The NSA’s Top 25 Most Exploited Vulnerabilities
Principal Security Architect
December 23, 2020
The National Security Agency published a list of 25 CVEs (Common Vulnerabilities and Exposures) that have been the most exploited by threat actors in recent times. Some of these CVEs were used to deliver malicious software that allowed attackers to monitor remote networks, maintain persistent access to them and, in some cases, pivot to other systems within the internal network. For example, CVE-2019-11510 was used to obtain sensitive VPN user-account information, and the stolen credentials were then used to deliver ransomware such as Sodinokibi. Similarly, CVE-2019-0803 was used to establish a backdoor to gain and maintain access to computers on affected networks.
Analyzing the Criticality of These Top Vulnerabilities
The Versa Security and Threat Research Team investigated these 25 vulnerabilities and found in our analysis that all of them are critical and can wreak havoc on organizations. Most of the vulnerabilities affect products positioned at the edge of the network that control access to and from it. Because these edge products are reachable from the internet, they are directly exposed to outside attackers. Two examples are CVE-2020-3118, which affects Cisco IOS XR devices, and CVE-2020-1350, which affects the DNS service in Microsoft Windows servers; both are services accessible from a public network and directly exposed to threats. Furthermore, even in cases like CVE-2020-0601, where the affected machine may not be directly exposed to the internet, the vulnerability is serious enough to warrant the immediate attention of security administrators. More concerning is that exploits for these vulnerabilities are publicly available and can be replicated by copycat hackers and even script kiddies.
Along with analyzing these CVEs, Versa’s Security and Threat Research Team analyzed malware and ransomware samples, such as Sodinokibi, that were distributed by the malicious actors. Through our analysis, we found that Versa Networks customers are protected against exploits developed for these CVEs because our security remediation capabilities prevent the download of any malware samples triggered via these exploits. For example, malware samples like Sodinokibi were analyzed in isolation from these CVEs, and the next-generation threat detection and prevention engine in Versa Secure SD-WAN was able to detect the exploit sample. We analyzed the malware identifiers and signatures associated with these 25 vulnerabilities listed by the NSA and used our machine learning and forensics to identify similar malware patterns, extending protection for Versa customers to malware in the wild beyond the top 25. At a minimum, Versa customers can rest assured that they are protected from the following 25 vulnerabilities.
List of NSA’s Top 25 CVEs Exploited
CVE-2019-11510: Pulse Secure SSL VPN Directory Traversal Vulnerability and Arbitrary File Access – this vulnerability allows attackers to traverse directories on affected VPN devices and access arbitrary files. In attacks seen in the wild, attackers used the vulnerability to gain access to files containing user credentials.
CVE-2020-5902: Remote Code Execution Vulnerability in F5 Big-IP Traffic Management User Interface Configuration Pages
CVE-2019-19781: Citrix Application Delivery Controller and Gateway Directory Traversal Vulnerability
CVE-2020-8193, CVE-2020-8195, CVE-2020-8196: Citrix ADC and Gateway Directory Traversal and Information Disclosure Vulnerabilities – these three CVEs identify information disclosure bugs in the Citrix Application Delivery Controller and Citrix Gateway products. These, along with a couple of other CVEs, are targeted by attackers and actively exploited.
CVE-2019-0708: Microsoft Windows Remote Desktop Services Remote Code Execution – popularly known as the “BlueKeep” vulnerability, this CVE has been targeted by malware authors distributing a cryptocurrency-mining botnet. Although the referenced blog states that an exploit is not publicly available, that statement reflects the data available at the time the blog was released; exploits have since been released into the public domain.
CVE-2020-15505: MobileIron MDM Vulnerability – this CVE identifies a critical remote code execution vulnerability in MobileIron’s Mobile Device Management servers. According to this news report, the CVE is being actively exploited.
CVE-2020-1350: Microsoft Windows DNS Server Integer Overflow – popularly known as the “SIGRed” vulnerability, this CVE identifies an integer overflow bug in the Microsoft DNS service that is triggered when processing malformed DNS requests.
