
12 Days of DHS Critical Vulnerabilities

Holiday season is upon us and there’s nary a drummer at BitSight. Not a single maid. Zero golden rings. French hens? Nope. We don’t even have a partridge over here. Dang.

However, BitSight does have visibility into many of the critical vulnerabilities recently highlighted in the U.S. Department of Homeland Security’s catalog of “Known Exploited Vulnerabilities.” We recently conducted a study to better understand remediation rates of these CVEs.

For each CVE, BitSight compared the number of entities ever observed with the vulnerability against the number still observed with it during the 60-day window between mid-September and November 15th; the share still present in that window is the "unremediated" figure quoted for each entry below. The results indicate that remediation rates vary widely and that many known exploited vulnerabilities remain unremediated.
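As an added illustration of that methodology (example code written for this edit, not BitSight's tooling), the script below computes the same per-CVE ratio from constructed observation records: entities ever seen with a catalog CVE versus entities still seen with it inside the 60-day window. Everything in it is assumed: the year 2021 for the window, the KEV record field names (`cveID`, `vendorProject`, `product`, which follow the public CISA JSON feed), and the sample entities and dates, which are made up and are not measurements.

```python
"""
Added example: a per-CVE "unremediated" rate computed the way the post's
methodology describes (entities ever observed with a CVE vs. entities still
observed with it in the 60-day window ending November 15th).

Illustrative code written for this edit, not BitSight's tooling.
Assumptions: the year is 2021; KEV record field names (cveID, vendorProject,
product) follow the public CISA KEV JSON feed; every record and observation
below is constructed sample data, not a real measurement.
"""
from collections import defaultdict
from datetime import date, timedelta

# Window end named in the post; the year is an assumption of this example.
WINDOW_END = date(2021, 11, 15)
WINDOW_START = WINDOW_END - timedelta(days=60)  # 2021-09-16

# Constructed KEV-style records (field names assumed to match the CISA JSON feed).
KEV_RECORDS = [
    {"cveID": "CVE-2019-11510", "vendorProject": "Pulse Secure", "product": "Pulse Connect Secure"},
    {"cveID": "CVE-2021-26855", "vendorProject": "Microsoft", "product": "Exchange Server"},
    {"cveID": "CVE-2020-10148", "vendorProject": "SolarWinds", "product": "Orion Platform"},
]

# Constructed observations: (entity, CVE, date the CVE was observed on one of that
# entity's internet-facing assets). Entity names are placeholders.
OBSERVATIONS = [
    ("acme", "CVE-2019-11510", date(2021, 6, 1)),
    ("bravo", "CVE-2019-11510", date(2021, 6, 3)),
    ("charlie", "CVE-2019-11510", date(2021, 7, 10)),
    ("delta", "CVE-2019-11510", date(2021, 8, 20)),
    ("acme", "CVE-2019-11510", date(2021, 10, 2)),     # acme still exposed inside the window
    ("acme", "CVE-2021-26855", date(2021, 3, 5)),
    ("acme", "CVE-2021-26855", date(2021, 11, 1)),
    ("bravo", "CVE-2021-26855", date(2021, 9, 20)),
    ("charlie", "CVE-2021-26855", date(2021, 4, 11)),  # charlie not seen in the window: remediated
    ("acme", "CVE-2020-10148", date(2021, 1, 15)),
    ("bravo", "CVE-2020-10148", date(2021, 2, 1)),
    ("echo", "CVE-2019-0708", date(2021, 10, 10)),     # not in the constructed KEV subset: skipped
]


def kev_cve_ids(records):
    """Set of CVE IDs listed in the KEV-style records."""
    return {r["cveID"] for r in records}


def remediation_stats(observations, kev_ids, window_start=WINDOW_START, window_end=WINDOW_END):
    """Per KEV CVE: entities ever observed with it, entities observed with it
    inside the window, and the unremediated share (window / ever) in percent.
    An entity is counted once per CVE however many observations it has."""
    ever = defaultdict(set)
    recent = defaultdict(set)
    for entity, cve, seen in observations:
        if cve not in kev_ids:
            continue  # only catalog entries are scored
        ever[cve].add(entity)
        if window_start <= seen <= window_end:
            recent[cve].add(entity)
    stats = {}
    for cve, entities in ever.items():
        still = recent.get(cve, set())
        stats[cve] = {
            "ever": len(entities),
            "still_exposed": len(still),
            "unremediated_pct": round(100.0 * len(still) / len(entities), 2),
        }
    return stats


def ranked(stats):
    """CVE IDs from lowest to highest unremediated share, the order the post uses."""
    return sorted(stats, key=lambda c: (stats[c]["unremediated_pct"], c))


if __name__ == "__main__":
    stats = remediation_stats(OBSERVATIONS, kev_cve_ids(KEV_RECORDS))
    for cve in ranked(stats):
        s = stats[cve]
        print(f"{cve}: {s['still_exposed']}/{s['ever']} entities still exposed "
              f"({s['unremediated_pct']}% unremediated)")
```

Entities are deduplicated per CVE with sets, so an organization scanned several times in the window counts once, and an observation that falls after the window end still counts toward "ever" but not toward "still exposed". Swap the constructed lists for real scan output and the real catalog feed to reproduce the table.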

So, in lieu of lords a-leaping, here are 12 Days of DHS Critical Vulnerabilities. Happy Holidays!

Day 1

Pulse Secure VPN Arbitrary File Reading Vulnerability (CVE-2019-11510)
Various versions of the Pulse Connect Secure gateway contain a pre-authentication arbitrary file read: an unauthenticated remote attacker can send a crafted URI over HTTPS and read arbitrary files from the appliance. BitSight observed that 5.91% of entities still have unremediated instances of CVE-2019-11510. Not bad!
 

Day 2

Microsoft OWA Exchange Control Panel (ECP) Exploit Chain (CVE-2021-26855)
CVE-2021-26855 is a pre-authentication server-side request forgery (SSRF) in the Microsoft Exchange Server front end, reachable through endpoints such as Autodiscover, and is the entry point of the attack chain known as ProxyLogon. Attackers chain it with CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 to execute arbitrary code as SYSTEM on the Exchange server. It was exploited as a zero-day by the threat group HAFNIUM. BitSight observed that 13% of entities still have unremediated instances of CVE-2021-26855. Ok, still looking pretty good.
 

Day 3

Windows Server 2003 R2 IIS WebDAV buffer overflow RCE vulnerability (CVE-2017-7269)
A buffer overflow in the ScStoragePathFromUrl function of the WebDAV service in Internet Information Services (IIS) 6.0 on Microsoft Windows Server 2003 R2 lets remote attackers execute arbitrary code via an overlong "If:" header in a PROPFIND request. Since Windows Server 2003 R2 is long out of support, remediation here usually means retiring the host rather than patching it. BitSight observed that 14% of entities still have unremediated instances of CVE-2017-7269. Alright, still under 20%, nothing too crazy.
 

Day 4
F5 BIG-IP Traffic Management User Interface RCE (CVE-2020-5902)
A vulnerability in various versions of the BIG-IP Traffic Management User Interface (TMUI), also referred to as the Configuration utility, lets an unauthenticated attacker execute arbitrary system commands, create or delete files, disable services, and execute arbitrary Java code. BitSight observed that 20.69% of entities still have unremediated instances of CVE-2020-5902. Eesh, here we go.
 
Day 5
Fortinet FortiOS SSL VPN credential exposure vulnerability (CVE-2018-13379)
A path traversal (improper limitation of a pathname to a restricted directory) in the SSL VPN web portal of various versions of Fortinet FortiOS and FortiProxy lets an unauthenticated attacker download system files via crafted HTTP resource requests, including the session file that holds plaintext VPN credentials. BitSight observed that 23% of entities still have unremediated instances of CVE-2018-13379. Ayyyy.
 
Day 6
Windows Remote Desktop RCE Vulnerability "BlueKeep" (CVE-2019-0708)
A remote code execution vulnerability in Remote Desktop Services: an attacker who can reach RDP on the target can connect and execute arbitrary code on it. The bug is pre-authentication and requires no user interaction, which is what makes it wormable. BitSight observed that 24% of entities still have unremediated instances of CVE-2019-0708. Oh man, that's almost a quarter unpatched.
 
Day 7
SAP NetWeaver AS Java (LM Configuration Wizard) (CVE-2020-6287)
This vulnerability in the LM Configuration Wizard of SAP NetWeaver AS Java lets an unauthenticated attacker perform critical actions against the SAP Java system, including creating an administrative user, thereby compromising the confidentiality, integrity and availability of the system. BitSight observed that 26% of entities still have unremediated instances of CVE-2020-6287. A twisted NetWeb, indeed.
 
Day 8
Kaseya VSA Remote Code Execution (CVE-2021-30116)
This vulnerability in Kaseya VSA, a remote monitoring and management (RMM) tool used by managed service providers (MSPs) to administer customer environments, allows credential disclosure and was exploited in July 2021 to push REvil ransomware through VSA to MSP customers. BitSight observed that 32% of entities still have unremediated instances of CVE-2021-30116. Yikes, RMM software touches everything!
 
Day 9
Pulse Connect Secure (PCS) Remote Code Execution (CVE-2021-22893)
This authentication bypass in the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure lets an unauthenticated attacker execute arbitrary code on the Pulse Connect Secure gateway. BitSight observed that 41% of entities still have unremediated instances of CVE-2021-22893. Ugh, no bueno.
 
Day 10
VMware vCenter Server RCE (CVE-2021-21972)
A vulnerability in a vCenter Server plugin (the vRealize Operations plugin) affecting various versions of VMware vCenter Server and VMware Cloud Foundation. An attacker with network access to port 443 can exploit it to execute commands with unrestricted privileges on the operating system that hosts vCenter Server. BitSight observed that 46% of entities still have unremediated instances of CVE-2021-21972. C'mon, VM admins, you can do better than this.
 
Day 11
SolarWinds Orion API Authentication Bypass (CVE-2020-10148)
This authentication bypass lets a remote attacker execute Orion API commands and compromise the SolarWinds instance. SolarWinds has indicated that this vulnerability is likely to have been used to install the malware known as SUPERNOVA. BitSight observed that 55% of entities still have unremediated instances of CVE-2020-10148. Over 50%! SUPER NO-GO.
 
Day 12
SonicWall Email Security Pre-Authentication Administrative Account Creation (CVE-2021-20021)
A vulnerability in SonicWall Email Security version 10.0.9.x lets an unauthenticated attacker create an administrative account by sending a crafted HTTP request to the host. Chained with CVE-2021-20022 and CVE-2021-20023, it lets attackers upload arbitrary files to and read arbitrary files from the host. BitSight observed that 85% of entities still have unremediated instances of CVE-2021-20021. Oh dear.


See how BitSight can identify vulnerabilities in your extended organization and third party ecosystem. With our latest report of US Dept. of Homeland Security (DHS) highlighted vulnerabilities, we show your risk exposure both internally and with your vendors in a quick and concise way.
