10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%
Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, Joint cybersecurity advisory (CSA) AA22-279A, and how I analyzed these vulnerabilities using my open source project Vulristics.
Alternative video link (for Russia): <https://vk.com/video-149273431_456239105>
Americans can't just release a list of "20 vulnerabilities most commonly exploited in attacks on American organizations." They like to add geopolitics and point the finger at some country. Therefore, I leave the attack attribution mentioned in the advisory title without comment.
But I like such lists of vulnerabilities for a number of reasons:
I can't help but notice that the quality of the advisory is not very high. For example, the description of vulnerabilities was automatically taken from NVD. Including this:
"Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078".
Not very informative, right? This joint advisory was released by three big serious organizations. They could work harder and write a unique text for each of the 20 CVEs. But no one seems to care.
Here is a list of all vulnerabilities from the advisory:
Of course, I did not deny myself the pleasure of using this list of CVEs as input for my Vulristics vulnerability prioritization tool. Just to see how Vulristics handles it and tweak Vulristics if needed.
Here is the command I used to generate the report:
$ python3.8 vulristics.py --report-type "cve_list" --cve-project-name "AA22-279A" --cve-list-path joint_cves.txt --cve-data-sources "ms,nvd,vulners,attackerkb" --cve-comments-path comments.txt --rewrite-flag "True"
The full report is here: <https://avleonov.com/vulristics_reports/aa22-279a_report_with_comments_ext_img.html>
If you look at the list of vulnerable software and hardware products, then some of them, obviously, should have been included in this advisory. Because lately there have been a lot of publications about how attackers exploit the vulnerabilities in these products:
The second group of products. For them, there were also publications about attacks. But it seems that these are more niche products and are less perceived as targets for attackers:
And finally, there are quite exotic products that apparently reflect the specifics of American IT:
Vulristics has identified all vulnerabilities as vulnerabilities of the highest criticality level (Urgent). Vulristics found public exploits for all vulnerabilities.
At the same time, if you look at CVSS, then there is this:
All vulnerabilities: 20
Critical: 16
High: 4
Medium: 0
Low: 0
So if you are using CVSS for prioritization, don't forget about the High level vulnerabilities.
As we can see, all vulnerabilities are obviously critical except for one "Path Traversal":
Path Traversal - Citrix Application Delivery Controller (CVE-2019-19781)
The description of the vulnerability leaves no room for detecting another type:
"An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal".
The same type is indicated in the advisory AA22-279A: Citrix ADC CVE-2019-19781 Path Traversal
And only in the description of the exploit we can see that this is in fact RCE: "This tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used to append files in an XML format to the victim machine. This in turn allows for remote code execution."
Well, this is another reminder to us that we should not do hard filtering by vulnerability type. It's also not a good idea to trust the description from NVD. The type of vulnerability may change over time, and no one will make changes to the description in NVD.
In some cases, Vulristics can help to more accurately determine the type of vulnerability:
AA22-279A: Apache HTTP Server CVE-2021-41773 Path Traversal
Vulristics: Remote Code Execution - Apache HTTP Server (CVE-2021-41773)
Why? Because we can read in the description: "If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution."
But of course Vulristics is not a silver bullet. It is difficult to come up with something here other than manual analysis of publications about vulnerabilities and exploits.
I also cannot help but point out that for some of the vulnerabilities, Vulrisitcs determined the types of vulnerabilities more correctly in accordance with the description:
AA22-279A: GitLab CE/EE CVE-2021-22205 Remote Code Execution
Vulristics: Command Injection - GitLab (CVE-2021-22205) - Urgent [947]
"… which resulted in a remote command execution."
AA22-279A: Sitecore XP CVE-2021-42237 Remote Code Execution
Vulristics: Command Injection - Sitecore Experience Platform (XP) (CVE-2021-42237)
"… it is possible to achieve remote command execution on the machine."
AA22-279A: VMware vCenter Server CVE-2021-22005 Arbitrary File Upload
Vulristics: Remote Code Execution - VMware vCenter (CVE-2021-22005)
"…may exploit this issue to execute code on vCenter Server by uploading a specially crafted file."
AA22-279A: F5 Big-IP CVE-2022-1388 Remote Code Execution
Vulristics: Authentication Bypass - BIG-IP (CVE-2022-1388)
… undisclosed requests may bypass iControl RESTauthentication"
AA22-279A: Apache HTTP Server CVE-2021-41773 Path Traversal
Vulristics: Remote Code Execution - Apache HTTP Server (CVE-2021-41773)
"… this could allow for remote code execution."
AA22-279A: Apache CVE-2022-24112 Authentication Bypass by Spoofing
Vulristics: Remote Code Execution - Apache APISIX (CVE-2022-24112)
"… is vulnerable to remote code execution."
AA22-279A: Buffalo WSR CVE-2021-20090 Relative Path Traversal
Vulristics: Authentication Bypass - Buffalo WSR (CVE-2021-20090)
"… allow unauthenticated remote attackers to bypass authentication."
Therefore, do not rush to trust the vulnerability type from the CISA Known Exploited Vulnerabilities Catalog and take it into account when prioritizing vulnerabilities.
10 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
0.976 High
EPSS
Percentile
100.0%