Amol Sarwate heads Fidelis and CloudPassage worldwide threat and security research lab responsible for Network, Endpoint and Cloud. He has devoted his career to protecting, securing, and educating... Read More
July 30, 2021
Fidelis Vulnerability Report – Q2 2021
At Fidelis Cybersecurity®, our Threat Research team continuously monitors the current threat landscape to provide coverage and vigilance on the most menacing vulnerabilities. Our Real-Time Vulnerability Alerting Engine harnesses public data and applies proprietary data analytics to cut through the noise and get real-time alerts for highly seismic cloud vulnerability exposures and misconfigurations—making vulnerability fatigue a thing of the past. Since its first launch at BSidesSF, we have made enormous improvements in our real-time vulnerability alerting engine, allowing us to provide a quarterly vulnerability and trends report to keep you ahead of the most pressing threats. It has been humming and churning data ever since. Here is the most recent vulnerability report, including the top CVE list for the second quarter of 2021.
Figure 1: Fidelis – Vulnerability Report from the Real-Time Vulnerability Alerting Engine
The X-axis above depicts all vulnerabilities found in the second quarter from 1 April to 30 June 2021. The Y-axis represents the vulnerability trending quotient calculated by the engine (see the BSides presentation for more info). For simplicity, the Y-axis has been divided into four colors—Red, Orange, Yellow, and Gray—which represent the criticality of each vulnerability. Each blue line represents a vulnerability, and they are sorted on the X-axis by their CVE numbers. All CVEs are not shown on the X-axis due to space constraints. In Q2 we collected a total of about 150,000 data points for 5026 vulnerabilities. Here are some findings along with details on the top vulnerabilities for Q2 – 2021:
The total number of vulnerabilities increased by 14%
Q2 saw a dramatic increase in the number of vulnerabilities as compared to Q1. In Q1, the vulnerability increased only by 0.3% (when compared to Q4 of 2020). But in Q2, the number of vulnerabilities increased by 14%. In total 5026 vulnerabilities were analyzed in this report.
Critical vulnerabilities increased by 20%
We did not see an increase in the total number of data points collected in Q2. But the number of critical vulnerabilities increased by about 20%. Also, in Q2 the vulnerability data points were more evenly divided between critical CVEs compared to Q1, in which a few numbers of vulnerabilities (like CVE-2021-3156 and CVE-2021-26855) dominated the landscape.
Web application exploits continue to dominate
The dominance of web application exploits has continued in this quarter. Web application exploits contributed to more than double all other types of exploits, including remote, local, and denial-of-service exploits. This comes as no surprise as the number of reported vulnerabilities for web applications far surpass other types of vulnerabilities, therefore, exploits for them are abundant.
Improper privilege management doubles
Vulnerabilities caused by improper assignment, modification, tracking or checking of privileges doubled as compared to this time last year. This included incorrect use of privileged APIs, dropping or lowering errors, privilege chaining, and context switching errors. Reflected, Stored and DOM-Based XSS still tops the root cause category, but the highest growth was seen in privilege management issues.
Older vulnerabilities continue to resurface
We have always seen older vulnerabilities resurface, typically at low rates. In the chart above, about 20% of the vulnerabilities originated prior to 2019 and their severity scores are mostly low to medium. Some exceptions and noteworthy older vulnerabilities that resurfaced include:
Fortinet SSL VPN vulnerability (CVE-2018-13379) resurfaced in Q2 due to ‘Cring’ ransomware being deployed via unpatched Fortinet VPNs.
Cisco ASA and FTD XSS vulnerability (CVE-2020-3580) resurfaced due to the availability of recent proof-of-concept exploit and some hacktivism activity.
Exim 4 use-after-free vulnerability (CVE-2020-28018) resurfaced due to the availability of exploit code and subsequent release of patches.
The CVE Dirty Dozen for Q2 2021
Although the number of web application vulnerabilities surpass other categories, the dirty dozen listed below are ranked by various factors, including severity, wormability, exploit, urgency and many other factors as described in the BSides presentation. None of the web application vulnerabilities made it into the vulnerability and trends report this quarter.
CVE-2021-1675 became public at the end of June, followed by its sister vulnerability, CVE-2021-34527. We’ll have more insight on 34527 next quarter. For 1675, the Microsoft Windows Print Spooler service fails to restrict access to functionality that allows users to add printers and related drivers. This vulnerability can allow a remote authenticated attacker to execute arbitrary code with SYSTEM privileges on a vulnerable system. Exploit for this vulnerability is available publicly.
The Windows HTTP protocol stack is used by IIS as well as many other services under windows. A remote, unauthenticated attacker can exploit this vulnerability by sending a crafted ‘Accept-Encoding’ HTTP header in a web request to the target system. Successful exploitation of this vulnerability can result in code execution with kernel privileges or denial-of-service. Exploit for this vulnerability is available publicly.
Remote code execution in the vSphere Client exists due to a lack of input validation in the Virtual SAN Health Check plug-in. This plug-in is enabled by default in the vCenter Server. If exploited, an attacker may execute commands with unrestricted privileges. A Showdan search reported thousands of vCenter Server exposed to the internet.
The rest of the top vulnerabilities that made our list are in the table below.
Our goal with the quarterly vulnerability and trends report is to identify trends, reduce vulnerability noise, and provide the most accurate, timely, and broad coverage. For additional information on the top vulnerabilities in your environment learn more about Fidelis Halo Cloud Server Secure®. You can also sign up to get a free vulnerability assessment of your infrastructure in minutes.
See Fidelis platforms in action. Learn how our fast, scalable Fidelis Elevate and Fidelis CloudPassage Halo platforms provide deep insights into the SOC to help security teams worldwide protect, detect, respond, and neutralize even the most advanced cyber adversaries.