Though CISA’s directive is a catalog of Known Exploited Vulnerabilities (KEV) that affect multiple products and vendors across the United States, there are several notable vendors who stand out amidst the sea of numbers.
Vendor Density Map
In our primary CISA blog, we had a brief look at the top vendors: Microsoft dominates the list with 82 CVEs, Apple and Google have almost equal shares with 23 and 22 vulnerabilities respectively, followed by Cisco with 11 and Apache with 10. In this blog, our research analysts have done a deep dive into the vendors that have the highest number of vulnerabilities associated with their products.
Microsoft
Microsoft leads the tally of most affected vendors with a total of 82 unique CVEs affecting a variety of products.
Most Affected Microsoft Product
Exchange Server has been Microsoft’s worst-affected product, with 10 CVEs called out by CISA that are directly associated with it. The product has also been plagued by ransomware attacks in the last couple of months. A detailed analysis of the 10 CVEs is attached at the end of this article.
Patching Microsoft Exchange Servers should be the Top Priority
With MS Exchange being the primary target for most vulnerabilities, it should be noted that the vulnerabilities have multiple ransomware family and APT group associations. CVE-2021-26855 is associated with the highest number of APT groups (10), which include Hafnium, APT 41, and APT 29 among others. CVE-2017-0143 is associated with the highest number of ransomware families, with ten major families including infamous ones such as Conti, Petya, Ryuk, and WannaCry. The CVE also has a CVSS v3 score of 10, making it extremely critical to patch.
Other major ransomware families that have been associated with MS Exchange vulnerabilities include Conti, Lockfile, Magniber, and Vice Society.
The other critical CVEs that organizations should consider patching on priority are listed below.
Apple
Although the number of vulnerabilities affecting Apple is far lower than that of Microsoft, Apple still takes the position as the second worst-hit vendor with a total of 23 vulnerabilities across its products.
Most Affected Apple Product
Apple’s most affected product is iOS which makes up almost 40 percent of the 23 vulnerabilities. A detailed analysis of the vulnerabilities is listed at the end of the article.
CISA has Prioritized Patching of 16 of 23 Vulnerabilities
Unusually, and perhaps fortunately for Apple, most of the vulnerabilities do not have ransomware associations yet and do not lead to either remote code execution or privileged execution attacks. However, there are some vulnerabilities of interest.
CVE-2021-1879, for example, is the only medium severity vulnerability associated with APT 29 (Cozy Bear) and lies in Apple’s iOS Webkit Browser Engine.
Two high severity vulnerabilities—CVE-2021-30858 and CVE-2021-30860—were found trending in the wild over the last month. Interestingly, both the vulnerabilities have been linked to the infamous Pegasus Spyware zero-click iMessages attack.
CISA also prioritized 16 vulnerabilities for immediate patching. Other than the ones belonging to iOS products listed above, here are the remaining vulnerabilities that had to be patched by November 2021. Since the deadline of November 2021 has already passed, it is recommended that the following CVEs be patched immediately.
Google
Google takes up a close third place, just below Apple, with 22 vulnerabilities. Of the 22 vulnerabilities, CISA has prioritized 17 for immediate patching.
Most Affected Google Product
Out of the 22 CVEs, 10 CVEs or about 45 percent of the vulnerabilities plague Google’s web browser, Chrome. Here is a deeper insight into the vulnerabilities.
CISA Prioritized 17 CVEs for Patching
Since the deadline of November 2021 has already passed, it is recommended that the following CVEs be patched immediately.
Two vulnerabilities—CVE-2020-16010 and CVE-2021-37973—were found trending in the wild in the last month. CVE-2020-16010, a heap buffer overflow vulnerability affecting Chrome, has a high severity (CVSS v3 8.8) and is tagged under the weakness enumeration CWE-787, the most dangerous software weakness of all, according to MITRE’s latest Top 25 list. CVE-2021-37973, also affecting Chrome, is a critical use-after-free vulnerability categorized under CWE-416 and carries a CVSS v3 score of 9.6. CVE-2021-37973 should be patched on priority by updating the browser since the deadline has already passed.
Cisco
A total of 11 CVEs associated with Cisco products have been identified by CISA in their list of vulnerabilities.
Most Affected Cisco Product
The product affected by the largest number of CVEs (3) is IOS XR. The CVEs of concern, CVE-2020-3118, CVE-2020-3566, and CVE-2020-3569, are all high severity vulnerabilities that ought to be remediated by May 2022.
Other Interesting Vulnerabilities that Require Urgent Patching
CSW security analysts concluded that of the 11 exploited CVEs, only two of the vulnerabilities have APT associations while none have ransomware associations. A conclusive list of vulnerabilities that require immediate remediation is available at the end of the article.
CVE-2018-0296, a high severity denial of service vulnerability affecting Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software, has been found associated with the SeaTurtle APT group.
The other notable vulnerability with APT group associations is CVE-2019-1653. The improper access control vulnerability affecting Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN routers is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and carries a CVSS v3 score of 7.5 (high). The vulnerability is also associated with 2 APT groups, namely, APT41 (also known as Barium and Wicked Panda) and APT29 (Cozy Bear).
Cisco Hyperflex HX devices have been affected by two very critical command injection vulnerabilities, CVE-2021-1497 and CVE-2021-1498, which can allow unauthenticated remote attacks. Another critical remote code execution vulnerability that affects Cisco IP Phone products, CVE-2020-3161, is something organizations should add to their priority patching list.
Apache
Apache appears on the Top 5 Affected Vendors list with a total of 9 vulnerabilities of which 7 have remote code execution and privilege escalation capabilities, 5 are trending in the wild, and 3 have ransomware associations.
Most Affected Apache Product
Of all the 10 vulnerabilities in Apache products, Apache Struts has the largest number of Internet-facing products according to Shodan, with approximately 20 million devices, making Struts the worst affected Apache product.
There are four vulnerabilities listed by CISA that directly affect Struts products, of which three have ransomware associations.
The three vulnerabilities with ransomware associations (CVE-2017-5638, CVE-2017-9805, and CVE-2018-11776) have been covered in detail in our blog on CISA ransomware vulnerabilities.
Stave Ransomware Attacks by Prioritizing Patching
Ninety percent of Apache vulnerabilities have remote code execution or privilege escalation capabilities, making them all a priority for patching. Among the vulnerabilities, there are five that are actively trending, of which two already have ransomware associations and have been mentioned before (CVE-2017-5638 and CVE-2018-11776). The other three trending vulnerabilities are CVE-2019-0211, CVE-2021-41773, and CVE-2021-42013. The latter vulnerabilities affect Apache HTTP Servers.
Interestingly, CVE-2017-5638 is also the only vulnerability with APT group associations. It is linked to the infamous Lazarus group.
On December 03, 2021, CISA added five more vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, of which CVE-2021-40438 affects Apache HTTP Servers. The vulnerability has to be prioritized for patching by December 15, 2021.
Since most of the vulnerabilities in Apache’s kit are crucial to remediate, it is important for organizations to focus their efforts on immediate patching in order to stave off a potential ransomware attack.
CSW’s prioritization capabilities can help organizations focus on remediation efforts to fix the really critical vulnerabilities.
Over the last several months, CSW security experts and researchers have been able to provide vendor-specific patch watch notifications and have been able to call out more than 190 of the 291 vulnerabilities detailed by CISA in their Known Exploited Vulnerabilities (KEV) catalog.
The first deadline on November 17, 2021, when 98 CVEs needed to be remediated, and the second deadline on December 01, 2021, when 117 vulnerabilities ought to have been fixed by public and private sector companies, have already passed.
On December 03, 2021, CISA added five more vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog, which have a set deadline of either December 15, 2021, or January 6, 2022.
It is now a priority for organizations that have not implemented the patches for the dangerous vulnerabilities to achieve their targets quickly before 2021 ends.
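A triage sketch for the vendor tallies and remediation deadlines discussed in this article, added here as an example and not CSW's or CISA's own code. It assumes the KEV JSON field names `cveID`, `vendorProject`, `product` and `dueDate`; the sample records reuse CVE IDs named in the article, while their due dates and the placeholder row are constructed for illustration.

```python
import json
from collections import Counter, defaultdict
from datetime import date

# Constructed sample in the KEV JSON layout. CVE IDs, vendors and products are
# the ones named in this article; the dueDate values are constructed to match
# the months the article mentions and must be checked against the live catalog.
FIELDS = ("cveID", "vendorProject", "product", "dueDate")
ROWS = [
    ("CVE-2021-26855", "Microsoft", "Exchange Server", "2021-11-17"),
    ("CVE-2020-16010", "Google", "Chrome", "2021-11-17"),
    ("CVE-2021-37973", "Google", "Chrome", "2021-11-17"),
    ("CVE-2021-1879", "Apple", "iOS", "2021-11-17"),
    ("CVE-2020-3118", "Cisco", "IOS XR", "2022-05-03"),
    ("CVE-2020-3566", "Cisco", "IOS XR", "2022-05-03"),
    ("CVE-2020-3569", "Cisco", "IOS XR", "2022-05-03"),
    ("CVE-2018-0296", "Cisco", "ASA and FTD Software", "2022-05-03"),
    ("CVE-2021-40438", "Apache", "HTTP Server", "2021-12-15"),
    ("CVE-0000-0000", "ExampleVendor", "Placeholder", ""),  # malformed: no dueDate
]
SAMPLE_KEV = json.dumps({"vulnerabilities": [dict(zip(FIELDS, r)) for r in ROWS]})

def load_entries(raw):
    """Parse KEV-style JSON, skipping records that lack a field we rely on."""
    return [v for v in json.loads(raw).get("vulnerabilities", [])
            if all(v.get(k) for k in FIELDS)]

def vendor_density(entries):
    """Per vendor: total CVEs, plus the product with the most CVEs and its count."""
    by_vendor = defaultdict(Counter)
    for e in entries:
        by_vendor[e["vendorProject"]][e["product"]] += 1
    rows = [(vendor, sum(products.values()), *products.most_common(1)[0])
            for vendor, products in by_vendor.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

def overdue(entries, today):
    """Entries whose remediation deadline is before `today`, oldest first."""
    late = [(date.fromisoformat(e["dueDate"]), e["cveID"], e["vendorProject"])
            for e in entries]
    return sorted(r for r in late if r[0] < today)

if __name__ == "__main__":
    entries = load_entries(SAMPLE_KEV)
    for vendor, total, product, n in vendor_density(entries):
        print(f"{vendor}: {total} CVEs, most affected product {product} ({n})")
    for due, cve, vendor in overdue(entries, date(2021, 12, 10)):
        print(f"OVERDUE since {due}: {cve} ({vendor})")
```

Feeding the same functions the full catalog file instead of `SAMPLE_KEV` gives the per-vendor density and the list of missed deadlines for an asset inventory review.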
As federal entities and critical organizations take immediate action to improve their cyber hygiene, our expert pentesters and security researchers can help prioritize the patching of the vulnerabilities and conduct monthly or quarterly assessments to improve their security posture.
In order to help organizations with their remediation efforts, CSW researchers put together a consolidated list of all the major vulnerabilities affecting the top vendors. The following detailed perspective of all the vulnerabilities affecting the top vendors and their products can be downloaded to help prioritize remediation.
CSW’s Vulnerability Management as a Service (VMaaS) offers full coverage encompassing your entire IT landscape and detects, prioritizes, and fixes vulnerabilities on your organizational infrastructure.