The most critical vulnerabilities right now – November 2021

From SolarWinds to the first of many Microsoft 0-days, the first half of 2021 saw thousands of critical CVEs impact software and solutions from some of the world’s leading and most reputable vendors (as highlighted in our previous CVE analysis blog here). In the months since, Blueliv has observed over 13,000 critical CVEs, many of which have had impacts as devastating as those listed above.

Compared to the National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data, Blueliv’s own threat score methodology adds value by assessing not only CVEs and their potential risk to an organization, but also how they evolve ‘in the wild’.

As a result, Blueliv’s risk score is far more dynamic and evolves in real time in line with CVE developments, so that security teams can respond to such vulnerabilities swiftly and securely. Below are the most critical CVEs currently being observed by Blueliv:

CVE-2021-41773

  • Blueliv score: 7.8
  • CVSS score: 7.5
  • Vendor: Apache

In October 2021, the Apache HTTP Server Project, a collaborative software development project dedicated to creating a free source code implementation of an HTTP server, disclosed a vulnerability introduced in Apache HTTP Server 2.4.49.

The vulnerability, known as CVE-2021-41773 and affecting both Linux and Windows servers, allows an attacker to bypass path traversal protections and read arbitrary files on the web server’s file system. Although it was quickly patched in release 2.4.50, it was soon discovered that this fix was incomplete, and a new vulnerability, CVE-2021-42013, was identified.

CVE-2021-42013

  • Blueliv score: 9.1
  • CVSS score: 9.8
  • Vendor: Apache

A day after Apache released patch 2.4.50 for CVE-2021-41773, it was discovered that CVE-2021-42013 could be used to achieve remote code execution if the “mod_cgi” module was loaded and the configuration “require all denied” was absent. Apache swiftly issued a further round of emergency updates which eventually addressed both CVEs.

CVE-2021-26084

  • Blueliv score: 9.5
  • CVSS score: 9.8
  • Vendor: Atlassian

In August 2021, Atlassian alerted customers that its enterprise collaboration solution Confluence was affected by CVE-2021-26084, a vulnerability that allowed attackers to run arbitrary code on the impacted server and across data center instances. In some cases, attackers were able to exploit the vulnerability without authentication.

In the months since, multiple exploitation attempts, including internet scans aimed at identifying vulnerable systems, have been detected targeting yet-to-be-patched Confluence users. CVE-2021-26084 affects versions 6.13.23 and earlier, 6.14.0 to 7.4.11, 7.5.0 to 7.11.6, and 7.12.0 to 7.12.5.
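As an added example (not Blueliv’s code, nor anything from the Apache or Atlassian projects), the following Python script turns the version ranges quoted in the Apache and Confluence sections above into a simple inventory check, and also inspects an httpd.conf fragment for the server-wide default-deny directive. It assumes that the “require all denied” setting the post refers to is the `Require all denied` line inside the top-level `<Directory />` block of a stock httpd.conf, and it treats 2.4.49 as still in scope for CVE-2021-42013 because the post describes 2.4.50 as an incomplete fix of the same flaw. The product labels, the inventory and the two configuration fragments are constructed sample input.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted version string such as '7.4.11' into (7, 4, 11)."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def in_range(version: Version, low: Version, high: Version) -> bool:
    """Inclusive comparison; shorter tuples are zero-padded so 7.12 == 7.12.0."""
    n = max(len(version), len(low), len(high))

    def pad(v: Version) -> Version:
        return v + (0,) * (n - len(v))

    return pad(low) <= pad(version) <= pad(high)


# Inclusive affected ranges as stated in the post. The product keys are
# hypothetical inventory labels, not vendor identifiers.
AFFECTED: Dict[str, Dict[str, List[Tuple[Version, Version]]]] = {
    "confluence": {
        "CVE-2021-26084": [
            ((0,), (6, 13, 23)),        # 6.13.23 and earlier
            ((6, 14, 0), (7, 4, 11)),
            ((7, 5, 0), (7, 11, 6)),
            ((7, 12, 0), (7, 12, 5)),
        ],
    },
    "apache-httpd": {
        "CVE-2021-41773": [((2, 4, 49), (2, 4, 49))],
        # 2.4.50 was the incomplete fix; 2.4.49 is assumed to remain in scope
        "CVE-2021-42013": [((2, 4, 49), (2, 4, 50))],
    },
}


def matching_cves(product: str, version: str) -> List[str]:
    """Return the CVE IDs from the post whose affected range covers this version."""
    v = parse_version(version)
    hits = []
    for cve, ranges in AFFECTED.get(product.lower(), {}).items():
        if any(in_range(v, low, high) for low, high in ranges):
            hits.append(cve)
    return hits


def root_directory_denies_all(httpd_conf: str) -> bool:
    """True if the server-wide <Directory /> block carries 'Require all denied'.

    Assumption: this is the default-deny setting the post says was absent on
    servers where CVE-2021-42013 could be pushed to code execution. Commented
    lines do not count because the match is anchored at the start of a line.
    """
    block = re.search(r'<Directory\s+"?/"?\s*>(.*?)</Directory>', httpd_conf, re.S | re.I)
    if not block:
        return False
    return re.search(r"^\s*Require\s+all\s+denied\s*$", block.group(1), re.M | re.I) is not None


# Constructed sample input: a small inventory and two httpd.conf fragments.
SAMPLE_INVENTORY = [
    ("confluence", "7.4.11"),
    ("confluence", "7.4.12"),
    ("apache-httpd", "2.4.49"),
    ("apache-httpd", "2.4.51"),
]

HARDENED_CONF = """
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory "/usr/local/apache2/htdocs">
    Require all granted
</Directory>
"""

WEAK_CONF = """
<Directory />
    AllowOverride None
    # Require all denied
</Directory>
"""


def assess(inventory) -> Dict[Tuple[str, str], List[str]]:
    """Map each (product, version) pair to the CVEs it is exposed to."""
    return {(p, v): matching_cves(p, v) for p, v in inventory}


if __name__ == "__main__":
    for (product, version), cves in assess(SAMPLE_INVENTORY).items():
        print(f"{product} {version}: {', '.join(cves) or 'not in any listed range'}")
    print("hardened httpd.conf default-deny present:", root_directory_denies_all(HARDENED_CONF))
    print("weak httpd.conf default-deny present:", root_directory_denies_all(WEAK_CONF))
```

The version check compares zero-padded tuples so that a two-component version such as 7.12 is placed correctly inside the 7.12.0 to 7.12.5 range, and the configuration check deliberately ignores a commented-out `# Require all denied`, which is exactly the kind of line that makes a quick visual review of httpd.conf misleading.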

CVE-2021-22005

  • Blueliv score: 8.7
  • CVSS score: 9.8
  • Vendor: VMware

In September 2021, it was discovered that VMware’s vCenter 6.7 and 7.0 servers were affected by CVE-2021-22005, a vulnerability that unauthenticated attackers could exploit remotely, with no user interaction, in low-complexity attacks.

This is the latest in a series of scanning campaigns by actors looking to exploit vulnerable VMware servers in 2021. In February, the first example, CVE-2021-21972, saw attackers scan vCenter appliances after proof-of-concept (PoC) exploit code for the flaw was released, affecting all default vCenter installs. Later, in June, attackers scanned for Internet-exposed VMware vCenter servers vulnerable to CVE-2021-21985 RCE exploits, once again after the exploit code had been published online.

CVE-2021-40444

  • Blueliv score: 7.7
  • CVSS score: 7.8
  • Vendor: Microsoft

Microsoft has once again found itself at the mercy of several dangerous CVEs (Blueliv reported CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in its last deep dive into the CVE landscape in May 2021). In September 2021, Microsoft announced the discovery of CVE-2021-40444, a vulnerability in MSHTML (a.k.a. Trident), the browser engine behind Internet Explorer on Microsoft Windows, that was being exploited in the wild. Attackers were believed to be using crafted Microsoft Office documents that host the browser rendering engine to exploit this vulnerability.

Explaining the potential threat to its customers, Microsoft reported that “The attacker would have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights”. Following this, Microsoft swiftly released security updates to address the vulnerability and urged its customers to update their anti-malware software as a precaution.

CVE-2021-34527

  • Blueliv score: 8.4
  • CVSS score: 8.8
  • Vendor: Microsoft

Throughout June and July, a series of vulnerabilities were discovered that affected the Print Spooler service on Windows. These critical vulnerabilities allowed remote code execution and privilege escalation. The first to be discovered was CVE-2021-1675, which was quickly patched by Microsoft but still had a considerable impact since a public PoC had already been published. The remediation also turned out not to be entirely effective: CVE-2021-34527 was then discovered, affecting the same printing service. A week later, Microsoft finally released a patch that fully mitigated the vulnerability.

The information security community nicknamed these events “PrintNightmare”, due to the high impact, the ease of exploiting the vulnerabilities, and the time it took Microsoft to publish an effective remediation.

Conclusion

From VMware to the series of potentially dangerous Microsoft CVEs discovered in 2021, it’s clear that even the biggest companies fall victim to security flaws, and that cybercriminals are all too ready to exploit them. While Microsoft has always been a major target, the speed and scale of the security incidents it has faced since March signal that things will only get worse.

To protect against such vulnerabilities and ensure your business is in the best possible position, Blueliv recommends that organizations step up security hygiene with continuous vulnerability assessments, so that security is taken seriously at every organizational level. Combining that with a real-time threat intelligence solution capable of monitoring and detecting CVE-related incidents will further enhance organizations’ ability to prioritize vulnerability remediation and make the biggest improvement with limited resources.

Blueliv’s Threat Compass is one such tool; organizations can use it to benefit from deep, contextual threat intelligence and powerful insights into today’s CVEs, supercharging their vulnerability management programs.
