Top 5 Affected Products in CISA’s Catalog of Known Exploited Vulnerabilities (KEV)  

Posted on Jan 4, 2022 | By Surojoy Gupta

A deep dive into CISA’s catalog of 311 known exploited vulnerabilities reveals many vendors with multiple products affected by several vulnerabilities. We looked at the products with the most vulnerabilities, that is, the most CVEs associated with them. Let us take a closer look at the five worst-affected products.

 

Product Density Map

CISA Product Density Map


We have already looked at the top vendors affected, where Microsoft, Apple, and Google occupy the top three positions with the most vulnerabilities. When we look at the product density map, however, Google and Microsoft take pole position, each appearing twice in the same list for different products. Leading the table, Chrome and Exchange Server have 10 vulnerabilities each. Apple splits the table with 9 vulnerabilities affecting iOS. Chromium V8 and Windows Win32K, with 9 and 7 vulnerabilities respectively, are the fourth and fifth worst-affected products by number of associated vulnerabilities.


A detailed list of product versions affected is listed at the end of this article as a ready-reckoner that can be referred to during remediation. 
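The ranking described above (CVEs counted per product, plus the CISA patch deadline each entry carries) can be reproduced directly from CISA's machine-readable KEV feed. The following Python is an added example written for this page, not CSW's tooling: it uses the field names of CISA's known_exploited_vulnerabilities.json feed (cveID, vendorProject, product, dateAdded, dueDate) but reads a constructed six-row sample embedded inline, whose dates are placeholders consistent with the month-level deadlines in the tables below rather than values copied from the catalog. It ranks (vendor, product) pairs by CVE count and lists the entries whose due date has already passed on a given day.

```python
import json
from collections import Counter
from datetime import date

# Constructed sample in the shape of CISA's known_exploited_vulnerabilities.json
# feed (same field names). The CVE IDs are ones discussed in this article; the
# dateAdded/dueDate values are placeholders consistent with the article's
# month-level deadlines, not copied from the live catalog.
SAMPLE_KEV_JSON = """
{
  "title": "Constructed KEV sample",
  "count": 6,
  "vulnerabilities": [
    {"cveID": "CVE-2021-37973", "vendorProject": "Google", "product": "Chrome",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
    {"cveID": "CVE-2021-30632", "vendorProject": "Google", "product": "Chrome",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
    {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2021-11-03", "dueDate": "2021-04-16"},
    {"cveID": "CVE-2021-34473", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
    {"cveID": "CVE-2021-30860", "vendorProject": "Apple", "product": "iOS",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
    {"cveID": "CVE-2020-6418", "vendorProject": "Google", "product": "Chromium V8",
     "dateAdded": "2021-11-03", "dueDate": "2022-05-03"}
  ]
}
"""


def load_kev(text: str) -> list[dict]:
    """Parse the feed and return its vulnerability entries, checking that the
    fields the ranking relies on are present in every row."""
    doc = json.loads(text)
    required = {"cveID", "vendorProject", "product", "dueDate"}
    entries = doc["vulnerabilities"]
    for e in entries:
        missing = required - set(e)
        if missing:
            raise ValueError(f"{e.get('cveID', '?')} lacks fields {sorted(missing)}")
    return entries


def product_density(entries: list[dict]) -> list[tuple[tuple[str, str], int]]:
    """Count CVEs per (vendor, product), most-affected first; ties are broken
    alphabetically so the output is stable."""
    counts = Counter((e["vendorProject"], e["product"]) for e in entries)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def deadline_month(entry: dict) -> str:
    """Render a dueDate as the month-level deadline used in this article's tables."""
    return date.fromisoformat(entry["dueDate"]).strftime("%B %Y")


def overdue(entries: list[dict], today_iso: str) -> list[str]:
    """CVE IDs whose CISA due date has already passed as of `today_iso`
    (YYYY-MM-DD), earliest deadline first."""
    today = date.fromisoformat(today_iso)
    late = [e for e in entries if date.fromisoformat(e["dueDate"]) < today]
    late.sort(key=lambda e: (e["dueDate"], e["cveID"]))
    return [e["cveID"] for e in late]


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for (vendor, product), n in product_density(kev)[:5]:
        print(f"{n:2d}  {vendor} {product}")
    print("overdue as of 2021-12-01:", overdue(kev, "2021-12-01"))
```

Pointing `load_kev` at the real feed instead of the sample gives the full product density map; the only field the ranking needs beyond the identifiers is dueDate, which is why the loader refuses rows that lack it rather than silently skipping them.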

 

Google Chrome


Google Chrome has the highest number of vulnerabilities affecting it. With a total of 10 unique CVEs, it stands atop the product density list, alongside Microsoft Exchange Server.

 

| CVE ID | CVSS v3 Score | Severity | APT Associations | Ransomware Associations | CWE Enumeration | CISA Patch Deadline |
|---|---|---|---|---|---|---|
| CVE-2021-30633 | 9.6 | CRITICAL | n/a | n/a | CWE-416 | November 2021 |
| CVE-2021-37973 | 9.6 | CRITICAL | n/a | n/a | CWE-416 | November 2021 |
| CVE-2020-16017 | 9.6 | CRITICAL | n/a | n/a | CWE-416 | May 2022 |
| CVE-2021-21166 | 8.8 | HIGH | n/a | n/a | CWE-119 | November 2021 |
| CVE-2021-30554 | 8.8 | HIGH | n/a | n/a | CWE-416 | November 2021 |
| CVE-2021-30563 | 8.8 | HIGH | n/a | n/a | CWE-843 | November 2021 |
| CVE-2021-30632 | 8.8 | HIGH | n/a | n/a | CWE-787 | November 2021 |
| CVE-2021-37975 | 8.8 | HIGH | n/a | n/a | CWE-416 | November 2021 |
| CVE-2020-15999 | 6.5 | MEDIUM | n/a | n/a | CWE-787 | November 2021 |
| CVE-2021-37976 | 6.5 | MEDIUM | n/a | n/a | N/A | November 2021 |

 

Some Google Chrome vulnerabilities that are worthy of mention are:

  1. CVE-2021-37973, a use-after-free zero-day vulnerability that leads to remote code execution and affects Portals in Google Chrome versions prior to v94.0.4606.61.

  2. Most of the vulnerabilities associated with Chrome in 2021 were zero-day flaws that require immediate remediation to avoid exploitation.

 

Microsoft Exchange Server


Microsoft Exchange Server leads the product tally with a total of 10 unique CVEs affecting a variety of products. 

The Exchange Server has also been plagued by ransomware attacks in the last couple of months. Here is a detailed analysis of the 10 CVEs. 

 

| CVE ID | CVSS v3 Score | Severity | APT Associations | Ransomware Associations | CWE Enumeration | CISA Patch Deadline |
|---|---|---|---|---|---|---|
| CVE-2021-26855 | 9.8 | Critical | 10 | 3 | N/A | April 2021 |
| CVE-2021-34473 | 9.8 | Critical | 1 | 3 | N/A | November 2021 |
| CVE-2021-34523 | 9.8 | Critical | 1 | 2 | CWE-269 | November 2021 |
| CVE-2020-0688 | 8.8 | High | 1 | 2 | CWE-798 | May 2022 |
| CVE-2021-42321 | 8.8 | High | - | - | N/A | December 2021 |
| CVE-2020-17144 | 8.4 | High | - | - | N/A | May 2022 |
| CVE-2021-26857 | 7.8 | High | 9 | 2 | N/A | April 2021 |
| CVE-2021-27065 | 7.8 | High | 9 | 4 | N/A | April 2021 |
| CVE-2021-26858 | 7.8 | High | 9 | 2 | N/A | April 2021 |
| CVE-2021-31207 | 7.2 | High | 1 | 2 | N/A | November 2021 |


MS Exchange vulnerabilities that are worthy of mention are:

  1. The ProxyLogon vulnerabilities comprise four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065), each of which is crucial for organizations to fix, since multiple ransomware and APT groups have exploited them in the wild.

  2. A Google Trends analysis of the aforementioned vulnerabilities finds the following trends in the past year.

Google Search Trends for CVE-2021-26855 in 2021

Google Search Trends for CVE-2021-26857 in 2021

Google Search Trends for CVE-2021-26858 in 2021

Google Search Trends for CVE-2021-27065 in 2021

  3. The vulnerabilities tagged as CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523 comprise what is popularly known as the ProxyShell vulnerabilities. CVE-2021-34473, which was recently exploited by BlackByte ransomware, was noted trending in Australia, Germany, and India in the last 90 days.

Google Search Trends for CVE-2021-31207 in 2021

Google Search Trends for CVE-2021-34473 in 2021

Google Search Trends for CVE-2021-34523 in 2021

  4. MS Exchange vulnerabilities have been associated with major ransomware groups such as Conti, Petya, Ryuk, WannaCry, LockFile, Magniber, Vice Society, and more recently, BlackByte.

 

Apple iOS


Apple’s iOS has a total of nine vulnerabilities associated with it, giving Apple the third position on the products affected list. 

 

| CVE ID | CVSS v3 Score | Severity | APT Associations | Ransomware Associations | CWE Enumeration | CISA Patch Deadline |
|---|---|---|---|---|---|---|
| CVE-2021-1870 | 9.8 | CRITICAL | n/a | n/a | N/A | November 2021 |
| CVE-2021-1871 | 9.8 | CRITICAL | n/a | n/a | N/A | November 2021 |
| CVE-2021-30661 | 8.8 | HIGH | n/a | n/a | CWE-416 | November 2021 |
| CVE-2021-30666 | 8.8 | HIGH | n/a | n/a | CWE-120 | November 2021 |
| CVE-2021-30761 | 8.8 | HIGH | n/a | n/a | CWE-787 | November 2021 |
| CVE-2021-30762 | 8.8 | HIGH | n/a | n/a | CWE-416 | November 2021 |
| CVE-2021-30860 | 7.8 | HIGH | n/a | n/a | CWE-190 | November 2021 |
| CVE-2021-1782 | 7.0 | HIGH | n/a | n/a | CWE-362, CWE-269 | November 2021 |
| CVE-2021-1879 | 6.1 | MEDIUM | 1 | n/a | CWE-79 | November 2021 |


Here are some iOS vulnerabilities that are worthy of mention:

  1. Two high-severity vulnerabilities, CVE-2021-30860 and CVE-2021-30858, were found trending in the wild over the last month. Interestingly, both vulnerabilities have been linked to the infamous Pegasus spyware zero-click iMessage attack in September 2021.

CISA Apple iOS Pegasus Spyware iMessages Vulnerability

  2. CVE-2021-30860 was seen trending mostly in Canada, France, and Germany this year.

Google Search Trends for CVE-2021-30860 in 2021

  3. Two zero-day vulnerabilities of interest that affect WebKit Storage in iOS devices are CVE-2021-30761 and CVE-2021-30762. Both vulnerabilities lead to arbitrary code execution.
     

Google Chromium V8


Google appears twice in the list of Top products affected, with Chromium V8 affected by 8 vulnerabilities.

 

| CVE ID | CVSS v3 Score | Severity | APT Associations | Ransomware Associations | CWE Enumeration | CISA Patch Deadline |
|---|---|---|---|---|---|---|
| CVE-2021-21148 | 8.8 | HIGH | n/a | n/a | CWE-787 | November 2021 |
| CVE-2021-21193 | 8.8 | HIGH | n/a | n/a | CWE-416 | November 2021 |
| CVE-2021-21220 | 8.8 | HIGH | n/a | n/a | CWE-119, CWE-20 | November 2021 |
| CVE-2021-21224 | 8.8 | HIGH | n/a | n/a | CWE-843 | November 2021 |
| CVE-2021-30551 | 8.8 | HIGH | n/a | n/a | CWE-843 | November 2021 |
| CVE-2020-16009 | 8.8 | HIGH | n/a | n/a | CWE-787, CWE-843 | May 2022 |
| CVE-2020-16013 | 8.8 | HIGH | n/a | n/a | CWE-787 | May 2022 |
| CVE-2020-6418 | 6.5 | MEDIUM | n/a | n/a | CWE-787, CWE-843 | May 2022 |
| CVE-2021-4102 | - | - | - | - | - | December 2021 |

 

Some Chromium V8 vulnerabilities of interest are as follows:

  1. CVE-2020-6418 is a type confusion in Chromium V8 in Google Chrome versions prior to 80.0.3987.122 that leads to remote code execution. It allows an attacker to exploit heap corruption remotely via a maliciously crafted HTML page, and it was exploited through vulnerability chaining by a threat actor in the past. The patch for the vulnerability was released in February 2020.

  2. Our security analysts sensed malicious possibilities and advised users to address CVE-2021-30551 immediately: a trending zero-day vulnerability in Chrome’s JavaScript engine with privilege escalation capabilities. On June 10, 2021, CISA issued a warning alert urging users to patch these Chrome vulnerabilities, which could allow an attacker to hijack affected systems.

  3. CVE-2021-30551 was seen trending primarily in Canada and the United States in 2021.

Google Search Trends for CVE-2021-30551 in 2021
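Both the Chrome note earlier in this article and the V8 note above tie a CVE to the first Chrome release that fixed it (94.0.4606.61 for CVE-2021-37973, 80.0.3987.122 for CVE-2020-6418). The ready-reckoner check that follows is an added example, not CSW's or Google's code: it compares an installed Chrome build against those two fix versions with a numeric rather than string comparison, padding short versions such as 94.0 so they compare correctly. The installed build strings it exercises are constructed, and its table of fix versions contains only the two named in this article.

```python
# Added example (not CSW's code): check an installed Chrome build against the
# fix versions named in this article. The FIX_VERSIONS entries come from the
# article; the installed build strings used in __main__ are constructed.


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '94.0.4606.61' into (94, 0, 4606, 61); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_prior_to(installed: str, fixed: str) -> bool:
    """True when `installed` is strictly older than `fixed`.

    Shorter versions are padded with zeros so '94.0' is treated as '94.0.0.0';
    comparing the strings instead would order '9.x' after '80.x'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


# First fixed Chrome release for each CVE, as stated in this article.
FIX_VERSIONS = {
    "CVE-2021-37973": "94.0.4606.61",   # use-after-free in Portals
    "CVE-2020-6418": "80.0.3987.122",   # type confusion in V8
}


def exposed_cves(installed: str, fixes: dict[str, str] = FIX_VERSIONS) -> list[str]:
    """CVEs from `fixes` whose fix the given installed build has not yet received."""
    return sorted(cve for cve, fixed in fixes.items() if is_prior_to(installed, fixed))


if __name__ == "__main__":
    # Constructed build strings, one below both fixes, one at the V8 fix, one at the Portals fix.
    for build in ("79.0.3945.130", "80.0.3987.122", "94.0.4606.61"):
        print(build, "->", exposed_cves(build) or "not exposed to the listed CVEs")
```

Extending FIX_VERSIONS with the other Chrome and V8 CVEs from the tables requires the fixed-in release for each, which this article does not list; take those from the vendor's release notes rather than inferring them from the CVE year.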


Microsoft Windows Win32K


Microsoft Windows Win32K, with 7 unique CVEs affecting its products, ties Microsoft with Google at two products each in the top 5.

 

| CVE ID | CVSS v3 Score | Severity | APT Associations | Ransomware Associations | CWE Enumeration | CISA Patch Deadline |
|---|---|---|---|---|---|---|
| CVE-2021-1732 | 7.8 | HIGH | 1 | n/a | CWE-269 | November 2021 |
| CVE-2021-28310 | 7.8 | HIGH | 1 | n/a | CWE-269 | November 2021 |
| CVE-2019-0797 | 7.8 | HIGH | n/a | n/a | N/A | May 2022 |
| CVE-2019-0803 | 7.8 | HIGH | n/a | n/a | N/A | May 2022 |
| CVE-2019-0808 | 7.8 | HIGH | n/a | 2 | N/A | May 2022 |
| CVE-2019-0859 | 7.8 | HIGH | 1 | 1 | N/A | May 2022 |
| CVE-2020-1054 | 7.8 | HIGH | n/a | n/a | CWE-787 | May 2022 |

 

It is interesting to note that the vulnerabilities affecting Windows Win32K are all privilege escalation vulnerabilities.

 

CSW Vendor-specific Patch Watch notifications are a lifeline for organizations looking for product-specific information.


CSW security experts and researchers have provided Vendor-specific patch watch notifications and have called out more than 198 of the 311 vulnerabilities detailed by CISA in their Known Exploited Vulnerabilities (KEV) catalog.


It is a priority for organizations to take immediate action towards patching these exploited vulnerabilities. At CSW, our expert pentesters and security researchers can help prioritize the patching of the vulnerabilities and conduct monthly or quarterly assessments to improve your cyber hygiene, thereby enhancing your organization’s security posture. 


A list of the vulnerabilities mentioned in the blog having ransomware and threat group associations is detailed below. These vulnerabilities should be given special importance since some of them are trending and are being actively exploited by these attackers.
 


For a more comprehensive list of CVEs connected to ransomware, please visit our blog

 

Our security researchers have also put together a list of product versions affected by the vulnerabilities covered in this blog. The list can be used as a ready-reckoner by organizations to help remediate the mentioned vulnerabilities.

 

 

 

CSW’s Vulnerability Management as a Service (VMaaS) offers full coverage encompassing your entire IT landscape and detects, prioritizes,
and fixes vulnerabilities on your organizational infrastructure. 

 

To know more about CSW’s Vulnerability Management as a Service (VMaaS),
please click here.

 
