
The most critical vulnerabilities right now

We may not yet be at the halfway point of 2021 but, over the course of the past 4 and a half months, Blueliv has already observed over 4,900 critical CVEs spanning widely used products from global vendors such as Panasonic, Cisco, Microsoft, and of course SolarWinds. It is clear that threat actors are still capitalizing on scattered, remote workforces, as evidenced in the platforms they are exploiting (Cisco Small Business, SAP Commerce Cloud).

Compared to the National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data, Blueliv’s own threat score is often significantly different. This is due to Blueliv’s commitment to not only evaluate standard CVEs and their potential risk to an organization in theory but also how they are developing ‘in the wild’. As a result, Blueliv’s risk score is far more dynamic and evolves in line with CVE developments in real time to ensure that security teams can respond to such vulnerabilities swiftly and securely.

With that in mind, here are the most critical CVEs observed by Blueliv throughout the first half of 2021:


CVE-2021-22986

  • Blueliv score: 9.5
  • CVSS score: 9.8
  • Vendor: F5


This remote command execution vulnerability allows unauthenticated attackers to access the iControl REST interface via the BIG-IP management interface and self IP addresses. From here they can execute arbitrary system commands, create or delete files, and disable services.

This CVE applies to BIG-IP versions 16.0.x before 16.0.1.1, 15.1.x before 15.1.2.1, 14.1.x before 14.1.4, 13.1.x before 13.1.3.6, and 12.1.x before 12.1.5.3 and BIG-IQ 7.1.0.x before 7.1.0.3 and 7.0.0.x before 7.0.0.2. Software versions which have reached End of Software Development were not evaluated.
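To turn the affected-version list above into a repeatable check, here is an added example (not code from the Blueliv post or from F5) that classifies BIG-IP and BIG-IQ version strings against the branches and fix versions quoted in the paragraph above. It assumes plain dotted-numeric versions; the device inventory is constructed for the demonstration, and branches the text does not list are reported as "not evaluated" rather than as safe.

```python
from typing import List, Tuple

# Affected branches and first fixed version for CVE-2021-22986, transcribed
# from the advisory text above: (product, branch prefix, first fixed version).
AFFECTED_BRANCHES = [
    ("BIG-IP", "16.0", "16.0.1.1"),
    ("BIG-IP", "15.1", "15.1.2.1"),
    ("BIG-IP", "14.1", "14.1.4"),
    ("BIG-IP", "13.1", "13.1.3.6"),
    ("BIG-IP", "12.1", "12.1.5.3"),
    ("BIG-IQ", "7.1.0", "7.1.0.3"),
    ("BIG-IQ", "7.0.0", "7.0.0.2"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '16.0.1.1' into (16, 0, 1, 1) so versions compare numerically.

    Raises ValueError on anything that is not dotted integers (assumption:
    BIG-IP/BIG-IQ inventory records carry plain numeric version strings).
    """
    return tuple(int(part) for part in version.split("."))


def assess(product: str, version: str) -> str:
    """Classify one device as 'affected', 'fixed' or 'not evaluated'.

    A version is affected when it sits in a listed branch and is strictly
    below that branch's first fixed release. Tuple comparison handles
    differing lengths correctly: (14, 1, 3, 9) < (14, 1, 4) < (14, 1, 4, 1).
    """
    ver = parse_version(version)
    for prod, branch, fixed in AFFECTED_BRANCHES:
        prefix = parse_version(branch)
        if prod == product and ver[: len(prefix)] == prefix:
            return "affected" if ver < parse_version(fixed) else "fixed"
    # Branches the advisory does not list (e.g. End of Software Development
    # releases) were not evaluated, so do not report them as safe.
    return "not evaluated"


# Constructed sample inventory: (hostname, product, version).
INVENTORY = [
    ("ltm-edge-01", "BIG-IP", "15.1.2"),
    ("ltm-edge-02", "BIG-IP", "15.1.2.1"),
    ("ltm-core-01", "BIG-IP", "14.1.4"),
    ("ltm-lab-01", "BIG-IP", "11.6.5"),
    ("bigiq-01", "BIG-IQ", "7.0.0.1"),
]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (hostname, status) for every device, in inventory order."""
    return [(host, assess(product, version)) for host, product, version in inventory]
```

Feed the output into your patch-priority list; "not evaluated" hosts need a manual look because the advisory makes no claim about them.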


CVE-2021-21972

  • Blueliv score: 9.5
  • CVSS score: 9.8
  • Vendor: VMware


A critical remote code execution vulnerability (alongside CVE-2021-21973, outlined below) was discovered in a vCenter Server plugin that could allow threat actors with network access to port 443 to issue commands with unrestricted privileges on the underlying operating system that hosts vCenter Server.

This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).

 

CVE-2021-21973

  • Blueliv score: 5.6
  • CVSS score: 5.3
  • Vendor: VMware


CVE-2021-26855

  • Blueliv score: 9.1
  • CVSS score: 9.8
  • Vendor: Microsoft


This vulnerability is part of an attack chain, with the initial step establishing an untrusted connection to the Exchange server on port 443. ProxyLogon, the collection of Microsoft Exchange vulnerabilities consisting of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), can be chained together to create a pre-authentication remote code execution (RCE) exploit that in turn allows attackers to control servers without valid account credentials. From there they are able to install a web shell for further exploitation within the environment.

This CVE can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access, though Microsoft has recommended installing the updates on external-facing Exchange servers.

The remaining vulnerabilities and their scores are outlined as follows.


CVE-2021-26857

  • Blueliv score: 7.3
  • CVSS score: 7.8
  • Vendor: Microsoft


CVE-2021-26858

  • Blueliv score: 7.3
  • CVSS score: 7.8
  • Vendor: Microsoft


CVE-2021-27065

  • Blueliv score: 7.7
  • CVSS score: 7.8
  • Vendor: Microsoft


CVE-2021-22893

  • Blueliv score: 8.8
  • CVSS score: 10
  • Vendor: Pulse Secure


Pulse Connect Secure 9.0R3/9.1R1 and higher is vulnerable to this CVE, a significant security flaw that can allow an unauthenticated user to perform remote arbitrary code execution on the Pulse Connect Secure gateway, or to upload malicious archives via the administrative web interface.

Pulse Secure has fixed this CVE with the release of Pulse Connect Secure 9.1R11.4.


Conclusion

As widely deployed vendor products continue to suffer critical vulnerabilities that opportunistic threat actors are all too quick to exploit, Blueliv recommends that C-suites practice robust security hygiene from the ground up, and ensure they are following the advice of affected vendors to patch or otherwise mitigate known vulnerabilities.

Blueliv strongly recommends a full threat intelligence solution, such as Blueliv’s Threat Compass, that can monitor, detect, prevent, and remediate incidents that stem from exploited vulnerabilities. Harnessing Blueliv’s deep contextual threat intelligence, organizations can benefit from rare insights and actionable data on the many vulnerabilities facing their perimeter.
