Amol Sarwate heads the Fidelis and CloudPassage worldwide threat and security research lab responsible for Network, Endpoint and Cloud. He has devoted his career to protecting, securing, and educating...
The Threat Intelligence team at Fidelis Cybersecurity® is in a continuous ARR (Anticipate, Research, Respond) loop. Our Real-Time Vulnerability Alerting Engine harnesses public data and applies proprietary data analytics to cut through the noise and deliver real-time alerts for highly seismic cloud vulnerability exposures and misconfigurations, making vulnerability fatigue a thing of the past. Since its first launch at BSidesSF, we have made enormous improvements to the real-time vulnerability alerting engine, and it has been humming and churning data ever since. Here is the most recent vulnerability report, including the top CVE list for the first quarter of 2021.
Figure 1: CloudPassage Vulnerability Report from the Real-Time Vulnerability Alerting Engine
The X-axis of the CloudPassage Vulnerability Report graph represents each day of the first quarter, from 1 Jan to 31 March 2021. The Y-axis represents the vulnerability trending quotient calculated by the engine (see the BSides presentation for more info). For simplicity, the Y-axis has been divided into four colors (Red, Orange, Yellow, and Green) that represent the criticality of each vulnerability. Each blue dot represents a vulnerability: its placement on the X-axis is the date on the timeline, and its placement on the Y-axis is its criticality (i.e., the vulnerability trending quotient). The same vulnerability can appear on multiple days, especially vulnerabilities with a high Y-axis value.
The ‘sudo’ command allows users to run programs with the security privileges of another user. Due to this vulnerability (CVE-2021-3156), when sudoedit is run with the -s or -i flag, the command does not exit with an error and the sudoers policy plugin does not remove the escape characters. This results in a read beyond the last character of a string and may allow attackers to run arbitrary commands.
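As an added defender-side check for the sudo issue above (example code written for this article, not part of the original report or of the Halo product), the script below parses `sudo --version` output and compares the upstream version against the affected ranges published in the sudo advisory for CVE-2021-3156: 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1, fixed in 1.9.5p2. The host names and version outputs in the sample are constructed.

```python
import re
import subprocess

# Affected ranges from the upstream sudo advisory for CVE-2021-3156:
# legacy 1.8.2 through 1.8.31p2 and stable 1.9.0 through 1.9.5p1 (fixed in 1.9.5p2).
# Versions are modelled as (major, minor, patch, plevel); no "pN" suffix means plevel 0.
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]
VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(output):
    """'Sudo version 1.8.31p2' -> (1, 8, 31, 2); 'Sudo version 1.9.5' -> (1, 9, 5, 0)."""
    match = VERSION_RE.search(output)
    if not match:
        raise ValueError("no 'Sudo version' line found in output")
    major, minor, patch, plevel = match.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected_by_cve_2021_3156(version):
    """True when the upstream version tuple falls inside an affected range."""
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def check_host(hostname, output):
    """Triage record for one host, built from its 'sudo --version' output."""
    version = parse_sudo_version(output)
    return {"host": hostname, "version": version,
            "affected": is_affected_by_cve_2021_3156(version)}


if __name__ == "__main__":
    # Constructed sample outputs standing in for several hosts' 'sudo --version'.
    samples = {
        "web-01": "Sudo version 1.8.31p2\nSudoers policy plugin version 1.8.31p2\n",
        "db-01": "Sudo version 1.9.5p2\nSudoers policy plugin version 1.9.5p2\n",
        "legacy-01": "Sudo version 1.8.1\n",
    }
    for host, out in samples.items():
        print(check_host(host, out))
    # Also check the machine this runs on; skipped if sudo is not installed.
    try:
        live = subprocess.run(["sudo", "--version"], capture_output=True, text=True)
        print(check_host("localhost", live.stdout))
    except (FileNotFoundError, ValueError):
        pass
```

Distributions that backport the fix as a package revision keep the upstream version string, so treat an "affected" result on a distro-packaged sudo as a prompt to check the package changelog rather than as confirmation.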
A malicious actor with network access to port 443 may exploit this issue (CVE-2021-21972) to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. A proof-of-concept exploit that demonstrates the use of this vulnerability is available.
This vulnerability (CVE-2021-22986) allows unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. Proof-of-concept code that demonstrates exploitation of this vulnerability is available.
On March 2, Microsoft released an out-of-band patch for an Exchange zero-day vulnerability that was exploited in the wild. In a blog post, Microsoft attributes the exploitation of these flaws to the state-sponsored group HAFNIUM. Volexity, one of the groups credited with discovering CVE-2021-26855, wrote in their blog post that they observed an attacker leverage this vulnerability to steal the full contents of several user mailboxes. CVE-2021-26855 opens the door to the other three vulnerabilities that are chained together (CVE-2021-26857, CVE-2021-26858, CVE-2021-27065). An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted HTTP request to a vulnerable Exchange Server over port 443.
The complete top CVE list for the first quarter of 2021 is below:
Number | Vulnerability | Description |
1 | CVE-2021-3156 | Sudo privilege escalation to root |
2 | CVE-2021-21972 | vSphere remote code execution vulnerability in a vCenter Server plugin |
3 | CVE-2021-22986 | BIG-IP iControl REST interface unauthenticated remote command execution |
4 | CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability |
5 | CVE-2021-1782 | macOS race condition and privilege escalation |
6 | CVE-2021-1732 | Windows Win32k Elevation of Privilege Vulnerability |
7 | CVE-2021-1647 | Microsoft Defender Remote Code Execution Vulnerability |
8 | CVE-2020-17519 | Apache Flink JobManager process file read |
9 | CVE-2021-3449 | TLSv1.2 renegotiation ClientHello DoS |
10 | CVE-2021-2109 | Oracle WebLogic Server remote code execution |
11 | CVE-2021-21193 | Google Chrome use after free vulnerability |
12 | CVE-2021-3450 | OpenSSL non-CA certificates check bypass |
CloudPassage Halo customers can use Halo’s Server Secure or Container Secure service, our software vulnerability manager, to identify and prioritize vulnerabilities from the top CVE list lurking in their environments.
Figure 2: Use the Halo software vulnerability manager to identify and prioritize vulnerabilities
Customers can also create custom reports to view details on the Q1 vulnerabilities for 2021.
Figure 3: Use Halo to create custom vulnerability reports and view CVE details
Learn more about Fidelis CloudPassage Halo Server Secure.