Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

06:35 PM

Network Pivots, Patch Bypasses: Exploits Hit Hard in 2020

An analysis of 50 vulnerabilities finds a spectrum of risk, from widespread vulnerabilities exploited by a variety of attackers to serious issues that will likely be exploited in 2021.

In 2020, security teams had to endure a great deal of chaos — not just from the events caused by the pandemic, but by a significant series of changes in the vulnerability landscape, according to Rapid7.

In its "2020 Vulnerability Intelligence Report," released today, the security firm documented 50 vulnerabilities representing shifts that defenders had to contend with. Fourteen vulnerabilities were exploited by nation-state actors and cybercriminals in indiscriminate campaigns that impacted a wide variety of organizations, 16 vulnerabilities were used in targeted attacks by sophisticated actors, and 20 flaws have not yet been seen in the wild but are expected to be used by attackers in their campaigns.

Related Content:

Patch Imperfect: Software Fixes Failing to Shut Out Attackers

Special Report: How IT Security Organizations Are Attacking the Cybersecurity Problem

New From The Edge: Does XDR Mark the Spot? 6 Questions to Ask

The company delves into the threats to offer defenders a better understanding of what constituted dangerous vulnerabilities in 2020, says Caitlin Condon, manager of software engineering at Rapid7.

"There was a pervasive feeling in the information-security community, especially among defenders, that the sky was falling nearly all the time," she says. "It is often very difficult for the people in charge of security to look at all the research materials and all the artifacts — at all the information about a vulnerability — and determine why a vulnerability may matter or not matter for their risk model."

In the report, Rapid7 breaks down the threats into flaws exploited indiscriminately in widespread attacks (28%), security issues — often, zero-day vulnerabilities — used in targeted attacks (32%), and vulnerabilities the company considers to be impending threats (40%).

Among the most serious threats were attacks on network and security appliances that allowed the attacker to pivot from outside the network to the internal network. So-called network pivots were discovered in Citrix NetScaler, SonicWall SonicOS, Palo Alto Networks PAN-OS, and the Sophos XG Firewall.

"For many network defenders, June 29 through July 29, 2020 was a particularly nightmarish stretch of an already challenging year: No fewer than four CVSS 10 vulnerabilities hit advisories, mailing lists, and news alerts during this period, three of which occurred within two weeks of one another," Rapid7 states in the report. "In each of these cases, the gateway position of the vulnerable products amplified the vulnerabilities’ severity and deepened the impact of exploitation."

Patch bypasses also became a major issue in 2020, which was — according to Rapid7's report — "a banner year." While companies have typically come to trust software vendors to create security updates that not only fix the original issue but also related issues, a number of notably problematic patches were published in 2020. The company details nine vulnerabilities that either had an incomplete patch that attackers were able to evade or that allowed attackers to use a similar or related issue to bypass the patch.

"In some cases, a vulnerability's complexity can make solutions correspondingly complex to develop quickly and well," the company states in the report.

This matches with previous research released in February, where Google's Project Zero team found nine of the 24 zero-day vulnerabilities detected in 2020 were variants of previously patched issues. While companies expect patches to fix a family of vulnerabilities, attackers look at patches as a source of intelligence, Rapid7 states.

"Attackers work off a wholly different guiding principle — namely, that the discovery of one flaw means there are likely more just waiting in the wings, frequently in the same function, protocol, or section of the target product’s code base," the company says. "However, it hardly makes sense for attackers to put effort into hunting for zero-day vulnerabilities when they can change a single character in an exploit for a patched vulnerability and blow past the patch as if it weren’t even there."

Companies have to assess vulnerabilities within the scope of their own infrastructure to determine their risk profile, the report states. One lesson that security teams should take to heart: Those high-profile issues covered in the media are not always the most dangerous flaws, says Condon.

"Not every vulnerability that got talked about a lot in 2020 was an actual threat," she says. "There were a bunch of vulnerabilities that perhaps slipped under the radar that were truer impending threats, so it is important for organizations to understand where their critical components are."

Case in point: Vulnerabilities in operational technology (OT) often garnered a great deal of digital ink, but a variety of factors often reduced the actual threat to organizations. For example, one of the "more severe Ripple20" vulnerabilities was found to be nonexploitable, while the serious Amnesia:33 vulnerabilities could only be exploited in a very narrow set of circumstances.

"Whenever there are new vulnerabilities in shared libraries, the level of exploitability varies from device to device; as you might imagine, this creates quite a lot of confusion and adds another layer of complexity to the already complex industrial vulnerabilities space," Rapid7 stated. "[M]anaging risk is difficult if not impossible without an understanding of attack surface area introduced by OT devices."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Zero Trust doesn't have to break your budget!
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-17
In CiviCRM before 5.21.3 and 5.22.x through 5.24.x before 5.24.3, users may be able to upload and execute a crafted PHAR archive.
PUBLISHED: 2021-06-17
In CiviCRM before 5.28.1 and CiviCRM ESR before 5.27.5 ESR, the CKEditor configuration form allows CSRF.
PUBLISHED: 2021-06-17
HashiCorp Nomad and Nomad Enterprise up to version 1.0.4 bridge networking mode allows ARP spoofing from other bridged tasks on the same node. Fixed in 0.12.12, 1.0.5, and 1.1.0 RC1.
PUBLISHED: 2021-06-17
An XSS issue was discovered in manage_custom_field_edit_page.php in MantisBT before 2.25.2. Unescaped output of the return parameter allows an attacker to inject code into a hidden input field.
PUBLISHED: 2021-06-17
All versions of package lutils are vulnerable to Prototype Pollution via the main (merge) function.