The Log4Shell vulnerability affecting Apache’s Log4j library and the ProxyLogon and ProxyShell vulnerabilities affecting Microsoft Exchange email servers topped the list of the most routinely exploited vulnerabilities in 2021.
These threats were outlined in a joint Cybersecurity Advisory (CSA) coauthored by the cybersecurity authorities of the United States, Australia, Canada, New Zealand and the United Kingdom.
The advisory provided details on the top 15 common vulnerabilities and exposures (CVEs) routinely exploited by malicious actors in 2021, as well as other CVEs that were frequently exploited.
The CSA noted that exploitation of older vulnerabilities demonstrates the continued risk to organizations that fail to patch software in a timely manner or are using software that is no longer supported by a vendor.
The report also offered a series of mitigation actions, which include applying timely patches to systems and implementing a centralized patch management system to reduce the risk of compromise by malicious actors.
Bud Broomhead, CEO at Viakoo, a provider of automated IoT cyber hygiene, noted that the Log4j and Microsoft Exchange vulnerabilities were both extremely serious, but in different ways.
“Log4j brought a lot of attention to vulnerabilities being delivered via open source software libraries and their ability to be present in hundreds, if not thousands, of makes and models of devices, particularly IoT,” he said.
From his perspective, compared to vulnerabilities impacting just one manufacturer, the blast radius from Log4j is enormous.
“Because of the diversity of devices infected by Log4j, it also highlighted how many IoT devices can be functioning within an organization past their end-of-life dates,” he said. “For those devices, there will never be a patch available to remediate vulnerabilities like Log4j.”
He explained that the Microsoft Exchange Server vulnerabilities (like ProxyLogon) highlighted a different but equally serious issue: how long it takes to patch a system once a patch is available.
In the case of Exchange Server, it was one of the most urgent and visible vulnerabilities of 2021, yet six months after the patch was made available, 30% of Exchange servers were still vulnerable, according to Rapid7.
“Despite this being a path for business email compromise, planting of malware and ransomware or privilege escalation, this shows how the lack of an effective process for keeping systems on the safest version of firmware creates a giant risk to the organization,” Broomhead said.
Mike Parkin, senior technical engineer at Vulcan Cyber, a provider of SaaS for enterprise cyber-risk remediation, said that by now most vulnerable Microsoft Exchange servers and Log4j instances should have been patched; the problems lie in the ones that were missed.
“This is especially a problem with Log4j; it is so widely used by developers, but the development resources to find and fix the stragglers may not exist,” he said. “With software vulnerabilities, discovery and reporting are an evolving process.”
He pointed out the current “responsible disclosure” model works reasonably well when vendors are responsive.
“Making the process faster and more consistent is the next step, and that will happen over time,” Parkin explained.
The Problem With Patching
Broomhead said the fact that so many vulnerable systems remain unpatched shows how difficult the task is and how much more attention needs to be paid to the issue.
From his perspective, it also revealed the complexity of the patch process.
“In the case of Exchange Server, prior patches had to first be applied and, in the case of Log4j, multiple device types all with different firmware update procedures added complexity,” he said. “In addition, IT tools don’t work for IoT, automated patch management solutions for IT devices do not work for IoT and organizations should focus on deploying automated IoT vulnerability remediation solutions.”
Broomhead added that, because of the increasing number of vulnerabilities delivered through open source software libraries, having device-level software bills of materials (SBOMs) will help organizations identify vulnerable devices more quickly.
“Organizations should also have internal compliance and audit capabilities to determine if devices are using default or easily-guessed passwords or are on older firmware,” he said.
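As an added example that is not part of the original article or of any vendor's product, the following Python audits a device-level SBOM in the way the two preceding paragraphs describe: it walks the component list for Log4j entries and flags ones that are end-of-life or below a fixed release, and it compares the device's own firmware version against a minimum baseline. The SBOM is a constructed sample in CycloneDX JSON shape, the firmware baseline is constructed for the example, and the Log4j fixed-version table (2.17.1 on the main 2.x line, 2.12.4 and 2.3.2 for the Java 7 and Java 6 backports) is an assumption drawn from Apache's Log4j security advisories, not from the article.

```python
"""Audit a CycloneDX-style SBOM for vulnerable or end-of-life Log4j components
and for firmware that is behind an organisation's baseline.

Added example; the SBOM, device names and firmware baseline are constructed.
"""
import json

# Constructed sample SBOM in CycloneDX JSON shape (not real device data).
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "device", "name": "example-ip-camera",
                               "version": "3.1.0"}},
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-api", "version": "2.14.1"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1"},
        {"type": "library", "group": "log4j", "name": "log4j", "version": "1.2.17"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.0-beta9"},
    ],
})

# Constructed policy: minimum acceptable firmware per device model.
SAMPLE_FIRMWARE_BASELINE = {"example-ip-camera": "3.2.0"}

# Assumed remediation baseline for Log4j 2.x, taken from Apache's advisories:
# 2.17.1 on the main line, 2.12.4 (Java 7) and 2.3.2 (Java 6) as backports.
LOG4J2_FIXED = {"2.12": "2.12.4", "2.3": "2.3.2"}
LOG4J2_FIXED_DEFAULT = "2.17.1"

# Only log4j-core carries the vulnerable lookup code; log4j-api is not
# flagged. The 1.x artifact (group "log4j") is end-of-life rather than patched.
LOG4J_COMPONENTS = {("org.apache.logging.log4j", "log4j-core"), ("log4j", "log4j")}


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a tuple that orders correctly.

    Numeric parts compare as integers; a pre-release suffix ('beta9') sorts
    below the corresponding final release, so 2.0-beta9 < 2.0.0.
    """
    main, _, pre = text.partition("-")
    nums = [int(p) for p in main.split(".") if p.isdigit()]
    nums += [0] * (3 - len(nums))  # '2.0' -> 2.0.0
    # Final releases get a 1 in the pre-release slot so they outrank pre-releases.
    return tuple(nums[:3]) + ((0, pre) if pre else (1, ""))


def classify_log4j(version):
    """Return 'eol', 'vulnerable' or 'ok' for a Log4j component version."""
    v = parse_version(version)
    if v[0] < 2:
        return "eol"  # Log4j 1.x no longer receives upstream security fixes
    branch = f"{v[0]}.{v[1]}"
    fixed = LOG4J2_FIXED.get(branch, LOG4J2_FIXED_DEFAULT)
    return "vulnerable" if v < parse_version(fixed) else "ok"


def audit_sbom(sbom_json, firmware_baseline):
    """Walk the SBOM and return findings as (name, version, status) tuples.

    firmware_baseline maps a device model to its minimum acceptable firmware
    version; a real one would come from vendor release notes or local policy.
    """
    bom = json.loads(sbom_json)
    findings = []
    # Device-level check: is the firmware itself behind the baseline?
    device = bom.get("metadata", {}).get("component", {})
    minimum = firmware_baseline.get(device.get("name"))
    if minimum and parse_version(device["version"]) < parse_version(minimum):
        findings.append((device["name"], device["version"], "outdated-firmware"))
    # Library-level check: each Log4j entry is classified on its own, because
    # a single firmware image can bundle several copies at different versions.
    for comp in bom.get("components", []):
        if (comp.get("group"), comp.get("name")) in LOG4J_COMPONENTS:
            status = classify_log4j(comp["version"])
            if status != "ok":
                findings.append((comp["name"], comp["version"], status))
    return findings


if __name__ == "__main__":
    for name, version, status in audit_sbom(SAMPLE_SBOM_JSON, SAMPLE_FIRMWARE_BASELINE):
        print(f"{status:18} {name} {version}")
```

Run against the constructed SBOM, the audit reports the outdated firmware, the 2.14.1 and 2.0-beta9 copies of log4j-core as vulnerable, and the 1.2.17 artifact as end-of-life; the 2.17.1 copy and log4j-api produce no finding. The same pattern extends to any other library or firmware entry once a fixed-version baseline for it is known.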
He pointed out many devices fall outside the management of IT and are under the responsibility of a line of business; for example, manufacturing or facilities.
“Ensuring that those responsibilities are clear and that training and tools are provided to support those responsibilities will reduce risk to the organization,” Broomhead said.
He noted that organizations need to realize cybercriminals will exploit the weakest areas of corporate cybersecurity, which today means IoT devices and vulnerabilities delivered through widely used software libraries.
“If IoT devices are not explicitly exempted from corporate InfoSec and other security policies, then they need to be tracked, assessed and secured according to those policies,” he said. “Organizations must be prepared to act on software patches on IoT devices, in particular, because of the large scale of IoT devices as compared to IT devices.”
Parkin added that while zero-day exploits are still a threat, the Exchange and Log4j vulnerabilities showed that many organizations are still behind on implementing secure configurations and compensating controls.
“The harder it is for an attacker to get access, the less likely it is they can leverage a new exploit,” he said. “Perhaps more important is better user training and implementing access controls on the user base. If the users aren’t secure, the attackers won’t need a ‘next new thing’ zero-day to get in.”
He pointed out the MS Exchange and Log4j vulnerabilities were major issues and led to a lot of compromised systems, but that they were just the tip of the proverbial iceberg.
“Unfortunately, in the grand scheme of cybersecurity, they are just some of the latest newsworthy problems that got the spotlight,” Parkin said. “There will be others.”