Vulnerabilities can be found in just about any type of software, and even in some hardware. Threat actors are all too eager to take advantage of them, using them to gain initial access to, or escalate privileges within, an organization's IT infrastructure. A vulnerability that is exploited before the vendor is aware of it is known as a zero-day. Because no patch or workaround yet exists, anyone running the affected software can be attacked, which is what makes zero-days so dangerous.
However, a vulnerability is not harmless just because it is known. Even when a patch is available, users may not have applied it successfully, if they applied it at all. With thousands of vulnerabilities of varying severity out in the wild, which ones are keeping cybersecurity professionals up at night? The answer changes as new threats emerge, but the following list highlights the most worrisome vulnerabilities at the time of writing:
1. Windows Print Spooler: CVE-2021-34527, CVE-2021-1675
Nicknamed PrintNightmare, CVE-2021-34527 is a critical vulnerability in the Windows Print Spooler service that was being exploited as a zero-day and posed enough of a threat that CISA issued an alert to raise awareness. It is a remote code execution flaw: because the spooler performs privileged file operations improperly, a remote attacker holding any low-privileged domain account can push a malicious printer driver to a target and run arbitrary code as SYSTEM. From there, the attacker can deploy malware, create new accounts, and view, alter, or delete data. Microsoft released an out-of-band security update, which all users are advised to apply as soon as possible, and recommended disabling the Print Spooler service on hosts that do not need to print, domain controllers in particular.
CVE-2021-1675, patched in the June 2021 security update, is a closely related Print Spooler flaw that Microsoft initially classified as a local privilege escalation and later reclassified as remote code execution. The June update does not stop the publicly released proof-of-concept exploit, which is why Microsoft assigned the separate identifier CVE-2021-34527 and shipped the out-of-band fix described above.
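The check a Windows administrator would want for the two spooler flaws above, as an added example (this is not code from the original article or from Microsoft): it reports whether the spooler is running and whether the Point and Print policy values that Microsoft's KB5005010 guidance says must be 0 (or undefined) for the July 2021 fix to be effective have been set to 1, and it can apply the documented workarounds. It assumes an elevated PowerShell 5.1 or later session; the registry value names are the ones from that Microsoft guidance.

```powershell
# Added example: audit a host's Print Spooler exposure and optionally apply Microsoft's workarounds.
# Assumes an elevated PowerShell 5.1+ session. Value names are from Microsoft's KB5005010 guidance.

function Get-PrintSpoolerExposure {
    [CmdletBinding()]
    param()

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $spooler   = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    # Read one Point and Print policy value; $null means the key or the value is absent.
    $read = {
        param([string]$Name)
        try   { (Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }
    $noWarning        = & $read 'NoWarningNoElevationOnInstall'
    $updatePrompt     = & $read 'UpdatePromptSettings'
    $restrictToAdmins = & $read 'RestrictDriverInstallationToAdministrators'

    $findings = [System.Collections.Generic.List[string]]::new()
    if ($spooler -and $spooler.Status -eq 'Running') {
        $findings.Add('Print Spooler service is running')
    }
    # KB5005010: the July 2021 fix only takes effect if both of these are 0 or not defined.
    if ($noWarning -eq 1)    { $findings.Add('NoWarningNoElevationOnInstall=1 undermines the July 2021 fix') }
    if ($updatePrompt -eq 1) { $findings.Add('UpdatePromptSettings=1 undermines the July 2021 fix') }
    # Restricting driver installation to administrators closes the non-admin driver install path.
    if ($restrictToAdmins -ne 1) { $findings.Add('RestrictDriverInstallationToAdministrators is not 1') }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        SpoolerStatus  = if ($spooler) { "$($spooler.Status)" } else { 'NotInstalled' }
        SpoolerStartup = if ($spooler) { "$($spooler.StartType)" } else { 'NotInstalled' }
        Findings       = $findings.ToArray()
        Exposed        = ($findings.Count -gt 0)
    }
}

function Invoke-PrintSpoolerMitigation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Stop and disable the spooler entirely (Microsoft's advice for hosts that never print).
        [switch]$DisableSpooler
    )
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $hardened  = @{
        NoWarningNoElevationOnInstall             = 0
        UpdatePromptSettings                      = 0
        RestrictDriverInstallationToAdministrators = 1
    }
    if ($PSCmdlet.ShouldProcess($policyKey, 'Harden Point and Print policy')) {
        if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
        foreach ($name in $hardened.Keys) {
            New-ItemProperty -Path $policyKey -Name $name -PropertyType DWord -Value $hardened[$name] -Force | Out-Null
        }
    }
    if ($DisableSpooler -and $PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled
    }
}

# Usage: audit first, then remediate (add -WhatIf to preview the changes).
Get-PrintSpoolerExposure | Format-List
```

Run the audit across your fleet before and after patching: a host that reports Exposed = False with the out-of-band update installed is the state you want, while a host where the spooler is running and either policy value is 1 is still vulnerable even if the July update is present.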
2. Microsoft Exchange Vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065
Easily one of the most widely covered security stories of the spring, these vulnerabilities were exploited as zero-days before Microsoft released out-of-band patches in early March. Attacks continued to surge in the following weeks, meaning far too many organizations had yet to apply them. This was particularly concerning given the severity of the chain: CVE-2021-26855 is a server-side request forgery flaw that lets an unauthenticated attacker authenticate as the Exchange server and reach mailboxes, CVE-2021-26857 is an insecure deserialization bug in the Unified Messaging service that yields code execution as SYSTEM, and CVE-2021-26858 and CVE-2021-27065 are post-authentication arbitrary file writes that attackers chained with the first flaw to drop web shells and execute code.
In the April 2021 security update, Microsoft disclosed and patched another set of remote code execution vulnerabilities affecting Exchange Server 2013, 2016, and 2019, making prompt updating all the more critical.
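Patching closes the hole but does not tell you whether it was used beforehand. As an added example (not code from the original article), the function below triages Exchange HttpProxy logs for the request shape of the CVE-2021-26855 SSRF, using the two wildcard tests Microsoft published for this CVE. The log location is the default for Exchange 2013 through 2019; the sample rows are constructed, and the column set shown is an assumption for the demo rather than the full HttpProxy schema.

```powershell
# Added example: look for the CVE-2021-26855 SSRF pattern in Exchange HttpProxy logs.
# The two -like tests are the ones Microsoft published for this CVE; the default log
# root matches a stock Exchange 2013-2019 install. Sample rows below are constructed.

function Find-ExchangeSsrfIndicators {
    [CmdletBinding()]
    param(
        [string]$LogRoot = "$env:ProgramFiles\Microsoft\Exchange Server\V15\Logging\HttpProxy",
        # Pre-parsed rows (e.g. from ConvertFrom-Csv) can be supplied instead of reading disk.
        [object[]]$Rows
    )

    if (-not $Rows) {
        $Rows = Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' |
            ForEach-Object { Import-Csv -Path $_.FullName }
    }

    $Rows | Where-Object {
        # A legitimate proxied request anchors on a mailbox (Smtp~user@domain, Sid~..., etc.).
        # A forged one carries a ServerInfo~host/path anchor or a crafted Server~ back-end
        # cookie, which is how the exploit steered the front end to an arbitrary back-end URL.
        $_.AnchorMailbox -like 'ServerInfo~*/*' -or $_.BackEndCookie -like 'Server~*/*~*'
    } | Select-Object DateTime, UrlHost, UrlStem, AnchorMailbox, BackEndCookie, HttpStatus, UserAgent
}

# Constructed sample: one normal OWA request, one ServerInfo~ anchor, one crafted cookie.
$sampleRows = @'
DateTime,UrlHost,UrlStem,AnchorMailbox,BackEndCookie,HttpStatus,UserAgent
2021-03-02T10:15:01.000Z,mail.example.com,/owa/auth/logon.aspx,Smtp~alice@example.com,,200,Mozilla/5.0
2021-03-02T10:15:07.000Z,mail.example.com,/ecp/y.js,ServerInfo~localhost/ecp/,,200,python-requests/2.25.1
2021-03-02T10:15:09.000Z,mail.example.com,/ecp/,Smtp~bob@example.com,Server~localhost/ecp~1,200,python-requests/2.25.1
'@ | ConvertFrom-Csv

# Usage against the sample data; omit -Rows to read the live log directory instead.
Find-ExchangeSsrfIndicators -Rows $sampleRows | Format-Table -AutoSize
```

Against the sample data the first row is not returned and the other two are. A hit is a reason to treat the server as compromised and hunt for web shells and new accounts, not merely to patch.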
3. Fortinet FortiGate SSL VPN: CVE-2018-13379, CVE-2020-12812, CVE-2019-5591
Multiple government agencies have issued official warnings about these vulnerabilities, including the United Kingdom's National Cyber Security Centre (NCSC), the Federal Bureau of Investigation (FBI), and the Cybersecurity and Infrastructure Security Agency (CISA). The alerts describe Advanced Persistent Threat (APT) actors and cyber criminals scanning for and exploiting the flaws, both for espionage against government services and in ransomware attacks on commercial enterprises. CVE-2018-13379 is a path traversal in the SSL VPN web portal that lets an unauthenticated attacker download system files, including session files that contain plaintext credentials; CVE-2020-12812 lets a user log in without the second authentication factor under certain configurations; and CVE-2019-5591 allows an attacker on the same subnet to impersonate the LDAP server and intercept sensitive information. Patches for all three have been available since 2019 (CVE-2018-13379 and CVE-2019-5591) and mid-2020 (CVE-2020-12812), yet in November 2020 an attacker published a list of nearly 50,000 IP addresses of devices that were still unpatched.
4. Synacor Zimbra Collaboration Suite (XXE): CVE-2019-9670
In a joint advisory, the National Security Agency (NSA), CISA, and the FBI warned that the Russian Foreign Intelligence Service (SVR) had repeatedly exploited five publicly known vulnerabilities, targeting "U.S. and allied networks, including national security and government related systems." Government agencies and government contractors were urged to check whether any of these vulnerabilities apply to their environments and, if so, to mitigate them.
The mailboxd component of the Synacor Zimbra Collaboration Suite has an XML External Entity (XXE) injection vulnerability, demonstrated through its Autodiscover endpoint, that can be exploited to read files on the server, including configuration files containing credentials. Besides appearing in the joint advisory, it was listed in an earlier NCSC advisory about vulnerabilities exploited in attacks on COVID-19 vaccine research and development. The fix shipped in release 8.7.11 patch 10.
5. Pulse Secure Pulse Connect Secure VPN: CVE-2019-11510
This was another of the five vulnerabilities the SVR was exploiting. In affected versions of Pulse Connect Secure, an arbitrary file read via path traversal lets an unauthenticated remote attacker retrieve sensitive files over HTTPS, including ones holding plaintext credentials and session data. CISA had already covered it in a January 2020 alert, noting widespread exploitation despite a patch having been available since April 2019.
6. Citrix Application Delivery Controller and Gateway: CVE-2019-19781
Like the Pulse VPN flaw, this path traversal vulnerability was also exploited by the SVR. Disclosed in December 2019 before patches were available, it allowed unauthenticated attackers to read sensitive information, including configuration files, and to execute arbitrary code; it has also been reported as usable for denial of service and phishing. Despite repeated exploitation by threat actors and a reputation for being trivial to exploit, 19 percent of the roughly 80,000 affected organizations had still not applied the recommended fixes months later.
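The Fortinet, Pulse Secure and Citrix flaws above all come down to a URL path that climbs out of the directory it is supposed to stay in, and the attempts are visible in the appliance's access log. As an added example (not code from the original article or from any of the vendors), the functions below decode each requested path, resolve its "." and ".." segments the way a filesystem would, and flag requests that contain a dot-dot segment or that climb above the root. The log lines are constructed in Common Log Format (an assumed format; adjust the regex for your appliance); the "/vpn/../vpns/" path is the traversal that public detection rules for CVE-2019-19781 key on, and the encoded Pulse-style line is a simplified constructed variant.

```powershell
# Added example: flag path traversal attempts in a web or appliance access log.
# Log format is assumed to be Common Log Format; sample lines are constructed.

function Test-PathTraversal {
    param([Parameter(Mandatory)][string]$RawPath)

    # Drop the query string, then decode repeatedly so "%252e%252e" (double-encoded "..") is seen.
    $path = ($RawPath -split '\?')[0]
    do {
        $previous = $path
        $path = [System.Uri]::UnescapeDataString($path)
    } while ($path -ne $previous)
    $path = $path -replace '\\', '/'

    # Resolve "." and ".." like a filesystem; popping an empty stack means the path escaped its root.
    $stack   = [System.Collections.Generic.List[string]]::new()
    $escaped = $false
    foreach ($segment in ($path -split '/')) {
        if ($segment -eq '' -or $segment -eq '.') { continue }
        if ($segment -eq '..') {
            if ($stack.Count -gt 0) { $stack.RemoveAt($stack.Count - 1) } else { $escaped = $true }
            continue
        }
        $stack.Add($segment)
    }

    [pscustomobject]@{
        RawPath     = $RawPath
        Decoded     = $path
        Normalized  = '/' + ($stack -join '/')
        HasDotDot   = [bool]($path -match '(^|/)\.\.(/|$)')
        EscapesRoot = $escaped
    }
}

function Find-TraversalRequests {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Assumed Common Log Format: client - - [time] "METHOD /path HTTP/1.x" status size
    $pattern = '^(?<client>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        # Copy the groups out before calling a function that runs its own -match.
        $client = $Matches.client; $time = $Matches.time; $status = $Matches.status; $raw = $Matches.path
        $result = Test-PathTraversal -RawPath $raw
        if ($result.HasDotDot -or $result.EscapesRoot) {
            [pscustomobject]@{
                Client     = $client
                Time       = $time
                Status     = $status
                RawPath    = $result.RawPath
                Normalized = $result.Normalized
                # Escaping the root outright is worse than a ".." that stays inside the tree.
                Severity   = if ($result.EscapesRoot) { 'High' } else { 'Medium' }
            }
        }
    }
}

# Constructed sample lines: two benign requests, one Citrix-style and one encoded traversal.
$sampleLog = @(
    '203.0.113.7 - - [10/Jan/2020:04:12:01 +0000] "GET /vpn/index.html HTTP/1.1" 200 1532',
    '203.0.113.7 - - [10/Jan/2020:04:12:02 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83',
    '198.51.100.9 - - [10/Jan/2020:04:13:10 +0000] "GET /dana-na/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
    '198.51.100.9 - - [10/Jan/2020:04:13:11 +0000] "GET /images/logo.png?v=2 HTTP/1.1" 200 4096'
)
Find-TraversalRequests -Lines $sampleLog | Format-Table -AutoSize
```

On the sample data the second line is reported as Medium (the ".." stays under the web root, which is exactly the trick the Citrix flaw relied on) and the third as High (the decoded path climbs above the root); the two benign lines are not reported. Note the status code: a 200 on a traversal request against an appliance is a strong sign the request succeeded and the device should be treated as compromised, not just patched.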
7. VMware Workspace ONE Access: CVE-2020-4006
This command injection vulnerability was also among those exploited by the SVR; it lets an attacker execute commands on the underlying operating system and reach protected data. The NSA's December 2020 advisory warned of the flaw and, because exploitation requires a valid password for the administrative configurator account, advised ensuring that password is strong. A patch was already available and linked from the advisory, but it appears not to have been widely applied, since the vulnerability is still being used in attacks.
8. Microsoft SMBGhost: CVE-2020-0796
Part of the worry over this remote code execution vulnerability, a buffer overflow in the way SMBv3.1.1 handles compressed packets, is that it is potentially wormable and involves the Microsoft Server Message Block (SMB) protocol, the same protocol (in its SMBv1 version) that the WannaCry ransomware abused. Since WannaCry hit over 100 countries and caused estimated damages of over one billion dollars, cybersecurity experts want to do whatever they can to avoid a repeat. Microsoft released an out-of-band patch and, for servers that could not be patched immediately, a workaround of disabling SMBv3 compression.
9. VMware vCenter RCE: CVE-2021-21972
This remote code execution vulnerability resembles the Citrix flaw above in that it was publicized for being simple to exploit: any unauthenticated attacker with network access to the vCenter Server web interface on port 443 can upload and execute arbitrary files through the vRealize Operations plugin. Although VMware quickly released patches, proof-of-concept exploits appeared on GitHub within days and mass scanning followed, emphasizing how important it is to update vulnerable systems as soon as possible.
10. Google Chrome Browser: CVE-2021-21193, CVE-2021-21206, CVE-2021-21220
All three were disclosed or exploited before a fix was available. CVE-2021-21193 is a use-after-free in Blink, Chrome's rendering engine, which a remote attacker could use to trigger heap corruption via a crafted page. The latter two, disclosed in the same week, can likewise be used for remote code execution: CVE-2021-21206 is another use-after-free in Blink, and CVE-2021-21220 is an insufficient input validation flaw in the V8 JavaScript engine. Though Google quickly shipped fixed versions, the real concern is the emerging pattern of zero-days. Given Chrome's popularity, a lingering vulnerability could cause damage on a global scale, and three zero-days in such a short span have made some wary of the browser's overall security posture, so experts will likely keep a closer eye on it for the time being.
11. Cisco AnyConnect Posture: CVE-2021-1366
A DLL hijacking vulnerability (improper access control combined with an uncontrolled search path element) was found in the interprocess communication (IPC) channel of the Cisco AnyConnect Secure Mobility Client for Windows when the VPN Posture (HostScan) module is installed. An authenticated, local attacker could exploit it to run arbitrary code with SYSTEM privileges. Cisco has released free software updates that address the vulnerability.
12. Google Chrome: CVE-2021-21166, CVE-2021-30551
These two zero-day vulnerabilities, discovered by Google's Threat Analysis Group, are remotely exploitable flaws in the Chromium renderer (CVE-2021-21166, an object lifecycle issue in the audio component, and CVE-2021-30551, a type confusion bug in V8) that attackers used in targeted spear-phishing emails sent to users in Armenia. The emails contained links to look-alike versions of websites the targets regularly used. Those pages fingerprinted the visitor, collecting screen resolution, time zone, languages, browser plugins, and available MIME types, and sent the data back to the attackers, who then decided whether the system was worth exploiting further. Google has released patches for both vulnerabilities.
13. Internet Explorer: CVE-2021-33742
Similar to the Google Chrome zero-days listed above, this zero-day vulnerability was discovered by Google and also targeted Armenian users. Google assessed that both the Chrome vulnerabilities and this Internet Explorer zero-day were developed and sold by the same commercial vendor, one most likely selling surveillance capabilities to customers around the world.
The vulnerability, in Internet Explorer's MSHTML engine, was used against targets via malicious Office documents that loaded web content in Internet Explorer when opened. From there, the same kind of system data as in the Chrome campaign was collected and sent back to the attacker. Microsoft has released a patch for this vulnerability.
14. Safari: CVE-2021-1879
Yet another zero-day discovered by Google, this WebKit flaw was used against government officials in western European countries. A universal cross-site scripting (UXSS) bug, it was found in a campaign that sent officials LinkedIn messages containing malicious links; the exploit turned off Same-Origin Policy protections in order to harvest authentication cookies from popular websites including Google, Microsoft, LinkedIn, Facebook, and Yahoo. Google assessed that the attack likely originated from a Russian government-backed actor. Apple has released a patch for this vulnerability.
A Way Forward: Discovery, Regular Updates, and Remediation Validation
The sooner a vulnerability is found and patched, the better. Luckily, multiple research groups, including Core Labs, are constantly hunting for vulnerabilities in order to catch them before a threat actor can use them in a zero-day attack. Groups like Core Labs contact the vendor and coordinate an advisory that informs users as early as possible, ideally with a patch ready at the same time.
As for organizations, the running thread through all of these vulnerabilities is clear: if a patch is available, apply it! Though regular updates can be time consuming and tedious, recovering from a breach takes even more time, patience, and money.
Penetration testing can also help determine whether your organization is in danger. Just like attackers, pen testers use exploits: a piece of code, software, or a set of commands that takes advantage of a vulnerability. Using tools like Core Impact, which comes with a robust exploit library written and tested by experts, pen testers can regularly check whether the latest vulnerabilities are present in an IT environment and what level of risk they pose.
Additionally, updates and patches are useless if they aren't correctly applied; something as simple as a missed reboot can leave you at risk, because the old binaries keep running until the system restarts. The best way to assess the state of your security is to pen test your environment regularly, both to uncover vulnerabilities you may not be aware of and to confirm that remediation efforts have actually taken effect.
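A concrete version of that remediation check, as an added example (not code from the original article): confirm that a specific update is actually installed on a host and that no reboot is still pending, since an update that is "installed" but waiting on a restart has not yet replaced the vulnerable code. It assumes an elevated PowerShell 5.1 or later session and, for remote hosts, PowerShell remoting; the pending-reboot registry locations are the ones Windows servicing and Windows Update use. KB5004945 is used only as the example KB because it is the July 6, 2021 out-of-band PrintNightmare update for Windows 10 versions 2004, 20H2 and 21H1; substitute the KB for your own build.

```powershell
# Added example: verify an update is installed AND no reboot is pending.
# Assumes an elevated PowerShell 5.1+ session (remoting enabled for remote hosts).

function Test-PendingReboot {
    # Keys that exist only while component servicing or Windows Update awaits a restart.
    $indicators = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    $reasons = @($indicators | Where-Object { Test-Path $_ } | ForEach-Object { Split-Path $_ -Leaf })

    # A queued file rename (typically a locked DLL or EXE to be swapped at boot) is the third sign.
    $sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pendingRename  = (Get-ItemProperty -Path $sessionManager -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($pendingRename) { $reasons += 'PendingFileRenameOperations' }

    [pscustomobject]@{ Pending = ($reasons.Count -gt 0); Reasons = $reasons }
}

function Test-UpdateApplied {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$KB,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    # Get-HotFix reads Win32_QuickFixEngineering; no entry means the update never installed.
    $hotfix = Get-HotFix -Id $KB -ComputerName $ComputerName -ErrorAction SilentlyContinue

    if ($ComputerName -eq $env:COMPUTERNAME) {
        $reboot = Test-PendingReboot
    }
    else {
        $reboot = Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Test-PendingReboot}
    }

    [pscustomobject]@{
        ComputerName  = $ComputerName
        KB            = $KB
        Installed     = [bool]$hotfix
        InstalledOn   = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        RebootPending = $reboot.Pending
        RebootReasons = ($reboot.Reasons -join ', ')
        # Only this combination means the fix is really in effect.
        Remediated    = ([bool]$hotfix) -and (-not $reboot.Pending)
    }
}

# Usage: run for one host, or pipe a host list and keep the ones that still need attention.
Test-UpdateApplied -KB 'KB5004945' | Format-List
# 'dc01','fs02' | ForEach-Object { Test-UpdateApplied -KB 'KB5004945' -ComputerName $_ } |
#     Where-Object { -not $_.Remediated }
```

Treat Remediated = False the same whether the cause is a missing update or a pending reboot: in both cases the host is still running the vulnerable code, and a pen test or vulnerability scan against it will, correctly, keep reporting the finding.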
Are You Pen Testing for Vulnerabilities?
Identifying, classifying, remediating, and mitigating weaknesses in the IT infrastructure is no easy task. Find out how pen testing can elevate your strategy in our webinar, How to Take Your Vulnerability Management Program to the Next Level.