One of the most vital things to get right in application security is dependency management, and to achieve this, your suite of AppSec tools must be up to date. This means that your vulnerability scanning, detection, and remediation capabilities must be able to identify and address the newest and most exploited vulnerabilities.
Do you know what these vulnerabilities are? Have you got them covered? With the help of some of the world’s leading cybersecurity authorities, you can be. To find out how, read on.
The Feds and the Five Eyes are looking out for you and your AppSec
The Five Eyes (FVEY) intelligence alliance has released a list of the top twelve most exploited vulnerabilities in 2022, in a new joint cybersecurity advisory published August 2023. The alliance involves the following federal and national cybersecurity agencies:
- United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)
- Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
- Canada: Canadian Centre for Cyber Security (CCCS)
- New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
- United Kingdom: National Cyber Security Centre (NCSC-UK)
The list identifies the Common Vulnerabilities and Exposures (CVEs) and Common Weakness Enumeration (CWE) entries that malicious actors exploited most frequently in 2022, plus thirty more vulnerabilities that were also routinely exploited.
What are the top 12 exploited vulnerabilities?
2022’s top 12 is dominated by vulnerabilities in Microsoft (4), VMware (2), and Atlassian (2) software, plus vulnerabilities in software from Fortinet, Zoho, F5 Networks, and Apache. They are:
- Fortinet’s critical (CVSS 9.1) credential exposure vulnerability CVE-2018-13379 in the FortiOS and FortiProxy SSL VPN, which has featured on these lists since 2018
- Microsoft’s Exchange Server ProxyShell chain: remote code execution (RCE) CVE-2021-34473, security feature bypass CVE-2021-31207, and privilege escalation CVE-2021-34523; plus CVE-2022-30190, an RCE vulnerability affecting multiple Microsoft products
- VMware’s Workspace ONE Access and Identity Manager RCE CVE-2022-22954 and improper privilege management CVE-2022-22960 flaws
- F5 Networks’ BIG-IP missing authentication vulnerability CVE-2022-1388
- Atlassian’s Confluence Server and Data Center RCE flaw CVE-2022-26134 and arbitrary code execution flaw CVE-2021-26084
- An RCE/authentication bypass, CVE-2021-40539, in Zoho’s ManageEngine ADSelfService Plus
- And last but by no means least, the infamous Log4Shell RCE (CVE-2021-44228) in Apache’s Log4j2
Details of these and the further thirty vulnerabilities are downloadable from the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
What can we learn from these findings?
This new list shows that attackers exploit older, unpatched security flaws more often than recently disclosed vulnerabilities. They prefer to develop exploits for prevalent CVEs, and they target unpatched, internet-facing systems, usually within the first two years of public disclosure; after that, the software has often been patched or upgraded. They also prioritize vulnerabilities that are more prevalent in their specific targets’ networks.
What should you do to ensure you’re protected?
The most important action you can take is preventive: regularly update and patch your software components and dependencies. To that end, CISA advises that vendors and developers ensure that their software, its components, and its dependencies are secure by design and by default by doing the following:
- Identify repeatedly exploited classes of vulnerability, with an analysis of both CVEs and known exploited vulnerabilities
- Implement appropriate mitigations to eliminate those classes of vulnerability
- Ensure business leaders are responsible for security
- Follow the U.S. National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF, SP 800-218) recommendations for mitigating the risk of software vulnerabilities, and build secure design practices into each stage of the software development lifecycle (SDLC)
- Prioritize secure-by-default configurations such as eliminating default passwords, implementing single sign-on (SSO) technology via modern open standards, and providing high-quality audit logs to customers with no additional configuration and at no extra charge
- Ensure published CVEs include the proper CWE field identifying the root cause of the vulnerability to enable industry-wide analysis of software security and design flaws.
CISA then advises end-user organizations to do the following:
1. Vulnerability and configuration management
- Update software, operating systems, applications, and firmware on IT network assets in a timely manner
- Prioritize patching known exploited vulnerabilities, then critical and high vulnerabilities that allow RCE or denial of service on internet-facing equipment
- Replace end-of-life software
- Routinely perform automated asset discovery to identify and catalog all systems, services, hardware, and software
- Implement a robust patch management process
- Document secure baseline configurations for all IT/OT components, including cloud infrastructure
- Perform regular secure system backups and keep known-good copies of all device configurations for repair and/or restoration
- Maintain an updated cybersecurity incident response plan
2. Identity and access management
- Enforce phishing-resistant multifactor authentication (MFA) for all users
- Enforce MFA on all VPN connections
- Regularly review, validate, or remove privileged accounts
- Configure access control under the principle of least privilege
3. Protective controls and architecture
- Secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices
- Harden commonly exploited enterprise network services
- Strictly control native scripting applications
- Implement zero-trust network architecture to limit or block lateral movement by controlling access to applications, devices, and databases
- Continuously monitor the attack surface and investigate abnormal activity that may indicate cyber actor or malware lateral movement
- Use security tools, such as vulnerability scanning and remediation solutions
- Use web application firewalls to monitor and filter web traffic, to detect and mitigate exploitation attempts when a malicious web request is sent to an unpatched device
- Implement an administrative policy and/or automated process to monitor unwanted hardware, software, or programs against an allowlist
- Use a network protocol analyzer to examine captured data, including packet-level data
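One way to operationalize the patching order from the first group above (known exploited vulnerabilities first, then critical/high RCE or denial-of-service flaws on internet-facing equipment), as an added example that is not part of the advisory or this article: a small triage routine over constructed scanner findings. The known-exploited set, the CVSS scores, the asset names and the CVE-XXXX placeholder ids are all sample data.

```python
from dataclasses import dataclass

# Constructed subset of a known-exploited-vulnerabilities catalog, seeded with
# CVE ids named on this page. Membership here is sample data for illustration,
# not a copy of CISA's KEV catalog.
KNOWN_EXPLOITED = {
    "CVE-2018-13379", "CVE-2021-34473", "CVE-2021-44228",
    "CVE-2022-1388", "CVE-2022-26134", "CVE-2022-30190",
}

@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    impact: str           # e.g. "rce", "dos", "privesc"
    internet_facing: bool

def tier(f: Finding) -> int:
    """Map a scanner finding onto the advisory's patching order:
    0 = known exploited vulnerability (patch first),
    1 = critical/high-severity RCE or denial of service on internet-facing
        equipment,
    2 = everything else, left to the routine patch cycle."""
    if f.cve in KNOWN_EXPLOITED:
        return 0
    if f.cvss >= 7.0 and f.impact in ("rce", "dos") and f.internet_facing:
        return 1
    return 2

def prioritize(findings: list[Finding]) -> list[Finding]:
    """Within a tier, internet-facing assets come first, then higher CVSS;
    that tie-break is an assumption of this example, not advisory text."""
    return sorted(findings,
                  key=lambda f: (tier(f), not f.internet_facing, -f.cvss))

def patch_order(findings: list[Finding]) -> list[str]:
    """Convenience view: the CVE ids in the order they should be patched."""
    return [f.cve for f in prioritize(findings)]

# Constructed scanner output. CVSS scores are sample figures; "CVE-XXXX-000n"
# ids are placeholders for vulnerabilities not named on this page.
SAMPLE_FINDINGS = [
    Finding("CVE-XXXX-0001", "intranet-wiki", 9.8, "rce", False),
    Finding("CVE-2021-44228", "log-collector", 10.0, "rce", False),
    Finding("CVE-2022-1388", "edge-lb", 9.8, "rce", True),
    Finding("CVE-XXXX-0002", "public-api", 7.5, "dos", True),
    Finding("CVE-2022-22960", "idm-portal", 7.8, "privesc", True),
]
```

Note that the internal wiki's CVSS 9.8 RCE lands in the last tier: the advisory's ordering rewards exploitation evidence and exposure, not raw score.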
When using third-party applications, ensure contracts require vendors and/or third-party service providers to:
- Provide notification of security incidents and vulnerabilities
- Supply a Software Bill of Materials (SBOM) with all products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities
- Demonstrate how they are working to remove classes of vulnerabilities and to set secure default settings.