As Google’s Project Zero team stated in their must-read blog post, 2020 was a year of some serious 0-day vulnerabilities. And although we’ve barely scratched the surface of 2021, this year just may follow suit if the past few weeks have been any preview of things to come. In this recap of January and the first part of February 2021, we’ll review some of the more notable security bugs that have come out this year.
A trend you may notice is how many of the below vulnerabilities have already been under active exploitation by attackers, which speaks to the importance of patching as soon as these emerging threats become known. Another trend you’ll see is the appearance of several buffer overflows. Buffer overflows, which have persisted in software for almost half a century, usually aren’t the most prevalent of security threats. However, buffer overflows can pose a real danger to organizations since many can be weaponized for remote code execution; this, coupled with unauthenticated access, greatly increases the risk of exploitation.
Although workarounds have been widely documented over the years, buffer overflows still occur due to insecure coding, primarily with the C and C++ programming languages. In 2020, MITRE ranked buffer overflows among their Top 25 Most Dangerous Software Weaknesses (see “CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer”). So although they might not be as widespread as other vulnerability classes, buffer overflows are serious risks when they do pop up.
CVE-2021-21017, which impacts Adobe Acrobat Reader, was reported by Adobe as being actively targeted against Windows users. This CVE is a heap-based buffer overflow vulnerability that an attacker could use to facilitate arbitrary code execution. Adobe shared the vulnerability – and remediation information – in their security bulletin published on February 9, 2021 along with fixes for other critical and important vulnerabilities. This one is still a relatively fresh find, so be sure to check out the bulletin if you suspect your organization may be at risk.
Meanwhile, Microsoft’s Patch Tuesday on February 9 brought with it news of its own 0-day vulnerability. CVE-2021-1732 is a Win32k.exe vulnerability that can be used to elevate privileges in affected Windows environments. Like the Adobe vulnerability, Microsoft said that this was already being exploited by attackers, making it more of an immediate threat than its “important” ranking would otherwise indicate. This vulnerability was among the 56 that were resolved in this Patch Tuesday update. Additionally, Microsoft resolved three critical and important vulnerabilities affecting the Windows TCP/IP stack. These vulnerabilities encompass remote code execution and denial of service, and Microsoft issued a blog post to discuss them in depth.
Yet another critical-risk vulnerability that a vendor reported as being under active exploitation, CVE-2021-20016 is found in all SonicWall SMA 100 series devices. This bug could enable a devastating SQL injection attack. As SonicWall describes in their official advisory, the critical-risk vulnerability “allows remote exploitation for credential access by an unauthenticated attacker,” putting usernames, passwords, and other session information at risk. SonicWall initially shared that the bug was being exploited in January and provided pertinent mitigation information for impacted users. In early February, they released a firmware update to address the CVE and advised “immediate patching.”
CVE-2021-3156 turned heads when it was made public in January 2021 due to its ubiquity and the fact that it has been in the wild for nearly a decade. This high-risk vulnerability – with a 7.8 rating on the CVSSv3 scale – impacts Sudo, which is an extremely common program for Linux-based and Unix-based operating systems. Upon successful exploitation, this heap buffer overflow vulnerability affords an attacker the ability to gain root privilege on a vulnerable host system without proper root authentication. A fix for this widespread security flaw exists in Sudo 1.9.p2. Any version of Sudo prior to 1.9.p2 is believed to be at risk of exploitation.
In late January 2021, Apple announced a security update to remediate multiple vulnerabilities, including three 0-day issues – which, according to Apple, were being actively exploited. CVE-2021-1870 and CVE-2021-1871 affect the WebKit browser engine whereas CVE-2021-1782 affects the iOS and iPadOS kernel. The latter is a race condition vulnerability that allows for privilege escalation, and the WebKit vulnerabilities could lead to arbitrary code execution, which is nearly always a critical or high-risk threat. All three of these bugs were resolved in iOS 14.4.
Finally, several high-risk and critical Cisco vulnerabilities created quite a stir in January 2021. These vulnerabilities affected Cisco SD-WAN products as well as Cisco DNA and Smart Software Manager Satellite. The majority of the vulnerabilities could permit an unauthenticated attacker to remotely execute code, execute arbitrary SQL queries or system commands, or deny service to legitimate users. The most serious of these issues is CVE-2021-1300, a buffer overflow vulnerability. At the time of this article, there is not a publicly available proof-of-concept exploit for these vulnerabilities. Solutions, however, do exist (see here for the list of advisories and software updates). If you use Cisco SD-WAN products, make sure your software is up to date. Additionally, we recommend looking for the string "SD-WAN Center" in the response body of the path "/login" across your attack surface to identify any potentially affected devices.
We are just over six weeks into the new year, and the severe security vulnerability alerts keep coming. The importance of patching cannot be overstated – even delaying software updates a few days could prove a costly misstep.
Your organization's attack surface is a continual work in progress, so static inventories can become obsolete fast. Ensure you are keeping pace with the constant barrage of vulnerabilities by watching for vendor announcements and consulting your organization’s asset inventories to apply any necessary software patches as needed. Continuous scanning is the most accurate way to keep your asset inventory up to date and become immediately aware of any possible exposures. The best protection against being caught off-guard by a newly published critical or high-risk CVE is to patch early, patch often, and scan your attack surface continuously.