A Review of the 2021 CISA and MITRE Vulnerability Lists

This past summer, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) partnered with forces in the United Kingdom and Australia to release a list of the top 30 most exploited vulnerabilities of 2020 (along with some that are being exploited in 2021). Around that same time, MITRE updated their list of the top 25 most common and dangerous software weaknesses. Both lists were created to help organizations and individuals protect themselves from security threats.

We reviewed these lists to understand their similarities and differences, and share our takeaways. Read on for details.

We reviewed these lists to understand their similarities and differences, and share our takeaways. Read on for details.

	CISA's Top 30 Most Exploited Vulnerabilities	MITRE’s Top 25 Most Vulnerable Software Bugs
Origin	CISA’s list was featured in a Join Cybersecurity Advisory issued with UK and Australian authorities in July 2021.	MITRE’s list is released every few years – previous editions exist from 2010, 2011, 2019, and 2020. See the archive of prior lists here.
Purpose	The CISA list was developed to help reduce the exploitation of specific vulnerabilities and to help organizations prioritize critical and high-risk security issues. CISA states that their advisory “provides details on the top 30 vulnerabilities—primarily Common Vulnerabilities and Exposures (CVEs)—routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021.”	The MITRE list was developed to assist security and IT professionals in prioritizing certain categories of vulnerabilities that may pose the most immediate risk to their organization’s security. MITRE states that their list “is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses.”
Types of Vulnerabilities	The CISA list focuses on specific vulnerabilities (e.g., CVE-2019-18935) found in some of the most widely used software products. This list primarily consists of vulnerabilities disclosed in the past two years. The oldest security vulnerability in the CISA list dates back to 2017 – a remote code execution (RCE) bug affecting Microsoft Office. Here are the top five most exploited bugs on the CISA list: Citrix NetScaler Arbitrary Code Execution (CVE-2019-19781) Pulse Connect Secure VPN Arbitrary File Read (CVE-2019-11510) Fortinet FortiOS SSL VPN Path Traversal (CVE-2018-13379) F5 Big IP Traffic Management User Interface Remote Code Execution (CVE-2020-5902) MobileIron Remote Code Execution (CVE-2020-15505) Over half of the top 10 entries in the CISA list are remote code execution vulnerabilities.	Instead of focusing on CVEs, MITRE focuses on Common Weakness Enumeration (CWEs), which are types of software weaknesses/vulnerabilities. Vulnerability types include Out-of-Bounds Write/memory corruption, Out-of-Bounds Read, cross-site scripting, etc. This list primarily consists of trends in vulnerabilities disclosed in the past two years. To create this list, MITRE analyzed vulnerability data from the National Vulnerability Database (NVD) from 2019 and 2020, which contained around 32,500 CVEs. The security issues included are considered especially dangerous because of their easy discoverability, high impact, and prevalence. Here are the top three software weaknesses on the MITRE list: CWE-787 – Out-of-Bounds Write, AKA memory corruption. Out-of-Bounds write means the software writes “out of bounds” – past the end or before the beginning of the intended buffer. This can result in the execution of unauthorized code or commands, denial of service (DoS), and memory modification. CWE-79 – Improper Neutralization of Input During Web Page Generation, better known as cross-site scripting (XSS). In this case, a user injects malicious code into a webpage. Another user’s browser can then execute the malicious code when they navigate to the webpage. XSS can result in accessing application data, executing unauthorized code or commands, and more. CWE-125 – Out-of-Bounds Read. Finally, this weakness means that software is reading past an intended buffer’s end or before its beginning. This can result in attackers reading sensitive information (e.g., license keys) from other locations in memory. It can also cause the application to crash, resulting in a DoS.
Mitigations	Follow security best practices (e.g., ensuring your software is updated with the latest patches.) CISA also recommends prioritizing fixes based on known exploitation, implementing automatic software updates, and creating a centralized patch management system.	For each vulnerability type, MITRE provides specific prevention mitigations based on use case. Their guidance applies to various IT and security professionals, such as those responsible for developing applications and those responsible for application security.

CISA Takeaways

CISA pointed out that the recent influx in remote work may have impacted most organizations’ ability to defend themselves against security threats. In a traditional work environment, these threats may have been more easily addressed by an organization’s security team; remote work can complicate patch management, as CISA acknowledged in their “Key Findings” section. The remote work explosion also led to increased exploitation of recently disclosed security issues. This correlation is further illustrated by the emphasis on vulnerabilities in cloud and VPN-related technology, such as CVE-2019-11510, a critical bug in Pulse Connect Secure VPN. Also of note is the prevalence of remote code execution bugs, which are especially attractive targets for attackers due to their ability to be exploited from anywhere in the world.

Finally, every vulnerability on the CISA list has available remediations. So, for all cases exploitation is avoidable.

MITRE Takeaways

MITRE’s 2021 list concentrates on specific, Base-level weaknesses instead of Class-level weaknesses that were the focus of past lists. A Class-level weakness is defined by MITRE as “a weakness that is described in a very abstract fashion, typically independent of any specific language or technology.” A Base-level weakness is more specific, but not as specific as Variant weaknesses, which are “linked to a certain type of product.” Base-level weaknesses are the middle ground between Class-level and Variant. Unlike the CISA list which largely focuses on Variant weaknesses, the MITRE list focuses mostly on Base-level weaknesses. The 2021 list demonstrates that MITRE is attempting to provide more actionable guidance, because “[they] believe that Base-level weaknesses are more informative to stakeholders than Class-level weaknesses.” Most of the weaknesses represent more difficult areas in software to troubleshoot. This is in contrast to previous editions of the list over the years, where implementation-specific weaknesses were more common.

MITRE notes that this recent trend could possibly indicate “the community has improved its education, tooling, and analysis capabilities related to some of the more implementation-specific weaknesses.”

Staying On Top of Threats, Old and New

Both lists highlight the importance of monitoring for new vulnerabilities and addressing them in a timely fashion. Opportunistic attackers will generally move to exploit vulnerabilities as soon as they can – so responding to emerging threats quickly is imperative. Monitoring for emerging threats can mean skimming social media (especially Twitter accounts like @CVEannounce) for real-time CVE updates, following security news, and subscribing to vulnerability bulletins (like this weekly summary offered by CISA).

When patches are released, implement them as soon as realistically possible. If patching information is not immediately available from the vendor (like the recent PrintNightmare scenario), use short-term fixes they advise in the interim.

Lastly, the majority of vulnerabilities on both lists are not exactly new. However, just because a vulnerability has been known for a while does not mean it isn’t a threat to your organization.

Additional Resources for Specific Vulnerabilities and Vulnerability Types

• CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI: CAST’s Caleb Gross wrote this in-depth overview of CVE-2019-18935 when it was first released.
• ProxyLogon (CVE-2021-26855): 2021’s Top Contender for Vulnerability for the Year (It’s March...): CAST team members Barrett Darnell and Mark Goodwin authored this write-up on one of the most critical security bugs of 2021.
• Breaching the Trusted Perimeter | Automating Exploitation: CAST Operator Jon Williams dug into CVE-2019-11510 in this write-up shortly after its details were made public.
• Staying Ahead of Emerging Threats: In this write-up, Director of CAST Operations Ori Zigindere reflected on the Bishop Fox CAST team’s quick response to Citrix CVE-2019-19781.
• What is XSS: An Overview: Finally, this write-up serves as a primer to what cross-site scripting (XSS) is as well as detecting and preventing this exceedingly common vulnerability.

---