March 22, 2023

There are more devices connected to the internet than ever before. This is music to an attacker’s ears, as they make good use of machines like printers and cameras which were never designed to ward off sophisticated invasions. It’s led companies and individuals alike to rethink how safe their networks are.

As the number of these incidents rises, so does the need to classify the dangers they pose to businesses and consumers alike. Three of the most common terms used when discussing cyber risk are vulnerabilities, exploits, and threats. Here is a breakdown of the most exploited vulnerabilities in 2021.

Accellion

The FTA server mentioned here is primarily used for transferring very large files. The program itself has been updated over 20 years and has been in sunset status since 2018. It has been considered End-of-Life since April 30, 2021, with Accellion's Kiteworks software taking over. All four vulnerabilities listed were announced in the same package, each of a different type. Qualys was one of the higher-profile organizations impacted, with an FTA server in its DMZ compromised.

| CVE Details | Vendor & Product | Vulnerability Type | Patch Availability |
|---|---|---|---|
| CVE-2021-27101 | Accellion, FTA | SQL Injection | Requires Version Upgrade |
| CVE-2021-27102 | Accellion, FTA | OS Command Execution | Requires Version Upgrade |
| CVE-2021-27103 | Accellion, FTA | SSRF | Requires Version Upgrade |
| CVE-2021-27104 | Accellion, FTA | OS Command Execution | Requires Version Upgrade |

Atlassian

Confluence server is a wiki-style collaboration environment. By leveraging a “widget connector macro” in a vulnerable version of the software, malicious users would be able to explore directories on the server, deploy templates and achieve remote code execution. This vulnerability has been used to deploy both cryptocurrency mining software and ransomware.

Crowd and Crowd Data Center are both identity management systems providing single-sign-on services, which can assist with authentication across multiple platforms through a central provider. The production versions of these programs had a development plugin known as pdkinstall incorrectly enabled by default. Through this vulnerability, malicious users could install their own plugins, creating a remote code execution scenario.

| CVE Details | Vendor & Product | Vulnerability Type | Patch Availability |
|---|---|---|---|
| CVE-2019-3396 | Atlassian, Confluence Server and Data Center Widget Connector | Server-Side Template Injection | Patch Available |
| CVE-2019-11580 | Atlassian, Crowd and Crowd Data Center | RCE | Patch Available |

Apache

Apache Log4j 2 is an upgrade to Log4j that provides significant improvements over its predecessor, Log4j 1.x, and provides many of the improvements available in Logback while fixing some inherent problems in Logback architecture. Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack where an attacker with permission to modify the logging configuration file can construct a malicious configuration using a JDBC Appender with a data source referencing a JNDI URI which can execute remote code. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

| CVE Details | Vendor & Product | Vulnerability Type | Patch Availability |
|---|---|---|---|
| CVE-2021-44228 | Apache, Log4J 2.0-beta9 through 2.15.0 | RCE | Requires Version Upgrade |
| CVE-2021-45046 | Apache, Log4J 2.15.0 | RCE | Requires Version Upgrade |
| CVE-2021-45105 | Apache, Log4J 2.16 | DoS | Requires Version Upgrade |
| CVE-2021-44832 | Apache, Log4J 2.17 | OS Command Execution | Requires Version Upgrade |
| CVE-2021-4104 | Apache, Log4J 1.X | RCE | Requires Version Upgrade |
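A small configuration audit for the fix described above, added here as an example and not part of the original post or of the Log4j project: it parses a log4j2.xml and reports every JDBC appender whose DataSource jndiName does not use the java: protocol, which is exactly what the 2.17.1, 2.12.4 and 2.3.2 releases refuse to load. The sample configuration is constructed, and the checker assumes the `<JDBC>` / `<DataSource jndiName="...">` element names of the Log4j 2 XML format.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed log4j2.xml (sample input, not from any real deployment): one JDBC
# appender bound to a java: JNDI name, and one referencing a non-java protocol.
SAMPLE_CONFIG = """<Configuration status="warn">
  <Appenders>
    <JDBC name="dbLocal" tableName="logs">
      <DataSource jndiName="java:comp/env/jdbc/LoggingDataSource"/>
    </JDBC>
    <JDBC name="dbRemote" tableName="logs">
      <DataSource jndiName="ldap://logging.example.test/ds"/>
    </JDBC>
    <Console name="stdout"/>
  </Appenders>
  <Loggers><Root level="info"/></Loggers>
</Configuration>
"""


def find_unsafe_jdbc_datasources(config_xml: str) -> List[Tuple[str, str]]:
    """Return (appender name, jndiName) for each JDBC appender whose DataSource
    does not use the java: protocol. Matches the <JDBC> element form only; an
    appender declared as <Appender type="JDBC"> would not be inspected here."""
    root = ET.fromstring(config_xml)
    findings = []
    for appender in root.iter("JDBC"):
        for datasource in appender.findall("DataSource"):
            jndi = datasource.get("jndiName", "")
            if not jndi.lower().startswith("java:"):
                findings.append((appender.get("name", "?"), jndi))
    return findings


if __name__ == "__main__":
    for name, jndi in find_unsafe_jdbc_datasources(SAMPLE_CONFIG):
        print(f"appender {name!r}: non-java JNDI data source {jndi!r}")
```

Run it against the real log4j2.xml on any host that cannot yet be upgraded; an empty result means no JDBC appender would be blocked by the fixed releases.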

Citrix


During the COVID-19 pandemic, the shift to remote work was swift and, in many cases, unplanned. This meant that many organizations were deploying potentially untested remote access systems in an incompletely configured state. As such, this vulnerability was the most exploited flaw in 2020.

Researchers at Carnegie Mellon University were able to show that the software did not restrict access to a particular set of scripts in a directory called "vpns", which was reachable via directory traversal. Once in this directory, they could perform remote code execution of their own design.

| CVE Details | Vendor & Product | Vulnerability Type | Patch Availability |
|---|---|---|---|
| CVE-2019-19781 | Citrix, Netscaler ADC, Citrix Gateway, and Citrix SD-WAN WANOP appliance | RCE and Full System Compromise | Patch Available |

Drupal

Drupal is used by many as a content management system (CMS) for websites and wikis. The vulnerability involves the way Drupal handles request parameters: because it accepts parameters in arrays, a malicious user can deploy payloads to the system without input sanitization. It is potentially possible to exploit both the application and the host OS. Despite the severity of the issue, there are still many unpatched systems, even though patches have been available since mid-2018.

| CVE Details | Vendor & Product | Vulnerability Type | Patch Availability |
|---|---|---|---|
| CVE-2018-7600 | Drupal, Core | RCE | Patch Available |
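Drupal's own patch for the issue above added a request sanitizer that drops array keys beginning with "#", the prefix Drupal reserves for render-array properties, before user input reaches the form system. The helper below is an added Python illustration of that idea, not Drupal code; the request data is constructed, and the helper also records which keys were dropped so the rejection can be logged rather than silently swallowed.

```python
from typing import Any, Dict, List, Optional, Tuple

# Constructed form submission: legitimate fields plus injected keys that begin
# with '#', nested inside both a dict and a list to exercise the recursion.
SAMPLE_REQUEST = {
    "form_id": "user_register_form",
    "mail": {"#type": "markup", "#markup": "<b>injected</b>", "value": "alice@example.test"},
    "roles": ["authenticated", {"#weight": 5, "name": "editor"}],
}


def strip_hash_keys(value: Any, path: str = "",
                    dropped: Optional[List[str]] = None) -> Tuple[Any, List[str]]:
    """Recursively remove dict keys beginning with '#' from nested request data.
    Returns a sanitized copy and the path of every key that was dropped."""
    if dropped is None:
        dropped = []
    if isinstance(value, dict):
        clean: Dict[Any, Any] = {}
        for key, item in value.items():
            key_path = f"{path}[{key}]" if path else str(key)
            if isinstance(key, str) and key.startswith("#"):
                dropped.append(key_path)   # reserved property name in user input
                continue
            clean[key], _ = strip_hash_keys(item, key_path, dropped)
        return clean, dropped
    if isinstance(value, list):
        items = [strip_hash_keys(item, f"{path}[{i}]", dropped)[0]
                 for i, item in enumerate(value)]
        return items, dropped
    return value, dropped  # scalars pass through untouched


if __name__ == "__main__":
    cleaned, rejected = strip_hash_keys(SAMPLE_REQUEST)
    print(cleaned)
    print("dropped:", rejected)
```

A non-empty dropped list on a production form endpoint is itself a useful detection signal, since ordinary browsers never submit such keys.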

F5

BIG-IP provides load balancing, firewall functions and DNS services. Through this vulnerability, malicious users would be able to access configuration functions of the application, along with running code of their choosing. As with many other configuration utilities, however, restricting access to the upper-level controls to trusted IPs provides a quick workaround while permanent fixes are applied; this takeaway applies across multiple vendors.

| CVE Details | Vendor & Product | Vulnerability Type | Patch Availability |
|---|---|---|---|
| CVE-2020-5902 | F5, BIG-IP Traffic Management User Interface (TMUI) | RCE | Requires Version Upgrade |

Fortinet

For similar reasons as those reported above with Citrix, Fortinet's SSL VPN offerings exploded in use during 2020, making them a very tempting target for attackers. All three of these issues revolve around that remote access offering, each with a very different effect.

The 2018 vulnerability permitted malicious users to move to directories containing system files from the FortiOS web portal, but not necessarily to upload their own. While that may not sound as bad as some other vulnerabilities, the 2019 vulnerability could allow users on the same local subnet to impersonate the LDAP authentication server and potentially obtain sensitive data.

The 2020 vulnerability could allow users to bypass two-factor authentication requirements by changing the case of their username (uppercase/lowercase). If, for example, a malicious user leveraged the 2018 vulnerability to obtain credentials, they could then use this vulnerability to gain full access without requiring a 2FA token.

| CVE Details | Vendor & Product | Vulnerability Type | Patch Availability |
|---|---|---|---|
| CVE-2018-13379 | Fortinet, SSL VPN | Directory Traversal | Patch Available |
| CVE-2019-5591 | Fortinet, SSL VPN | Server Impersonation | Solution Available |
| CVE-2020-12812 | Fortinet, SSL VPN | 2FA Bypass | Requires Version Upgrade |
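The 2020 username-case bypass above is an instance of a general bug class: one component matches usernames case-insensitively while another keys its policy on the exact string. The following added Python model is a hypothetical illustration of that class beside its hardened form, not FortiOS code and not a description of how the product actually implements the check; the user store and policy table are constructed.

```python
# Constructed identity store and two-factor policy (hypothetical model).
# Directory-style backends commonly match usernames case-insensitively,
# whereas the policy table below is keyed by the exact submitted string.
USERS = {"alice": "correct-horse-battery"}   # username -> password (constructed)
MFA_REQUIRED = {"alice": True}               # per-user two-factor policy


def password_ok(username: str, password: str) -> bool:
    """Simulated directory bind: the backend ignores username case."""
    return USERS.get(username.casefold()) == password


def login_vulnerable(username: str, password: str, token_ok: bool) -> bool:
    """Policy lookup uses the raw username while the backend folds case,
    so a different spelling of the same account skips the 2FA requirement."""
    if not password_ok(username, password):
        return False
    if MFA_REQUIRED.get(username, False) and not token_ok:
        return False
    return True


def login_hardened(username: str, password: str, token_ok: bool) -> bool:
    """Canonicalize once at the boundary and use that form for every decision."""
    canonical = username.casefold()
    if canonical not in USERS:            # fail closed on unknown accounts
        return False
    if not password_ok(canonical, password):
        return False
    if MFA_REQUIRED.get(canonical, False) and not token_ok:
        return False
    return True
```

The defensive takeaway is the same one that applies to any identity pipeline: normalize the identifier exactly once, then feed that canonical value to authentication, policy and audit logging alike, so a log search for the account name also catches variant spellings.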

Microsoft

Microsoft's Windows operating systems, Office productivity software, SharePoint content management system and Exchange email server products power many enterprises. The 2017 Office vulnerability allows a malicious user to distribute a file to a legitimate user, which is then opened in the Office suite programs or the standalone WordPad application. Once the user opens the file, whatever code the malicious user wishes will run with the logged-on user's permissions. This is very similar in concept to the 2019 SharePoint vulnerability, where code could be run under the credentials of the SharePoint app pool and server farm accounts.

The Background Intelligent Transfer Service (BITS) powers a great deal of the updating functionality for Windows. Using this vulnerability, a malicious user who already has access to the system could elevate their permissions to control the entire local computer.

Netlogon allows for authentication of users and computers that are members of Microsoft's Active Directory domain structure. Exploiting the vulnerability could allow someone to impersonate a Domain Controller and potentially acquire Domain Administrator privileges.

The 2020 Exchange vulnerability is caused by an Exchange Control Panel web app issue in Exchange 2019. The problem revolves around cryptographic keys, specifically that Exchange does not generate a new key at install time. If a malicious user has access to the default keys, they can cause Exchange to decrypt their data. This can lead to remote code execution as SYSTEM, the highest permission level on the server.

The 2021 Exchange vulnerabilities, on the other hand, are part of an attack chain. First, the attacker would gain access to an Exchange Server either with stolen passwords or by using the previously undiscovered vulnerabilities to disguise itself as someone who would have access. Second, it would create what is called a web shell to control the compromised server remotely. Third, it would use that remote access, run from U.S.-based private servers, to steal data from an organization's network.

| CVE Details | Vendor & Product | Vulnerability Type | Patch Availability |
|---|---|---|---|
| CVE-2017-11882 | Microsoft, Office | RCE | Patch Available |
| CVE-2019-0604 | Microsoft, SharePoint | RCE | Patch Available |
| CVE-2020-0688 | Microsoft, Exchange | RCE | Patch Available |
| CVE-2020-0787 | Microsoft, BITS | Privilege Elevation | Patch Available |
| CVE-2020-1472 | Microsoft, Netlogon | Privilege Elevation | Patch Available |
| CVE-2021-26855 | Microsoft, Exchange | RCE | Patch Available |
| CVE-2021-26857 | Microsoft, Exchange | RCE | Patch Available |
| CVE-2021-26858 | Microsoft, Exchange | RCE | Patch Available |
| CVE-2021-27065 | Microsoft, Exchange | RCE | Patch Available |

MobileIron

MobileIron provides many services dealing with mobile device management. Researchers discovered a vulnerability in the MobileIron Core product that could allow a malicious user to execute their code without authentication. After confirming the vulnerability, MobileIron expanded its review and discovered several other products that also had this issue.

| CVE Details | Vendor & Product | Vulnerability Type | Patch Availability |
|---|---|---|---|
| CVE-2020-15505 | MobileIron, Core & Connector, Sentry, Monitor and Reporting Database (RDB) | RCE | Patch Available |

Pulse Secure

Pulse Secure's Connect Secure is a form of SSL VPN, as we have seen multiple times already on this list. The 2019 vulnerability could allow an unauthenticated user to read files traveling across the VPN, gain access to plain text credentials, and execute commands on clients as they connect to the VPN server. The 2021 vulnerabilities potentially allow unauthenticated users to run their code on the VPN gateway itself with root-level access.

| CVE Details | Vendor & Product | Vulnerability Type | Patch Availability |
|---|---|---|---|
| CVE-2019-11510 | Pulse Secure, Connect Secure and Policy Secure | Arbitrary File Access | Patch Available |
| CVE-2021-22893 | Pulse, Connect Secure | RCE | Patch Available |
| CVE-2021-22894 | Pulse, Connect Secure | RCE | Patch Available |
| CVE-2021-22899 | Pulse, Connect Secure | RCE | Patch Available |
| CVE-2021-22900 | Pulse, Connect Secure | RCE | Patch Available |

Telerik

Telerik’s UI for ASP.NET AJAX allows for the rapid creation and deployment of web forms. This vulnerability is similar in concept to the Exchange decryption vulnerability. If the malicious user can access the encryption keys, either through another vulnerability or via other means, they can run their code on the server.

| CVE Details | Vendor & Product | Vulnerability Type | Patch Availability |
|---|---|---|---|
| CVE-2019-18935 | Telerik, User Interface (UI) for ASP.NET AJAX | RCE | Patch Available |

VMware

VMware allows for the running of virtual machines on top of host operating systems, with vSphere being its primary management interface. The first vulnerability is due to missing input validation in a plugin enabled by default; because of this, a user can run their code on the host OS. The second vulnerability also deals with plugins, but differently: it would allow the user to perform whatever actions the affected plugins could normally do, but without authentication.

| CVE Details | Vendor & Product | Vulnerability Type | Patch Availability |
|---|---|---|---|
| CVE-2021-21985 | VMware, vSphere | RCE | Version Upgrades Available |
| CVE-2021-21986 | VMware, vSphere | Authentication Bypass | Version Upgrades Available |