Amol Sarwate heads the Fidelis and CloudPassage worldwide threat and security research lab responsible for Network, Endpoint and Cloud. He has devoted his career to protecting, securing, and educating...
April 15, 2021
Top CVE List for Q1 2021
The Threat Intelligence team at Fidelis Cybersecurity® is in a continuous ARR (Anticipate, Research, Respond) loop. Our Real-Time Vulnerability Alerting Engine harnesses public data and applies proprietary data analytics to cut through the noise and get real-time alerts for highly seismic cloud vulnerability exposures and misconfigurations—making vulnerability fatigue a thing of the past. Since its first launch at BSidesSF we have made enormous improvements in our real-time vulnerability alerting engine. It has been humming and churning data ever since. Here is the most recent vulnerability report, including the top CVE list for the first quarter of 2021.
Figure 1: CloudPassage Vulnerability Report from the Real-Time Vulnerability Alerting Engine
The X-axis for the CloudPassage Vulnerability Report graph represents each day of the first quarter from 1 Jan to 31 March 2021. The Y-axis represents the vulnerability trending quotient calculated by the engine (see the BSides presentation for more info). For simplicity, the Y-axis has been divided into four colors—Red, Orange, Yellow, and Green—which represent the criticality of each vulnerability. Each blue dot represents a vulnerability. Its placement on the X-axis represents the date on the timeline and placement on the Y-axis represents criticality (i.e., the vulnerability trending quotient). It’s possible for the same vulnerability to appear on multiple days, especially vulnerabilities with a high X-axis value.
Top CVE List for Q1
#1 CVE-2021-3156: Sudo Privilege Escalation to Root
The ‘sudo’ command allows users to run programs with the security privileges of another user. Due to this vulnerability, when sudoedit is run with the -s or -i flag, the command does not exit with an error as it should, and the sudoers policy plugin does not remove the escape characters from the arguments. The parser then reads beyond the last character of a string, which may allow attackers to run arbitrary commands.
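As an added example (not code from the original post or from the sudo project), the Python script below shows how a defender can triage hosts for this issue. It parses `sudo --version` output into a comparable tuple (handling sudo's trailing "pN" patch-level suffix), checks it against an affected version range, and classifies the output of the non-destructive `sudoedit -s /` probe. The version boundaries (FIRST_AFFECTED_VERSION, FIXED_VERSION) and the probe indicator strings are assumptions taken from the public researcher advisory for this CVE, not from this page; confirm them against the sudo project's own advisory before relying on the result.

```python
import re
import subprocess
from typing import Optional, Tuple

# ASSUMPTION (not stated on the page): earliest release containing the
# vulnerable code path and the first release carrying the fix, as published
# in the public advisory for CVE-2021-3156. Verify against the sudo project.
FIRST_AFFECTED_VERSION = "1.8.2"
FIXED_VERSION = "1.9.5p2"

# sudo versions look like 1.8.31 or 1.9.5p1 (the pN suffix is a patch level).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

Version = Tuple[int, int, int, int]


def parse_sudo_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch, plevel) from `sudo --version` output.

    A version without a 'p' suffix is given patch level 0, so that
    1.9.5 sorts before 1.9.5p1 under plain tuple comparison.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable_version(version: Version) -> bool:
    """True when version lies in [FIRST_AFFECTED_VERSION, FIXED_VERSION)."""
    first = parse_sudo_version(FIRST_AFFECTED_VERSION)
    fixed = parse_sudo_version(FIXED_VERSION)
    assert first is not None and fixed is not None
    return first <= version < fixed


def assess(version_text: str) -> str:
    """Classify `sudo --version` output by upstream version number only.

    Caveat: distributions that backport the fix without changing the
    upstream version string will show up here as 'vulnerable' (false
    positive); use classify_sudoedit_probe() to confirm on such hosts.
    """
    version = parse_sudo_version(version_text)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable_version(version) else "not vulnerable"


def classify_sudoedit_probe(output: str) -> str:
    """Interpret the stderr of `sudoedit -s /` run as an unprivileged user.

    ASSUMPTION (from the public advisory, not this page): a vulnerable sudo
    accepts the malformed invocation and complains about the file
    ('sudoedit: /: not a regular file'); a patched sudo rejects it up front
    and prints its usage text ('usage: sudoedit ...').
    """
    first_line = output.strip().splitlines()[0] if output.strip() else ""
    if first_line.startswith("sudoedit:"):
        return "vulnerable"
    if first_line.startswith("usage:"):
        return "patched"
    return "unknown"


def installed_sudo_version() -> Optional[str]:
    """Return the first line of `sudo --version` on this host, if sudo exists."""
    try:
        proc = subprocess.run(["sudo", "--version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return proc.stdout.splitlines()[0] if proc.stdout else None


if __name__ == "__main__":
    # Constructed sample outputs, to show the classification offline.
    for sample in ("Sudo version 1.8.31", "Sudo version 1.9.5p2"):
        print(f"{sample!r}: {assess(sample)}")
    live = installed_sudo_version()
    if live is not None:
        print(f"this host: {live!r}: {assess(live)}")
```

The version check is the cheap first pass across a fleet; the probe output classifier is there because the version check alone cannot tell a backported distribution package from an unpatched one.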
#2 CVE-2021-21972: vSphere Remote Code Execution Vulnerability in Server Plugin
A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. A proof-of-concept exploit is available that demonstrates the use of this vulnerability.
#3 BIG-IP iControl REST Unauthenticated Remote Command Execution
This vulnerability allows unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. Proof-of-concept code is available that demonstrates exploitation of this vulnerability.
#4 CVE-2021-26855 Microsoft Exchange Server Remote Code Execution Vulnerability
On March 2, Microsoft released an out-of-band patch for an Exchange zero-day vulnerability that was exploited in the wild. In a blog post, Microsoft attributes the exploitation of these flaws to the state-sponsored group HAFNIUM. Volexity, one of the groups credited with discovering CVE-2021-26855, wrote in its blog post that it observed an attacker leverage this vulnerability to steal the full contents of several user mailboxes. CVE-2021-26855 opens the door to the other three vulnerabilities that are chained together with it (CVE-2021-26857, CVE-2021-26858, CVE-2021-27065). An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted HTTP request to a vulnerable Exchange Server over port 443.
The complete top CVE list for the first quarter of 2021 is below:
Sudo privilege escalation to root
vSphere remote code execution vulnerability in a vCenter Server plugin
Microsoft Exchange Server Remote Code Execution Vulnerability
MacOS race condition and privilege escalation
Windows Win32k Elevation of Privilege Vulnerability
Microsoft Defender Remote Code Execution Vulnerability
Apache Flink JobManager process file read
TLSv1.2 renegotiation ClientHello DoS
Oracle WebLogic Server remote code execution
Google Chrome use after free vulnerability
OpenSSL non-CA certificates check bypass
How CloudPassage Halo Can Help
CloudPassage Halo Customers can use Halo’s Server Secure or Container Secure service, our software vulnerability manager, to identify and prioritize vulnerabilities lurking in their environments from the top CVE list.
Figure 2: Use the Halo software vulnerability manager to identify and prioritize vulnerabilities
Customers can also create custom reports to view details on the Q1 vulnerabilities for 2021.
Figure 3: Use Halo to create custom vulnerability reports and view CVE details
See Fidelis platforms in action. Learn how our fast, scalable Fidelis Elevate and Fidelis CloudPassage Halo platforms provide deep insights into the SOC to help security teams worldwide protect, detect, respond, and neutralize even the most advanced cyber adversaries.