Failing to Patch Vulnerabilities can leave you Open to Attack
Software vulnerabilities are weaknesses in computer programs that cyber attackers exploit to gain unauthorised access to systems. Attackers can take advantage of these vulnerabilities to run malicious code, bypass security measures, and access sensitive information. In the last year, several vulnerabilities have been identified, and some have been exploited in attacks on organisations. The most commonly exploited vulnerabilities are discussed below.
CVE-2021-44228 (Log4Shell) is a vulnerability in Log4j, the Apache Java logging library. Attackers can use this vulnerability to execute code remotely, and the library is very widely used in web applications. Despite the existence of patches for the vulnerability, many organisations have not taken action to protect their systems.
CVE-2021-40539 (Zoho ManageEngine ADSelfService Plus) is a vulnerability that was patched in September 2021. It allows attackers to bypass authentication and execute remote code by exploiting a flaw in the software’s REST API.
CVE-2021-31207, CVE-2021-34473, CVE-2021-34523 (ProxyShell) are a set of three vulnerabilities in the Microsoft Exchange email server. These vulnerabilities allow attackers to bypass security measures, execute code remotely, and elevate privileges. When combined, the vulnerabilities can give attackers full control over vulnerable systems.
CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 (ProxyLogon) are a set of four vulnerabilities in Microsoft Exchange 2013, 2016, and 2019. These vulnerabilities allow attackers to bypass authentication, read emails, and deploy malware. They can be exploited without user interaction, and attackers can use automated tools to scan for and identify unpatched servers.
CVE-2021-26084 (Atlassian Confluence Server & Data Center) is a vulnerability that allows an attacker to execute arbitrary code on a Confluence Server or Data Center instance. Confluence is widely deployed in enterprise environments, and the vulnerability can be exploited by unauthenticated users regardless of configuration. Public exploit code exists for this vulnerability.
CVE-2021-21972 (VMware vSphere Client) allows attackers with network access to port 443 to execute commands with unrestricted privileges on the host operating system. Attackers have already started scanning for vulnerable VMware vCenter servers, and proof-of-concept code is available online. VMware vSphere is virtualisation software commonly used by businesses.
CVE-2020-1472 (ZeroLogon) is one of the top vulnerabilities being exploited, even though mitigations have been available for a while. This bug is related to a flaw in Microsoft’s Active Directory Netlogon Remote Protocol (MS-NRPC) that allows an attacker to log in to servers using NT LAN Manager (NTLM). The bug is caused by a mistake Microsoft made when implementing a custom encryption algorithm, resulting in the initialisation vector (IV) being set to all zeros instead of a random number. Attackers can exploit this vulnerability to forge an authentication token and set the computer password of the domain controller to a known value, which can then be used to compromise other devices on the network. Zerologon has been used by ransomware actors like Ryuk, and several public proof-of-concept exploits are available.
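To make the all-zero IV mistake described above concrete, here is an added example (not code from the original post or from Microsoft): a minimal AES-CFB8 routine built on Go's standard crypto/aes, used to count how often an all-zero input encrypts to an all-zero output under a zero IV versus a random IV. The key sampling is constructed for the demonstration and has nothing to do with real Netlogon traffic.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/rand"
)

// cfb8Encrypt implements AES-CFB8: each plaintext byte is XORed with the first
// byte of AES_k(register), then the ciphertext byte is shifted into the register.
func cfb8Encrypt(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	reg := append([]byte(nil), iv...)
	ks, out := make([]byte, aes.BlockSize), make([]byte, len(plaintext))
	for i, p := range plaintext {
		block.Encrypt(ks, reg)
		out[i] = p ^ ks[0]
		copy(reg, reg[1:]) // shift the register left by one byte
		reg[len(reg)-1] = out[i]
	}
	return out
}

// collapsesToZero reports whether eight zero bytes encrypt to eight zero bytes.
// With a zero IV the register starts as zeros; if AES_k(0)[0] is 0x00 (one key
// in 256) the ciphertext byte is 0x00, the register stays all zeros and every
// later byte repeats the result. A random IV changes the register every byte.
func collapsesToZero(key, iv []byte) bool {
	return bytes.Equal(cfb8Encrypt(key, iv, make([]byte, 8)), make([]byte, 8))
}

// fill overwrites b with bytes from crypto/rand.
func fill(b []byte) {
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
}

// countCollapses draws n random 128-bit keys (a constructed sample) and counts
// how many collapse under a zero IV (randomIV=false) or a fresh random IV.
func countCollapses(n int, randomIV bool) int {
	count, key, iv := 0, make([]byte, 16), make([]byte, 16)
	for i := 0; i < n; i++ {
		fill(key)
		if randomIV {
			fill(iv)
		}
		if collapsesToZero(key, iv) {
			count++
		}
	}
	return count
}
```

With a zero IV roughly one key in 256 collapses, which is the odds an attacker needs to beat; with a random IV the count stays at zero.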
CVE-2020-0688 is a remote code execution vulnerability in Microsoft Exchange Server. It was disclosed in 2020 and occurs because the server fails to create unique keys at install time. An authenticated user with a mailbox who knows the validation key can pass arbitrary objects to be deserialised by the web application, which runs as SYSTEM. Chinese-affiliated actors exploited it in 2020, while Russian-affiliated threat actors exploited it in 2021 and 2022 to escalate privileges and gain remote code execution on vulnerable Microsoft Exchange servers.
CVE-2019-11510 is a flaw in Pulse Secure VPN that lets attackers read files and access networks. Chinese and Russian hackers have exploited it to target COVID-19 research. Although patches were released in 2019, credentials compromised through the flaw have been used in attacks months later. The US government and businesses have also reported incidents involving this vulnerability.
CVE-2018-13379 is a path traversal vulnerability in the Fortinet FortiOS and FortiProxy SSL VPN web portal. It has been exploited for four years and is one of the top 15 vulnerabilities. Exploiting the bug can allow attackers to download FortiProxy system files. It has been used by Russian and Iranian state actors for ransomware and data theft. In February 2022, TunnelVision, an Iranian-aligned threat actor, used this vulnerability alongside Log4Shell and ProxyShell to target organisations.
Conclusion
These vulnerabilities highlight the importance of keeping software up to date with the latest patches and security measures. Businesses that fail to properly inventory and patch their systems are at risk of being exploited by threat actors who actively seek out vulnerable systems. As part of One2Call’s Complete Cyber Security & IT Support solutions, we can ensure that all of your equipment always has the latest updates and is secure against the latest vulnerabilities.