Conti. Here is a brief look at the vulnerability that is associated with CVE-2021-26084:
CVE-2021-26084 is an arbitrary code execution vulnerability affecting certain Atlassian Confluence Server versions.
The vulnerability has the weakness enumeration CWE 74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) and carries a CVSS v3 score of 9.8 (critical).
It is associated with the AtomSilo ransomware group.
It is also one of the vulnerabilities that CISA has prioritized for urgent patching by November 2021.
The Ransomware Magnets
Two vulnerabilities have the highest number of ransomware associated with them. However, CVE-2018-4878 takes the cake by associating with a whopping 41 ransomware families. CVE-2019-19781 comes in second with 11 ransomware family associations.
Here is more information about the two vulnerabilities:
CVE-2018-4878 is an arbitrary code execution vulnerability discovered in the Adobe Flash Player v18.104.22.168.
The vulnerability occurs due to a dangling pointer in the Primetime SDK that handles listener objects in the media player.
The critical severity CVE is categorized under the CWE 416 (use-after-free) weakness enumeration and carries a CVSS v3 score of 9.8.
CWE 416 is one of the Top 10 Most Dangerous Software Weaknesses listed by MITRE.
It has associations with the highest number of ransomware families, including infamous groups such as Locky, BitPaymer, STOP, GandCrab, and Nemty.
CVE-2019-19781 is a remote code execution vulnerability that allows directory traversal in Citrix Application Delivery Controller (ADC) and Gateway versions 10.5, 11.1, 12.0, 12.1, and 13.0.
Categorized under CWE 22 (Improper Limitation of a Pathname to a Restricted Directory (Path Traversal), this critical vulnerability has a CVSS v3 score of 9.8.
CWE 22 is one of the Top 10 Most Dangerous Software Weaknesses listed by MITRE.
This vulnerability has been associated with 11 ransomware families, including DoppelPaymer, Maze, Pay2Key, Ragnarok, and Sodinokibi.
Read more about the vulnerabilities called out by CISA that are associated with ransomware here.
Threat Group Favourites
Threat groups seem to have favorites as well!
Here is an analysis of the top two vulnerabilities:
CVE-2012-0158 is a remote code execution vulnerability in Microsoft’s Windows Common Controls (MSCOMCTL.OCX).
The vulnerability allows remote attackers to execute arbitrary code that triggers "system state" corruption, as exploited in the wild in April 2012, via a crafted
(b) Office document, or
(c) .rtf file.
Categorized under the weakness enumeration CWE 94 (Improper Control of Generation of Code (Code Injection), the severity has a CVSS v2 of 9.3 (critical).
CVE-2012-0158 has the highest APT group associations, with a total count of 23 threat groups.
The CVE is associated with three ransomware groups.
CVE-2017-11882 is a remote code execution vulnerability that exists in Microsoft Office versions 2007 to 2016.
The vulnerability allows an attacker to run arbitrary code in the context of the current user by failing to handle objects in memory properly.
Classified under the weakness enumeration CWE 119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), this high severity CVE has a CVSS v3 score of 7.8.
CWE 119 is one of the Top 20 Most Dangerous Software Weaknesses listed by MITRE.
Ransomware groups such as Locky, Lokibot, and OnyxLocker, amongst others, are associated with this vulnerability.
CVE-2017-11882 has the second-highest APT group associations, with a total count of 22 threat groups.
Top Weakness Enumerations to Watch Out For
The majority of the top weakness enumerations that our researchers have listed below make it to the top 10 CWEs in MITRE’s latest Top 25 Most Dangerous Software Weaknesses list as well as the OWASP Top 10 list.
The CWE that dominates the count with a sturdy 33 CVEs is CWE-787, followed by CWE-269 with 24 CVEs. Although CWE-269 was demoted from the top 25 list to the 29th position in the latest version, one must take note that it is still as dangerous. CWE-269 also appears in the OWASP 2021 list as a weakness relating to insecure design, one to watch out for.
The Improper Input Validation (CWE-20) and Use-After-Free (CWE-416) weakness enumerations clock in with 22 and 21 counts, respectively. CWE-20 is the fourth most dangerous software weakness according to MITRE and is listed under the injection category (A3) in OWASP 2021, a popularly found weakness enumeration. CWE-416 follows in at a close seventh position followed by the Path Traversal weakness (CWE-22) at the eighth position.
Two CVEs—CVE-2021-38000 and CVE-2021-38003—have latencies on the NVD since the vendor published the CVE on October 28, 2021.
Our analysts studied the exploit latency details and listed out 13 CVEs that were exploited before being published to the National Vulnerabilities Database (NVD).
Five vulnerabilities were published on the day the exploit was made public.
Major Vulnerabilities Called Out by CSW in 2021
CSW’s researchers have called out several vulnerabilities listed in CISA’s directive in blogs and patch watch posts in the past year. Here are some CVEs that are worth mentioning:
Name of the Blog
How to Detect CVE-2021-34527? (Get a Free Script to Detect)
Our experts can help your remediation efforts with our vulnerability management, assessments, and prioritization capabilities.
CISA’s initiative of reducing risk through the Known Exploited Vulnerabilities (KEV) catalog is a remediation drive with strict timelines. We have already crossed the first of these deadlines on November 17, 2021, when public and private sector companies should have remediated 98 CVEs that were prioritized as dangerous. The next deadline is on Dec 01, 2021; a total of 117 vulnerabilities need to be fixed by then.
This remediation drive is definitely the need of the hour, as it forces the hand of federal entities and critical organizations to take immediate action to improve their cyber hygiene.
For the past year, CSW’s vulnerability researchers have warned its customers about these weaknesses and their imminent threat. Our team of experts can help you drive this remediation and gain cyber resilience through our Vulnerability Management services.
CSW’s Vulnerability Management as a Service (VMaaS) offers full coverage encompassing your entire IT landscape and detects, prioritizes,
and fixes vulnerabilities on your organizational infrastructure.
To know more about CSW’s Vulnerability Management as a Service (VMaaS),
please click here.