ATI Coverage for the CISA alert on 2022 Top Routinely Exploited Vulnerabilities
CISA, also known as the Cybersecurity and Infrastructure Security Agency, functions as the operational lead for federal cybersecurity and acts as the national coordinator for ensuring security and resilience in critical infrastructure.
CISA regularly publishes alerts about emerging threats and vulnerabilities. These alerts enable organizations to take preventive steps to safeguard their systems and networks against cyber threats. In this blog, we go over the joint Cybersecurity Advisory released by CISA listing the top routinely exploited vulnerabilities of 2022.
Figure 1: CISA Strike Lists in BreakingPoint
Alert (AA23-215A) 2022 Top Routinely Exploited Vulnerabilities
The alert, issued on August 03, 2023, covers the top 12 Common Vulnerabilities and Exposures (CVEs) routinely exploited by malicious actors in 2022, their associated Common Weakness Enumeration (CWE) entries, and other CVEs that were frequently exploited. The advisory also highlights that during 2022 attackers focused more on exploiting older software vulnerabilities than newly disclosed ones, primarily targeting unpatched systems that were accessible from the internet. In fact, in 2023 these vulnerabilities are still routinely exploited!
A significant number of these vulnerabilities and vulnerability chains have publicly accessible proof-of-concept (PoC) code, which has made them easier for malicious actors to exploit. The advisory provides guidance to vendors and technology organizations on identifying and mitigating their exposure by implementing secure-by-design principles and prioritizing the patching of known exploited vulnerabilities, thereby reducing the risk of compromise. At the time of writing, ATI has coverage for all of the top 12 routinely exploited vulnerabilities and 21 of the 30 additional routinely exploited vulnerabilities.
Let's look at some of the vulnerabilities that were routinely targeted in 2022:
- CVE-2018-13397 – A high-severity path traversal vulnerability that affects older versions of Fortinet FortiOS and FortiProxy under the SSL-VPN service. It allows threat actors to access session files containing plaintext credentials by downloading FortiOS system files using malformed resource requests. The vulnerability was first identified in 2018 and continues to be exploited even in 2023. Its continued exploitation indicates that many organizations have failed to patch their software in a timely manner, leaving them susceptible to malicious cyber actors.
- CVE-2021-34473, CVE-2021-31207, CVE-2021-34523 – ProxyShell is the name given to these three vulnerabilities affecting unpatched, on-premises Microsoft Exchange servers. Chained together, they enable pre-authenticated remote code execution. They reside in the Microsoft Client Access Service (CAS), which runs on port 443 within the Microsoft Internet Information Services (IIS) web server and is exposed to the Internet for mobile and web email access. This exposure lets attackers remotely execute arbitrary code on compromised systems. To learn more about ProxyShell, this blog provides a great overview.
- CVE-2021-40539 – This vulnerability allowed attackers to bypass the security filter in Zoho ManageEngine using specially crafted REST API endpoints, because URLs were not normalized before validation. As a result, attackers gained access to REST API endpoints, which they then used to launch further attacks, including arbitrary command execution. Exploitation began in late 2021 and continued throughout 2022.
- CVE-2021-26084 – An OGNL injection vulnerability in Atlassian Confluence Server and Data Center (a web-based collaboration tool used by governments and private companies) that enables an unauthenticated attacker to run arbitrary code on the affected system. OGNL is a powerful expression language that allows developers to manipulate objects and data; in Confluence, it is used to evaluate expressions in the context of a page or document. An attacker exploits this vulnerability by sending a specially crafted request to the Confluence server. Shortly after disclosure, once a proof-of-concept (PoC) was released, it became one of the most routinely exploited vulnerabilities.
- CVE-2021-44228 – This vulnerability, also known as Log4Shell, affects Apache Log4j, a popular logging library used by many Java applications. It exists in Log4j versions earlier than 2.15.0, which are unprotected against attacker-controlled LDAP and other JNDI-related endpoints. It is exploited by sending manipulated log messages containing specially crafted LDAP URLs to the Log4j library. The flaw grants attackers control over servers, enabling them to execute code, establish backdoors, and conduct post-exploitation activities. After the vulnerability was publicly disclosed in December 2021, malicious cyber actors began exploiting it and continued to show high interest throughout the first half of 2022. For further insights into Log4Shell, refer to this blog.
- CVE-2022-22954, CVE-2022-22960 – CVE-2022-22954 is a critical remote code execution vulnerability in VMware Workspace ONE Access and Identity Manager. Specifically, it is a server-side template injection flaw that allows attackers to manipulate web application templates, triggering arbitrary code execution due to insufficient input sanitization. Once the server processes the request, the template injection fires and arbitrary shell commands run with the privileges of the VMware user. The vulnerability is critical because it requires no authentication and can be triggered remotely. It was subsequently combined with CVE-2022-22960, a local privilege escalation vulnerability that allows remote execution of commands with root privileges. Exploitation of these VMware vulnerabilities commenced in early 2022 and persisted throughout the rest of the year.
- CVE-2022-1388 – This vulnerability was discovered in various versions of the BIG-IP product line and allows undisclosed requests to bypass iControl REST authentication. If exploited, an unauthenticated attacker with network access could execute arbitrary system commands, add or remove files, or disable services on the vulnerable BIG-IP server. CVE-2022-1388 was a very popular vulnerability in 2022: it was mentioned in over 140 security advisories and is being actively exploited. The vulnerability was disclosed in May 2022, which gave attackers plenty of time to exploit it before patches were released.
- CVE-2022-30190 – A Microsoft Office Word vulnerability, nicknamed "Follina," that was discovered in various versions of Microsoft Windows Server. It affects the Microsoft Support Diagnostic Tool (MSDT) in Windows: a malicious Word document can use the Microsoft Support Diagnostic Tool (ms-msdt) to run PowerShell commands from an external HTML file. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application, and can then install programs, create new accounts, or view, change, or delete data in the context allowed by the user's rights. To learn more about Follina, this blog provides a great overview.
- CVE-2022-26134 – A critical remote code execution vulnerability that impacts Atlassian Confluence and Data Center. It can be exploited by sending a specially crafted HTTP request containing an Object-Graph Navigation Language (OGNL) expression in the Uniform Resource Identifier (URI) of the request, leading to remote code execution (RCE) on the victim server. Prior to its public disclosure in June 2022, the vulnerability was exploited as a zero-day. It is related to an earlier Confluence vulnerability (CVE-2021-26084) that cyber actors also exploited in 2022.
Table 1: Top 12 Routinely Exploited CVEs in 2022
Table 2: Additional Routinely Exploited CVEs in 2022
How can the BreakingPoint Application help you?
Both the Top 12 Routinely Exploited Vulnerabilities in 2022 and the Additional Routinely Exploited Vulnerabilities in 2022 are available as strike lists to facilitate easy testing.
Figure 2: “CISA 2022 Top Routinely Exploited Vulnerabilities” Strike List
Figure 3: “CISA 2022 Additional Routinely Exploited Vulnerabilities” Strike List
Call to Action
Knowing which vulnerabilities are presently being exploited in the wild, and protecting against those threats, provides real value to any organization looking to secure its infrastructure. Strike lists, released as part of the bi-weekly Strike Packs, provide a great way to test against the latest threats and attacks as we see them. To learn more about the latest in-the-wild attacks, you can read this blog. To learn more about Strike Lists and which default test cases are good to run, this blog provides a great overview.
LEVERAGE SUBSCRIPTION SERVICE TO STAY AHEAD OF ATTACKS
The Keysight BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.