At Fidelis Cybersecurity®, our threat research team provides coverage and vigilance on the most threatening vulnerabilities through continuous monitoring of the current threat landscape. The third quarter of 2021 introduced 5,438 new vulnerabilities, including 907 vulnerabilities rated with a high or critical CVSS score. While the CVSS scoring mechanism is valuable, our threat research team also applies expert analysis to identify the most critical issues.
Our real-time vulnerability alert engine cuts the noise by leveraging public data and applying proprietary data analytics to produce real-time alerts for highly seismic vulnerability exposures and misconfigurations, making vulnerability fatigue a thing of the past. Since its first launch at BSidesSF, we have continuously improved our real-time vulnerability alert engine, allowing us to deliver this quarterly vulnerability and trend report to keep you ahead of the most urgent threats. Here is the most recent vulnerability report, including the list of top CVEs for Q3 2021.
Figure 1: All 2021 vulnerabilities with Q3 vulnerabilities highlighted in blue
In Figure 1, the X axis represents each day of the year from January 1 to September 30, 2021. The Y axis represents the vulnerability trend quotient calculated by the engine (see the BSides presentation for more information). This quotient is calculated each day for each CVE. For simplicity, the Y axis is divided into four colors (red, orange, yellow and green) which represent the criticality of each vulnerability. Each blue dot represents a vulnerability. It is possible that the same vulnerability will appear over multiple days, especially those with a high value on the X axis. Third quarter vulnerabilities are highlighted by the light blue box on the timeline.
The number of high severity vulnerabilities quadrupled in the third quarter of 2021
As you can see, the criticality of the second quarter's PrintNightmare vulnerability, CVE-2021-1675, is higher than that of the third quarter's highest vulnerability, CVE-2021-40444. However, the total number of high and critical vulnerabilities (indicated by the number of dots on the graph) is much higher in the third quarter. In fact, the number of high severity vulnerabilities quadrupled in the third quarter compared to the second quarter total.
Figure 2 below shows the number of high and critical vulnerabilities for the three quarters.
Figure 2: Quarterly Comparison of High and Critical Vulnerabilities
Now let’s zoom in on the vulnerabilities in the Q3 blue zone of Figure 1. The chart below shows all the vulnerabilities in the third quarter. The X axis represents each vulnerability while the Y axis represents the sum of the vulnerability quotient for each CVE. If a vulnerability is detected multiple times during a week or month, the Y axis represents the sum of the quotients for that CVE. For example, the Windows Print Spooler PrintNightmare vulnerability appeared several times in the third quarter, so its Y value is the sum of all quotients for that CVE across the quarter.
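To make the aggregation behind Figures 2 and 3 concrete, here is an added Python example (not Fidelis code): the engine's quotient formula is not on this page, so the daily quotients and the high/critical threshold are constructed assumptions, and only the per-quarter counting and per-CVE summation are illustrated.

```python
from collections import defaultdict
from datetime import date

# Constructed sample of daily engine output: (day, CVE, trend quotient).
# Values are made up for illustration; the real quotient formula is not on this page.
DAILY_SCORES = [
    (date(2021, 6, 29), "CVE-2021-1675", 9.5),   # Q2 PrintNightmare, highest single day
    (date(2021, 6, 30), "CVE-2021-1675", 9.1),
    (date(2021, 7, 6), "CVE-2021-34527", 8.0),   # resurfaces on several Q3 days
    (date(2021, 7, 8), "CVE-2021-34527", 7.5),
    (date(2021, 8, 2), "CVE-2021-34527", 6.0),
    (date(2021, 9, 7), "CVE-2021-40444", 9.0),   # highest single Q3 day
    (date(2021, 9, 1), "CVE-2021-26084", 8.2),
    (date(2021, 9, 22), "CVE-2021-22005", 7.9),
]

HIGH_THRESHOLD = 7.0  # assumed lower edge of the high/critical bands (not given on the page)


def quarter_of(day):
    """Calendar quarter (1-4) that a date falls in."""
    return (day.month - 1) // 3 + 1


def high_critical_cves_by_quarter(scores, threshold=HIGH_THRESHOLD):
    """Figure 2 style count: distinct CVEs per quarter whose quotient reached
    the high/critical band on at least one day. A CVE seen on several days
    is counted once, so repeated appearances do not inflate the count."""
    seen = defaultdict(set)
    for day, cve, quotient in scores:
        if quotient >= threshold:
            seen[quarter_of(day)].add(cve)
    return {q: len(cves) for q, cves in sorted(seen.items())}


def quotient_sums_for_quarter(scores, quarter):
    """Figure 3 style value: sum of every daily quotient a CVE received inside
    the quarter, so a CVE that keeps resurfacing outranks one with a single
    high day even if that day scored higher."""
    totals = defaultdict(float)
    for day, cve, quotient in scores:
        if quarter_of(day) == quarter:
            totals[cve] += quotient
    return dict(totals)


def ranked(sums, n):
    """Top-n CVEs by summed quotient, highest first."""
    return sorted(sums.items(), key=lambda kv: kv[1], reverse=True)[:n]
```

With this sample, Q2 has one high/critical CVE and Q3 has four, and CVE-2021-34527 ranks first in Q3 despite CVE-2021-40444 having the higher single-day quotient.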
Figure 3: Vulnerabilities in the third quarter of 2021
The Dirty Dozen CVEs for the third quarter of 2021
1. Microsoft MSHTML remote code execution: CVE-2021-40444
On September 7, Microsoft issued an out-of-band advisory acknowledging targeted attacks that attempt to exploit CVE-2021-40444 using specially crafted Microsoft Office documents. Once the victim opens the malicious Word, Excel or PowerPoint document, the attacker can take full control of the victim’s machine. Many PoCs are publicly available on GitHub. Microsoft has released mitigations and workarounds to address this issue.
2. Windows Print Spooler – PrintNightmare: CVE-2021-34527
CVE-2021-34527 is a sister vulnerability to CVE-2021-1675, which topped our list of Q2 2021 vulnerabilities; you can read more about it in our Q2 report. Both vulnerabilities belong to the PrintNightmare family of problems. This is a remote code execution vulnerability that exists when the Windows Print Spooler service incorrectly performs privileged file operations. An attacker who successfully exploits this vulnerability can execute arbitrary code with SYSTEM privileges, and can use it to install programs; view, modify or delete data; or create new accounts with full user rights.
3. Confluence Server Webwork OGNL remote code execution: CVE-2021-26084
Confluence is a widely used collaboration tool that organizes and centralizes work sharing. CVE-2021-26084 is a vulnerability actively exploited in the wild that allows attackers (regardless of configuration) to take complete control of the affected Confluence Server or Data Center instance. Initially, around 12,000 publicly reachable instances appeared to be in a vulnerable state, but the number of affected sites has since declined. If you are unable to upgrade Confluence immediately, you can mitigate the problem by running the vendor-provided workaround script. To detect this attack, administrators should monitor HTTP traffic for requests where the path component of the Request URI contains certain IOC strings.
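As an added illustration of that detection guidance (example code, not from Fidelis or Atlassian), the following Python scans constructed Confluence access-log lines for an indicator in the decoded Request URI path. The indicator list is a placeholder: `${` is assumed only because it is the OGNL expression delimiter, and a real deployment should load the strings from the vendor advisory instead.

```python
import re
from urllib.parse import unquote, urlsplit

# Placeholder indicator list (assumption): replace with the IOC strings from the
# vendor advisory. "${" is used here purely as generic OGNL expression syntax.
IOC_PATH_STRINGS = ("${",)

# Combined-format access log line, e.g. from a reverse proxy in front of Confluence.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def normalise_path(target):
    """Path component of the request target, percent-decoded twice so that
    encoded and double-encoded forms of an indicator are both visible."""
    return unquote(unquote(urlsplit(target).path))


def is_suspicious(target, iocs=IOC_PATH_STRINGS):
    """True when the decoded path contains any indicator. Only the path is
    inspected, matching the 'path component of the Request URI' guidance."""
    path = normalise_path(target).lower()
    return any(ioc.lower() in path for ioc in iocs)


def scan_access_log(lines, iocs=IOC_PATH_STRINGS):
    """Return (source_ip, timestamp, status, decoded_path) for every hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_suspicious(m["target"], iocs):
            hits.append((m["src"], m["ts"], int(m["status"]),
                         normalise_path(m["target"])))
    return hits


# Constructed sample lines: a benign request, one carrying the indicator
# percent-encoded in the path, and one carrying it only in the query string.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Sep/2021:10:15:02 +0000] "GET /login.action HTTP/1.1" 200 1432',
    '198.51.100.9 - - [01/Sep/2021:10:15:09 +0000] "POST /pages/%24%7Bfoo%7D/x.action HTTP/1.1" 302 0',
    '192.0.2.4 - - [01/Sep/2021:10:16:00 +0000] "GET /search.action?q=%24%7B1%7D HTTP/1.1" 200 88',
]
```

The query-string case is deliberately not flagged, since the guidance names the path component; widen `normalise_path` to include `urlsplit(target).query` if your monitoring policy calls for it.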
4. vCenter Server File Upload Vulnerability – CVE-2021-22005
VMware has confirmed active exploitation of this vulnerability in the wild. vCenter Server contains an arbitrary file upload vulnerability in the Analytics service. A malicious actor with network access to port 443 on vCenter Server can exploit this issue to execute code by uploading a specially crafted file. An attacker who can reach the affected software on the network (in this case vCenter Server) can execute commands and bypass the security controls in place.
The rest of the top vulnerabilities that made our list are in the table below.
| # | CVE | Description |
|---|---|---|
| 5 | CVE-2021-30860 | Apple macOS, iOS, watchOS PDF code execution |
| 6 | CVE-2021-36934 | Microsoft Windows SAM elevation of privilege via overly permissive access control lists (ACLs) |
| 7 | CVE-2021-33909 | Linux kernel seq_file out-of-bounds write flaw |
| 8 | CVE-2021-38647 | Microsoft OMI remote code execution |
| 9 | CVE-2021-35211 | SolarWinds Serv-U memory escape vulnerability |
| 10 | CVE-2021-30807 | Apple macOS, iOS kernel extension code execution |
| 11 | CVE-2021-34473 | Microsoft Exchange Server remote code execution |
| 12 | CVE-2021-33035 | Apache OpenOffice dBase/DBF document remote code execution |
Our goal with the Quarterly Vulnerabilities and Trends Report is to identify trends, reduce vulnerability noise, and provide the most accurate, fastest and broadest coverage.
Protecting against vulnerabilities begins with proactive defense. The Fidelis CloudPassage Halo® unified cloud security platform provides continuous monitoring and management of vulnerabilities across IaaS, PaaS, servers and containers for public, private, hybrid and multi-cloud environments. With Fidelis Halo, you receive high-fidelity alerts on vulnerabilities, including high, critical, and zero-day alerts, so you can secure your systems before exploitation.
Learn more about Fidelis Halo and start your 15-day free trial.