Endpoint Security , Governance & Risk Management , Government

Patching Conundrum: 5-Year-Old Flaw Again Tops Most-Hit List

Ensure You've Fixed These 12 Most Exploited Flaws, Cybersecurity Officials Urge
Patching Conundrum: 5-Year-Old Flaw Again Tops Most-Hit List

A five-year old vulnerability in Fortinet SSL VPNs remains one of the most widely exploited flaws in enterprise networks, despite repeat patch warnings.

See Also: Cybersecurity in Public Sector: 5 Insights You Need to Know

So say cybersecurity officials across the U.S. and its Five Eyes intelligence alliance partners in a new joint security advisory detailing the 12 most common vulnerabilities and exposures that were most "routinely and frequently exploited by malicious actors" in 2022.

The advisory from Australia, Canada, New Zealand, the U.K. and the U.S. also details 30 vulnerabilities that attackers frequently use to compromise organizations, as well as vulnerabilities' Common Weakness Enumeration, or CWE, referring to an encyclopedia of more than 600 types of software weaknesses.

Of the top 12 vulnerabilities detailed for 2022, four involve Microsoft software, two tie to VMware software, two to Atlassian software, and one each to F5 Networks and Zoho ManageEngine. The flaws also include Log4Shell, a vulnerability in the open-source logging utility Log4j, maintained by Apache.

"Every organization should be using this list to patch their systems and use it to guide their vulnerability management strategy," said Abigail Bradshaw, who heads the Australian Cyber Security Center.

Officials warn that by failing to patch these flaws in particular, network defenders are making life easier for attackers, be they advanced persistent threat groups backed by unfriendly governments, cybercriminals, self-proclaimed hacktivists or anyone else intent on causing mischief.

"Organizations continue using unpatched software and systems, leaving easily discovered openings for cyber actors to target," said Neal Ziring, the technical director for the U.S. National Security Agency's Cybersecurity Directorate. "Older vulnerabilities can provide low-cost and hig- impact means for these actors to access sensitive data."

Vulnerability Management Challenges

Experts say organizations need to run vulnerability management programs that can properly identify all software being used in an enterprise, cross-index this with known vulnerabilities in the software and the actual risk they might pose, and set patch prioritizations accordingly. Such programs also need to take into account zero-day vulnerabilities that may already be getting exploited but for which no patch is yet available, and attempt to mitigate them via other means.

The disconnect between patch availability and organizations running software that's fully patched highlights just how challenging this discipline continues to be (see: The Decade in Vulnerabilities and Why They Persist).

Take the Fortinet SSL VPN flaw, designated CVE-2018-13379. The path traversal flaw, which researchers say is easy to exploit, was discovered in July 2018 and patched by Fortinet in May 2019. Attackers continued to target and successfully exploit it, leading the NSA in 2019 to issue a then-rare public alert urging users to patch the software. The same year, experts warned the software was being exploited by Chinese nation-state hackers and by 2020, ransomware-wielding attackers had joined the fray. The vulnerability has also appeared on every annual list of top threats issued by Five Eyes partners.

Hence more than four years after Fortinet pushed a patch for its SSL VPN devices to fix the flaw, exploiting the vulnerability remains a reliable tactic for attackers to access many corporate networks. "The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors," the advisory says.

Officials are also using the joint advisory to urge software developers not just to rapidly identify flaws and issue security fixes, but also to pursue more "secure by design" development practices so that fewer bugs end up in their software.

Eric Goldstein, executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency, called for "every technology provider to take accountability for the security outcomes of their customers by reducing the prevalence of these vulnerabilities by design."

Top 12 Routinely Exploited Vulnerabilities in 2022

CVE

Vendor

Product

Type

CWE

CVE-2018-13379

Fortinet

FortiOS and FortiProxy

SSL VPN credential exposure

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2021-34473 (Proxy Shell)

Microsoft

Exchange Server

RCE

CWE-918 Server-Side Request Forgery (SSRF)

CVE-2021-31207 (Proxy Shell)

Microsoft

Exchange Server

Security Feature Bypass

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVE-2021-34523 (Proxy Shell)

Microsoft

Exchange Server

Elevation of Privilege

CWE-287 Improper Authentication

CVE-2021-40539

Zoho ManageEngine

ADSelfService Plus

RCE/Authentication Bypass

CWE-287 Improper Authentication

CVE-2021-26084

Atlassian

Confluence Server and Data Center

Arbitrary code execution

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2021- 44228 (Log4Shell)

Apache

Log4j2

RCE

CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CWE-20 Improper Input Validation

CWE-400 Uncontrolled Resource Consumption

CWE-502 Deserialization of Untrusted Data

CVE-2022-22954

VMware

Workspace ONE Access and Identity Manager

RCE

CWE-94 Improper Control of Generation of Code ('Code Injection')

CVE-2022-22960

VMware

Workspace ONE Access, Identity Manager, and vRealize Automation

Improper Privilege Management

CWE-269 Improper Privilege Management

CVE-2022-1388

F5 Networks

BIG-IP

Missing Authentication Vulnerability

CWE-306 Missing Authentication for Critical Function

CVE-2022-30190

Microsoft

Multiple Products

RCE

None Listed

CVE-2022-26134

Atlassian

Confluence Server and Data Center

RCE

CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Source: Five Eyes joint advisory


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.