The Cybersecurity and Infrastructure Security Agency (CISA) has issued a joint cybersecurity advisory that lists the top 15 exploited software vulnerabilities used by cyber-criminals in 2021.
The advisory was compiled by cybersecurity agencies from the “Five Eyes” nations (Australia, Canada, New Zealand, the U.K., and U.S.). Its purpose is to encourage organizations to apply things like patches to impacted systems and develop a centralized patch management system in order to reduce future threats.
The Top 15 Exploited Software Vulnerabilities in 2021:
| CVE | Vulnerability Name | Vendor and Product | Type |
| CVE-2021-44228 | Log4Shell | Apache Log4j | Remote code execution (RCE) |
| CVE-2021-40539 | Zoho Manage Engine AD SelfService Plus | RCE | |
| CVE-2021-34523 | ProxyShell | Microsoft Exchange Server | Elevation of privilege |
| CVE-2021-34473 | Proxy Shell | Microsoft Exchange Server | RCE |
| CVE-2021-31207 | ProxyShell | Microsoft Exchange Server | Security feature bypass |
| CVE-2021-27065 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26858 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26857 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26855 | ProxyLogon | Microsoft Exchange Server | RCE |
| CVE-2021-26084 | Atlassian Confluence Server and Data Center | Arbitrary code execution | |
| CVE-2021-21972 | VMware vSphere Client | RCE | |
| CVE-2021-1472 | ZeroLogon | Microsoft Netlogon Remote Protocol (MS-NRPC) | Elevation of privilege |
| CVE-2021-0688 | Microsoft Exchange Server | RCE | |
| CVE-2019-11510 | Pulse Secure Pulse Connect Secure |
Arbitrary file reading |
|
| CVE-2018-13379 | Fortinet FortiOS and FortiProxy | Path traversal |
Mitigation:
Vulnerability and Configuration Management
- Update software, operating systems, applications, and firmware on IT network assets in a timely manner. Prioritize patching known exploited vulnerabilities, especially those CVEs identified in this CSA, and then critical and high vulnerabilities that allow for remote code execution or denial-of-service on internet-facing equipment. For patch information on CVEs identified in this CSA, refer to the appendix.
- If a patch for a known exploited or critical vulnerability cannot be quickly applied, implement vendor-approved workarounds.
- Use a centralized patch management system.
- Replace end-of-life software, i.e., software that is no longer supported by the vendor. For example, Accellion FTA was retired in April 2021.
- Organizations that are unable to perform rapid scanning and patching of internet-facing systems should consider moving these services to mature, reputable cloud service providers (CSPs) or other managed service providers (MSPs). Reputable MSPs can patch applications—such as webmail, file storage, file sharing, and chat and other employee collaboration tools—for their customers. However, as MSPs and CSPs expand their client organization’s attack surface and may introduce unanticipated risks, organizations should proactively collaborate with their MSPs and CSPs to jointly reduce that risk.
Identity and Access Management:
- Enforce multi-factor authentication (MFA) for all users, without exception.
- Enforce MFA on all VPN connections. If MFA is unavailable, require employees engaging in remote work to use strong passwords.
- Regularly review, validate, or remove privileged accounts (annually at a minimum).
- Configure access control under the concept of least privilege principle.
- Ensure software service accounts only provide necessary permissions (least privilege) to perform intended functions (non-administrative privileges).
Protective Controls and Architecture
- Properly configure and secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices. o Harden commonly exploited enterprise network services, including Link-Local Multicast Name Resolution (LLMNR) protocol, Remote Desktop Protocol (RDP), Common Internet File System (CIFS), Active Directory, and OpenLDAP. o Manage Windows Key Distribution Center (KDC) accounts (e.g., KRBTGT) to minimize Golden Ticket attacks and Kerberoasting. o Strictly control the use of native scripting applications, such as command-line, PowerShell, WinRM, Windows Management Instrumentation (WMI), and Distributed Component Object Model (DCOM).
- Segment networks to limit or block lateral movement by controlling access to applications, devices, and databases. Use private virtual local area networks.
- Continuously monitor the attack surface and investigate abnormal activity that may indicate lateral movement of a threat actor or malware.
- Use security tools, such as endpoint detection and response (EDR) and security information and event management (SIEM) tools. Consider using an information technology asset management (ITAM) solution to ensure your EDR, SIEM, vulnerability scanner, etc., are reporting the same number of assets.
- Monitor the environment for potentially unwanted programs.
- Reduce third-party applications and unique system/application builds; provide exceptions only if required to support business-critical functions.
- Implement application allowlisting.
