Amol Sarwate heads the Fidelis and CloudPassage worldwide threat and security research lab responsible for Network, Endpoint and Cloud.
At Fidelis Cybersecurity®, our Threat Research team provides coverage and vigilance on the most menacing vulnerabilities through continuous monitoring of the current threat landscape. The third quarter of 2021 introduced 5438 new vulnerabilities, of which a staggering 907 carried a CVSS score of high or critical. While the CVSS scoring mechanism holds value, our Threat Research team also applies expert analysis to identify the most critical issues.
Our Real-Time Vulnerability Alerting Engine cuts through the noise by harnessing public data and applying proprietary data analytics to get real-time alerts for highly seismic vulnerability exposures and misconfigurations—making vulnerability fatigue a thing of the past. Since its first launch at BSidesSF, we have continually improved our real-time vulnerability alerting engine, allowing us to provide this quarterly vulnerability and trends report to keep you ahead of the most pressing threats. Here is the most recent vulnerability report, including the top CVE list for the third quarter of 2021.
Figure1: All 2021 vulnerabilities with third quarter vulnerabilities highlighted in blue
In Figure 1, the X-axis represents each day of the year from 1 Jan to 30 September 2021. The Y-axis represents the vulnerability trending quotient calculated by the engine (see the BSides presentation for more info). This quotient is calculated every day for each CVE. For simplicity, the Y-axis is divided into four colors—Red, Orange, Yellow, and Green—which represent the criticality of each vulnerability. Each blue dot represents a vulnerability. It’s possible for the same vulnerability to appear on multiple days, especially those with a high X-axis value. The third quarter vulnerabilities are highlighted by the light blue box on the timeline.
As you can see, the criticality for the second quarter PrintNightmare CVE-2021-1675 is higher than the top vulnerability in the third quarter – CVE-2021-40444. However, the total number of high and critical vulnerabilities (as signified by the number of dots on the graph) is very high in the third quarter. In fact, the number of high-severity vulnerabilities quadrupled in the third quarter over the second quarter total.
Figure 2, below, shows the number of high and critical vulnerabilities for the three quarters.
Figure 2: Quarterly comparison of high and critical vulnerabilities
Now, let’s zoom in on the vulnerabilities in the blue Third Quarter box from Figure 1. The graph below shows all vulnerabilities from the third quarter. The X-axis represents each vulnerability while the Y-axis represents the sum of the vulnerability quotient for each CVE. If a vulnerability is seen multiple times in a week or month, then the Y-axis represents the sum of the quotients for that CVE. For example, the Windows Spooler PrintNightmare vulnerability appeared multiple times in the third quarter, so the Y-axis represents the sum of all quotients for that CVE in Q3.
Figure 3: Vulnerabilities in third quarter 2021
1. Microsoft MSHTML Remote Code Execution: CVE-2021-40444
On September 7, Microsoft released an out-of-band advisory acknowledging targeted attacks that attempt to exploit CVE-2021-40444 by using specially crafted Microsoft Office documents. Once the victim opens the malicious Word, Excel, or PowerPoint document, the attacker can take full control of the victim’s machine. Several proofs of concept are publicly available on the internet, including one hosted on GitHub. Microsoft released mitigations and workarounds to address this issue.
2. Windows Print Spooler – PrintNightmare: CVE-2021-34527
CVE-2021-34527 is a sister vulnerability of CVE-2021-1675, which topped our list of second quarter 2021 vulnerabilities (see our second quarter report). Both vulnerabilities belong to the PrintNightmare family of issues. This is a remote code execution vulnerability that exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploits this vulnerability can run arbitrary code with SYSTEM privileges and can use it to install programs; view, change, or delete data; or create new accounts with full user rights.
3. Confluence Server Webwork OGNL Remote Code Execution: CVE-2021-26084
Confluence is a widely used collaboration application that organizes and centralizes shared work. CVE-2021-26084 is actively exploited in the wild and allows attackers (regardless of configuration) to take complete control of the affected Confluence Server or Data Center instance. Initially, about 12,000 internet-facing installations appeared to be in a vulnerable state, but the number of affected sites has since decreased. If you are unable to upgrade Confluence immediately, you can mitigate the issue by running a workaround script provided by the vendor. To detect this attack, administrators should monitor all HTTP requests where the path component of the request-URI contains certain IOC strings.
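The detection advice above can be turned into a small log-review routine. The following is an added example, not code from the Fidelis post or from Atlassian; the post does not list the IOC strings, so the indicator list and the access-log lines below are constructed placeholders, and the function matches only against the percent-decoded path component of the request-URI, as the advice specifies.

```python
"""Added example: flag requests whose request-URI *path* contains an IOC string."""
import re
from urllib.parse import unquote, urlsplit

# Constructed placeholder indicators; substitute the vendor-published strings.
IOC_PATH_STRINGS = ["placeholder-ioc-one", "placeholder-ioc-two"]

# Minimal parser for common/combined access-log lines:
# client ident user [time] "METHOD URI PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def uri_path(uri: str) -> str:
    """Return the lower-cased, percent-decoded path component only.
    Query string and fragment are dropped so query noise does not
    trigger matches; decoding twice also catches double-encoded paths."""
    path = urlsplit(uri).path
    return unquote(unquote(path)).lower()


def flag_requests(log_lines, iocs=IOC_PATH_STRINGS):
    """Return (client, time, raw_uri, matched_ioc) for each line whose
    request path contains one of the indicator strings."""
    needles = [i.lower() for i in iocs]
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; count these separately in production
        path = uri_path(m["uri"])
        for needle in needles:
            if needle in path:
                hits.append((m["client"], m["time"], m["uri"], needle))
                break
    return hits


# Constructed sample log lines: one benign, one plain hit, one URL-encoded
# hit, and one with the indicator only in the query string (not flagged).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Sep/2021:10:00:01 +0000] "GET /pages/viewpage.action?pageId=1 HTTP/1.1" 200 512',
    '203.0.113.9 - - [07/Sep/2021:10:00:02 +0000] "POST /placeholder-ioc-one/ HTTP/1.1" 200 64',
    '203.0.113.7 - - [07/Sep/2021:10:00:03 +0000] "GET /Placeholder%2DIOC%2Dtwo HTTP/1.1" 404 0',
    '203.0.113.8 - - [07/Sep/2021:10:00:04 +0000] "GET /search?q=placeholder-ioc-one HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("IOC path match:", hit)
```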
4. vCenter Server File Upload Vulnerability – CVE-2021-22005
VMware confirmed active exploitation of this vulnerability in the wild. vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server may exploit this issue to execute code by uploading a specially crafted file. An attacker who can reach the affected software (in this case vCenter Server) over the network can execute commands and bypass the security controls in place.
The rest of the top vulnerabilities that made our list are in the table below.
| Rank | CVE | Description |
|---|---|---|
| 5 | CVE-2021-30860 | Apple macOS, iOS, watchOS PDF code execution |
| 6 | CVE-2021-36934 | Microsoft Windows SAM elevation of privilege via overly permissive Access Control Lists (ACLs) |
| 7 | CVE-2021-33909 | Linux kernel seq_file out-of-bounds write flaw |
| 8 | CVE-2021-38647 | Microsoft OMI remote code execution |
| 9 | CVE-2021-35211 | SolarWinds Serv-U memory escape vulnerability |
| 10 | CVE-2021-30807 | Apple macOS, iOS kernel extension code execution |
| 11 | CVE-2021-34473 | Microsoft Exchange Server remote code execution |
| 12 | CVE-2021-33035 | Apache OpenOffice dBase/DBF document remote code execution |
Our goal with the quarterly vulnerability and trends report is to identify trends, reduce vulnerability noise, and provide the most accurate, timely, and broad coverage.
Protection against vulnerabilities starts with a proactive defense. The Fidelis CloudPassage Halo® unified cloud security platform provides continuous vulnerability monitoring and management across IaaS, PaaS, servers, and containers for public, private, hybrid- and multi-cloud environments. With Fidelis Halo, you get high-fidelity alerts on vulnerabilities, including high, critical, and zero-day alerts, so you can secure your systems ahead of the exploit.
Learn more about Fidelis Halo and start your free 15-day trial.