These 15 Bugs Are Attackers' Favorites Right Now
It should come as no surprise that some of the more serious ones are in edge security devices
There is no shortage of critical vulnerabilities in major products for attackers to take advantage of, and they don’t let the opportunity pass by. In a new advisory from CISA and partners in Australia, Canada, New Zealand, and the U.K., the agencies detail the 15 most commonly exploited vulnerabilities.
The advisory, co-authored by the signals intelligence and cybersecurity agencies in various countries, paints a rather bleak picture of the security of enterprise software.
Among the 15 vulnerabilities listed, two are in Cisco’s IOS XE software, one is in the Fortinet FortiOS and FortiProxy SSL-VPN, and one is in the Barracuda Email Security Gateway.
Some of the remaining flaws will be familiar to any defender: the Apache Log4Shell bug and the Progress MOVEit Transfer vulnerability, both of which have become major problems for thousands of organizations.
CVEs:
CVE-2023-3519 - Citrix - NetScaler ADC - Unauthenticated remote code execution
CVE-2023-4966 - Citrix - NetScaler ADC - Unauthenticated sensitive information disclosure
CVE-2023-20198 - Cisco - IOS XE - Privilege escalation
CVE-2023-20273 - Cisco - IOS XE - OS command injection
CVE-2023-27997 - Fortinet - FortiOS-6K7K - Execute unauthorized code or commands
CVE-2023-34362 - Progress - MOVEit Transfer - SQL injection
CVE-2023-22515 - Atlassian - Confluence Data Center and Server - Broken access control
CVE-2021-44228 - Apache - Log4j2 - Remote code execution
CVE-2023-2868 - Barracuda Networks - ESG Appliance - Improper input validation
CVE-2022-47966 - Zoho - ManageEngine (multiple products) - Remote code execution
CVE-2023-27350 - PaperCut - MF/NG - Improper access control
CVE-2020-1472 - Microsoft - Netlogon - Privilege escalation
CVE-2023-42793 - JetBrains - TeamCity - Authentication bypass
CVE-2023-23397 - Microsoft - Office Outlook - Privilege escalation
CVE-2023-49103 - ownCloud - graphapi - Information disclosure
Why It Matters: All of these vulnerabilities are publicly known, their technical details are available, and some of them are several years old.
For example, the Log4Shell bug dates from 2021 and the Microsoft Netlogon flaw from 2020.
The fact that attackers are still having success exploiting these vulnerabilities is not a good sign for the current state of patch management. Many of these vulnerabilities were also exploited as zero-days.
“In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day,” the advisory says.
“Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.”
What to Do Now: Patch these vulnerabilities as soon as possible. Attackers are clearly focusing their efforts on these bugs and having plenty of success. Many of these vulnerabilities were disclosed two or more years ago, so there has been more than enough time to apply the updates.
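As an added illustration (not part of the advisory or of this post), here is a small Python triage helper that parses the list above and checks a constructed asset inventory against it, flagging unpatched CVEs and ordering edge devices first. The set of products treated as "edge" and the use of the CVE year as a disclosure-year proxy are assumptions for the example.

```python
import re
from typing import NamedTuple

class Entry(NamedTuple):
    cve: str
    vendor: str
    product: str
    weakness: str
    year: int  # year in the CVE identifier, used here as a disclosure-year proxy

# Entries copied from the advisory list above, "CVE - vendor - product - weakness" form.
ADVISORY_LINES = """\
CVE-2023-3519 - Citrix - NetScaler ADC - Unauthenticated remote code execution
CVE-2023-20198 - Cisco - IOS XE - Privilege escalation
CVE-2023-20273 - Cisco - IOS XE - OS command injection
CVE-2021-44228 - Apache - Log4j2 - Remote code execution
CVE-2020-1472 - Microsoft - Netlogon - Privilege escalation
"""
# Assumption used for prioritisation: these products sit at the network edge.
EDGE_PRODUCTS = {"NetScaler ADC", "IOS XE", "FortiOS-6K7K", "ESG Appliance"}

def parse_advisory(text: str) -> list[Entry]:
    """Parse the list into Entry records, rejecting lines that do not fit the format."""
    entries = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(" - ")]
        if len(parts) != 4 or not re.fullmatch(r"CVE-\d{4}-\d{4,}", parts[0]):
            raise ValueError(f"unexpected advisory line: {line!r}")
        entries.append(Entry(*parts, int(parts[0].split("-")[1])))
    return entries

def exposure(inventory, advisory, advisory_year=2023):
    """Unpatched (asset, CVE) findings: edge devices first, then newest CVEs first."""
    by_product = {}
    for e in advisory:
        by_product.setdefault(e.product, []).append(e)
    findings = []
    for asset, product, patched in inventory:
        for e in by_product.get(product, []):
            if e.cve not in patched:
                age = advisory_year - e.year  # advisory: success peaks within 2 years
                findings.append({"asset": asset, "cve": e.cve, "product": product,
                                 "edge": product in EDGE_PRODUCTS, "years_public": age,
                                 "peak_window": age <= 2})
    findings.sort(key=lambda f: (not f["edge"], f["years_public"]))
    return findings

# Constructed sample inventory: (asset, product, CVEs confirmed patched on that asset).
INVENTORY = [("app-srv-07", "Log4j2", set()), ("core-rtr-02", "IOS XE", {"CVE-2023-20198"}),
             ("dc-01", "Netlogon", {"CVE-2020-1472"}), ("vpn-edge-01", "NetScaler ADC", set())]
```

Running `exposure(INVENTORY, parse_advisory(ADVISORY_LINES))` lists the two unpatched edge devices first and the Log4j2 host last; a malformed list line (such as one missing a separator) is rejected by the parser rather than silently mis-attributed.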