Ensure You’ve Fixed These 12 Most Exploited Flaws, Cybersecurity Officials Urge
A five-year old vulnerability in Fortinet SSL VPNs remains one of the most widely exploited flaws in enterprise networks, despite repeat patch warnings.
So say cybersecurity officials across the U.S. and its Five Eyes intelligence alliance partners in a new joint security advisory detailing the 12 common vulnerabilities and exposures that were most “routinely and frequently exploited by malicious actors” in 2022.
The advisory from Australia, Canada, New Zealand, the U.K. and the U.S. also details a further 30 vulnerabilities that attackers frequently use to compromise organizations, and lists each vulnerability’s Common Weakness Enumeration, or CWE, category, referring to an encyclopedia of more than 600 types of software weaknesses.
Of the top 12 vulnerabilities detailed for 2022, four involve Microsoft software, two tie to VMware software, two to Atlassian software, and one each to F5 Networks and Zoho ManageEngine. They also include Log4Shell, a vulnerability in the open-source logging utility Log4j maintained by Apache.
“Every organization should be using this list to patch their systems and use it to guide their vulnerability management strategy,” said Abigail Bradshaw, who heads the Australian Cyber Security Centre.
Officials warn that by failing to patch these flaws in particular, network defenders are making life easier for attackers, be they advanced persistent threat groups backed by unfriendly governments, cybercriminals, self-proclaimed hacktivists or anyone else intent on causing mischief.
“Organizations continue using unpatched software and systems, leaving easily discovered openings for cyber actors to target,” said Neal Ziring, the technical director for the U.S. National Security Agency’s Cybersecurity Directorate. “Older vulnerabilities can provide low-cost and high impact means for these actors to access sensitive data.”
Vulnerability Management Challenges
Experts say organizations need to run vulnerability management programs that can properly identify all software being used in an enterprise, cross-index this with known vulnerabilities in the software and the actual risk they might pose, and set patch prioritizations accordingly. Such programs also need to take into account zero-day vulnerabilities that may already be getting exploited, but for which no patch is yet available, and attempt to mitigate them via other means.
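The cross-indexing step described above, in an added example that is not code from the advisory or from any vendor: a small Python routine takes a software inventory, matches each asset against a list of known vulnerabilities by product and fixed version, raises the priority of flaws that are known to be exploited and of assets that are internet-facing, and marks entries that have no patch yet as needing a compensating mitigation. The inventory, the placeholder CVE identifier and all version numbers are constructed sample data; only CVE-2018-13379 is taken from the article.

```python
"""Cross-index a software inventory against a known-exploited-vulnerability list.

Added example, not from the advisory or the article. Inventory entries,
'fixed_in' versions and the placeholder CVE are constructed sample data;
CVE-2018-13379 is the only real identifier and comes from the article.
"""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '6.0.3' into (6, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


@dataclass
class Vuln:
    cve: str
    product: str
    fixed_in: str            # first version that carries the fix (constructed value)
    known_exploited: bool    # appears on a routinely-exploited list
    patch_available: bool = True


# Constructed inventory: two SSL VPN appliances and two instances of a made-up app.
INVENTORY = [
    Asset("vpn-edge-01", "fortios-sslvpn", "6.0.3", internet_facing=True),
    Asset("vpn-lab-02", "fortios-sslvpn", "6.0.5", internet_facing=False),
    Asset("app-07", "example-app", "2.1.0", internet_facing=True),
    Asset("build-03", "example-app", "1.9.0", internet_facing=False),
]

# Constructed vulnerability list. The second entry models a zero-day with no patch yet.
KNOWN_VULNS = [
    Vuln("CVE-2018-13379", "fortios-sslvpn", fixed_in="6.0.5", known_exploited=True),
    Vuln("CVE-EXAMPLE-0001", "example-app", fixed_in="2.2.0",
         known_exploited=False, patch_available=False),
]


def affected(asset: Asset, vuln: Vuln) -> bool:
    """An asset is affected if it runs the product at a version below the fix."""
    return (asset.product == vuln.product
            and parse_version(asset.version) < parse_version(vuln.fixed_in))


def priority(asset: Asset, vuln: Vuln) -> int:
    """Simple additive score: base 1, +2 if actively exploited, +1 if exposed."""
    score = 1
    if vuln.known_exploited:
        score += 2
    if asset.internet_facing:
        score += 1
    return score


def prioritized_findings(inventory, vulns):
    """Return affected (host, cve) pairs, highest priority first."""
    findings = []
    for asset in inventory:
        for vuln in vulns:
            if affected(asset, vuln):
                action = "patch" if vuln.patch_available else "mitigate (no patch yet)"
                findings.append({
                    "host": asset.host,
                    "cve": vuln.cve,
                    "priority": priority(asset, vuln),
                    "action": action,
                })
    findings.sort(key=lambda f: (-f["priority"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in prioritized_findings(INVENTORY, KNOWN_VULNS):
        print(f"{f['priority']}  {f['host']:<12} {f['cve']:<18} {f['action']}")
```

Running it ranks the exposed, unpatched VPN appliance first, while the fully patched lab appliance produces no finding at all; the two instances of the unpatched zero-day are kept on the list but tagged for mitigation rather than patching, which is the distinction the paragraph above draws.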
The disconnect between patch availability and organizations running software that’s fully patched highlights just how challenging this discipline continues to be (see: The Decade in Vulnerabilities and Why They Persist).
Take the Fortinet SSL VPN flaw, designated CVE-2018-13379. The path traversal flaw, which researchers say is easy to exploit, was discovered in July 2018 and patched by Fortinet in May 2019. Attackers continued to target and successfully exploit it, leading the NSA in 2019 to issue a then-rare public alert urging users to patch the software. The same year, experts warned it was being exploited by Chinese nation-state hackers, and by 2020, ransomware-wielding attackers had joined the fray. The vulnerability has also featured on every annual list of top threats issued by the Five Eyes partners.
Hence more than four years after Fortinet pushed a patch for its SSL VPN devices to fix the flaw, exploiting the vulnerability remains a reliable tactic for attackers to access many a corporate network. “The continued exploitation indicates that many organizations failed to patch software in a timely manner and remain vulnerable to malicious cyber actors,” the advisory says.
Officials are also using the joint advisory to urge software developers not just to rapidly identify flaws and issue security fixes, but also to pursue more secure by design development practices so that fewer bugs end up in their software.
Eric Goldstein, executive assistant director for cybersecurity at the U.S. Cybersecurity and Infrastructure Security Agency, called on “every technology provider to take accountability for the security outcomes of their customers by reducing the prevalence of these vulnerabilities by design.”
Top 12 Routinely Exploited Vulnerabilities in 2022 (table; source: Five Eyes joint advisory)