Fidelis Blog

Amol Sarwate

Amol Sarwate heads Fidelis and CloudPassage worldwide threat and security research lab responsible for Network, Endpoint and Cloud. He has devoted his career to protecting, securing, and educating... Read More


Top CVE List for Q1 2021

Broken safe door

The Threat Intelligence team at Fidelis Cybersecurity® is in a continuous ARR (Anticipate, Research, Respond) loop. Our Real-Time Vulnerability Alerting Engine harnesses public data and applies proprietary data analytics to cut through the noise and get real-time alerts for highly seismic cloud vulnerability exposures and misconfigurations—making vulnerability fatigue a thing of the past. Since its first launch at BSidesSF we have made enormous improvements in our real-time vulnerability alerting engine. It has been humming and churning data ever since. Here is the most recent vulnerability report, including the top CVE list for the first quarter of 2021.


Figure 1: CloudPassage Vulnerability Report from the Real-Time Vulnerability Alerting Engine

The X-axis for the CloudPassage Vulnerability Report graph represents each day of the first quarter from 1 Jan to 31 March 2021. The Y-axis represents the vulnerability trending quotient calculated by the engine (see the BSides presentation for more info). For simplicity, the Y-axis has been divided into four colors—Red, Orange, Yellow, and Green—which represent the criticality of each vulnerability. Each blue dot represents a vulnerability. Its placement on the X-axis represents the date on the timeline and placement on the Y-axis represents criticality (i.e., the vulnerability trending quotient). It’s possible for the same vulnerability to appear on multiple days, especially vulnerabilities with a high X-axis value.

Top CVE List for Q1

#1 CVE-2021-3156: Sudo Privilege Escalation to Root

The ‘sudo’ command allows users to run programs with the security privileges of another user. Due to this vulnerability, when running sudoedit with the flags -s or -i, the command will not result in an exit with an error, and the sudoers policy plugin will not remove the escape characters. This will result in it reading beyond the last character of a string and may allow attackers to run random commands.

#2 CVE-2021-21972: vSphere Remote Code Execution Vulnerability in Server Plugin

A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. A proof-of-concept exploit is available that demonstrates the use of this vulnerability.

#3 CVE-2021-22986: BIG-IP iControl REST Interface Unauthenticated Remote Command Execution

This vulnerability allows for unauthenticated attackers with network access to the iControl REST interface, through the BIG-IP management interface and self IP addresses, to execute arbitrary system commands, create or delete files, and disable services. A proof-of-concept code is available that demonstrates exploitations of this vulnerability.

#4 CVE-2021-26855 Microsoft Exchange Server Remote Code Execution Vulnerability

On March 2, Microsoft released an out-of-band patch for an Exchange zero-day vulnerability that was exploited in the wild. In a blog post, Microsoft attributes the exploitation of these flaws to a state-sponsored group HAFNIUM. Volexity, one of the groups credited with discovering CVE-2021-26855, wrote in their blog post that it observed an attacker leverage this vulnerability to – steal the full contents of several user mailboxes. CVE-2021-26855 opens the door to the other three vulnerabilities that are chained together (CVE-2021-26857, CVE-2021-26858, CVE-2021-27065). An unauthenticated, remote attacker could exploit this flaw by sending a specially crafted HTTP request to a vulnerable Exchange Server over port 443.

The complete top CVE list for the first quarter 2021 are below:

Number Vulnerability Description
1 CVE-2021-3156 Sudo privilege escalation to root
2 CVE-2021-21972 vSphere remote code execution vulnerability in a vCenter Server plugin
3 CVE-2021-22986 BIG-IP iControl REST interface unauthenticated remote command execution
4 CVE-2021-26855 Microsoft Exchange Server Remote Code Execution Vulnerability
5 CVE-2021-1782 MacOS race condition and privilege escalation
6 CVE-2021-1732 Windows Win32k Elevation of Privilege Vulnerability
7 CVE-2021-1647 Microsoft Defender Remote Code Execution Vulnerability
8 CVE-2020-17519 Apache Flink JobManager process file read
9 CVE-2021-3449 TLSv1.2 renegotiation ClientHello DoS
10 CVE-2021-2109 Oracle WebLogic Server remote code execution
11 CVE-2021-21193 Google Chrome use after free vulnerability
12 CVE-2021-3450 OpenSSL non-CA certificates check bypass


How CloudPassage Halo Can Help

CloudPassage Halo Customers can use Halo’s Server Secure or Container Secure service, our software vulnerability manager, to identify and prioritize vulnerabilities lurking in their environments from the top CVE list.

Servers Tab

Figure 2: Use the Halo software vulnerability manager to identify and prioritize vulnerabilities

Customers can also create custom reports to view details on the Q1 vulnerabilities for 2021.


Figure 3: Use Halo to create custom vulnerability reports and view CVE details

Learn more about Fidelis CloudPassage Halo Server Secure.

Stay up to date on all things security

Subscribe to the Threat Geek Blog