CVE-2020-1472: Microsoft Windows Domain Controller Netlogon Authentication Bypass – popularly known as the “Zerologon” vulnerability, this CVE identifies a privilege escalation bug in Microsoft Windows arising from the insecure use of the AES cipher by the Netlogon service.
CVE-2019-1040: Microsoft Windows NTLM Message Integrity Check Tampering – the bug described in this CVE permits attackers to bypass the Message Integrity Check performed by NTLM during authentication. By combining an attack on this CVE with a few other CVEs for which exploits are available, an attacker would be able to completely compromise a remote host.
CVE-2018-6789: Exim SMTP Server Base64 Decode Function Buffer Overflow Vulnerability.
CVE-2020-0688: Microsoft Exchange Server Memory Corruption Vulnerability – according to this report from Rapid7, a large number of Exchange servers are still unpatched and vulnerable to an exploit leveraging this bug.
CVE-2018-4939: Adobe ColdFusion Object Deserialization Vulnerability.
CVE-2015-4852: Java Library Commons.Collection.jar Object Deserialization Vulnerability.
CVE-2020-10189: Zoho ManageEngine Desktop Central FileStorage getChartImage Insecure Object Deserialization.
CVE-2020-2555: Oracle WebLogic’s Coherence Library Object Deserialization Vulnerability – this and the previous three vulnerabilities arise from the way objects in memory are packed (serialized) by one piece of software for transfer to a remote piece of software, where they are unpacked (deserialized) and processed. If adequate validation of the packed data and its source is not performed before deserialization, an attacker can tamper with it in transit or in memory and alter the execution logic of the remote software. In most cases this leads to remote code execution. This class of vulnerabilities has appeared repeatedly on the OWASP Top 10 list.
CVE-2019-3396: Confluence Widget Connector Remote Code Execution – the Widget Connector macro in Atlassian Confluence Server has a path traversal and code injection bug. This bug was used by threat actors to deliver malware such as the GandCrab ransomware and crypto-mining malware on exploited networks.
CVE-2019-11580: Atlassian Crowd and Crowd Data Center CVE-2019-11580 Remote Code Execution.
CVE-2019-18935: Progress Telerik UI for ASP.NET AJAX File Upload Exploit.
CVE-2020-0601: Microsoft Windows CryptoAPI ECC Spoofing Vulnerability – popularly known as the “CurveBall” vulnerability, this CVE identifies a bug in Microsoft Windows which attackers can leverage to spoof digital certificates and sign malicious executables so that they appear to be legitimate software originating from trusted sources.
CVE-2019-0803: Microsoft Windows GDI Component Use After Free – this CVE identifies a privilege escalation bug in the win32k component of Microsoft Windows. This vulnerability was used by attackers to install a PowerShell-based backdoor on affected systems.
CVE-2020-8515: DrayTek Vigor Command Injection – this CVE identifies a command injection bug in DrayTek Vigor devices. A successful injection results in code executing with root privileges. This bug was leveraged by the HoaxCalls DDoS bot.
CVE-2017-6327: Remote Command Execution in Symantec Messaging Gateway Web Interface.
CVE-2020-3118: Cisco IOS XR Cisco Discovery Protocol Stack Overflow Vulnerability.
How To Remediate Risks Associated With These CVEs
Versa Secure SD-WAN detects exploits taking advantage of these top vulnerabilities identified by the NSA. In addition, the Versa threat detection and response engine is able to identify malware samples associated with these CVEs and apply pattern recognition to other active malware used in the wild. We urge our customers and the public to install the fixes recommended by their respective vendors and to investigate reports generated by their SOC team whenever a reported incident mentions any of the CVEs discussed in this blog. We believe that attackers will continue to exploit the CVEs listed by the NSA, because these vulnerabilities became public only recently and attackers know that many organizations are slow to patch software. We recommend that you take immediate action to protect your organization against these 25 vulnerabilities in order to keep both employees and critical data safe.