The OWASP Foundation has long maintained the OWASP Top 10, which has served as a crucial framework in the development of web applications. Within infrastructure the list of critical issues is much larger, and we have done our best to boil it down into our own top 10 critical security patches. Every vulnerability outlined here, except for CVE-2020-1350, has public exploit code available, meaning any attacker can copy, paste, and compromise exposed systems. The purpose of this list is to outline the critical patches that must be applied above all others.

Before outlining each of the Top 10 Critical Security Patches, it is important to first outline the cost of a data breach and its top causes. Within North America, the average cost of a data breach is between $4M USD and $10M USD, and these numbers are on the rise. According to a recent report, nearly 60% of data breaches in the past two years can be traced back to critical missing security patches in operating systems or applications.

“It’s a scale issue and it’s a prioritization issue,” says Stephen Boyer, co-founder and CTO at BitSight. “Think about all the vulnerabilities coming at you. The key question is which vulnerabilities [to patch] and when.”

Remote working during the COVID-19 pandemic has also increased the challenges of remote patch deployment and of maintaining corporate systems. We are falling behind on patching corporate systems, which has created massive opportunities for attackers. This list does not include weak or default credentials, insecure configurations, or the use of legacy network protocols, all of which are still widespread in organizations today.

Remote Code Execution (RCE): In computer security, remote code execution is the ability of an attacker with internet connectivity to a target system to take control of it and perform unauthorized operations. This often includes running their own malicious code.

PL-1 – Windows DNS: CVE-2020-1350 (NEW)

Published in 2020, there is a storm brewing online about a recently released Microsoft patch addressing a workable remote code execution (RCE) flaw in Microsoft DNS. This vulnerability affects all past versions of Microsoft DNS and will have widespread impact once public exploit code is released. There is no indication yet that it is being exploited in the wild, but it is only a matter of time before this changes.

PL-2 – ETERNALBLUE: CVE-2017-0144

A leaked NSA toolkit included an armoury of digital weapons, including ETERNALBLUE and exploits for several other vulnerabilities. These vulnerabilities affect nearly all versions of Windows and lead to remote code execution. They had been exploited in secret for US national security objectives. After the leak by the Shadow Brokers in April 2017, ETERNALBLUE was used in devastating ransomware campaigns such as WannaCry, NotPetya, and Bad Rabbit, causing over $1B worth of damage across 65 countries.

PL-3 – BlueKeep (RDP): CVE-2019-0708

Disclosed in May 2019, BlueKeep is present in all unpatched versions of Microsoft Windows from Windows 2000 through Server 2008 R2, including Windows 7. While these operating systems are end of life, they are still widely deployed and, according to NetMarketShare, account for roughly 23% of all end-user desktops. Remote Desktop Protocol (RDP) is a protocol that facilitates remote access and is often exposed to the internet.

https://en.wikipedia.org/wiki/BlueKeep

PL-4 – Citrix ADC: CVE-2019-19781

On December 17, 2019, a vulnerability in Citrix ADC and NetScaler Gateway was disclosed. Mere days after the holiday break, exploit code was made public, and it has since been used in various attacks. In May 2020, Australia described a massive cyber attack underway across all levels of government and private organizations that made use of the Citrix ADC vulnerability. This vulnerability enables a remote compromise via a crafted HTTP request.

  • Affected Versions: Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0 and Citrix SD-WAN WANOP 10.2.6 and 11.0.3.
  • Discovered in 2019

PL-5 – F5 TMUI: CVE-2020-5902

On July 1, 2020, F5 announced a critical vulnerability that was swiftly weaponized on July 4 and made public on July 5 via a Metasploit module. This vulnerability affects all F5 BIG-IP products. It carries the maximum CVSS score of 10.0 and enables an attacker to access the admin console, perform directory traversal, and even obtain unauthorized shell access.

Metasploit: Metasploit is commercial-grade penetration testing software containing over four thousand exploits that can be used to test corporate systems.

  • Affected Versions: LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller and PEM versions 11.X through 15.x.
  • Discovered in 2020

PL-6 – Palo Alto GlobalProtect SSL VPN: CVE-2019-1579

Discovered in 2019, this vulnerability in the Palo Alto SSL VPN enables unauthorized access by leveraging a format string vulnerability. It was first discovered by Palo Alto and silently patched; however, a long list of unpatched deployments remains active. SSL VPNs are by design exposed to the internet, which is why this vulnerability made our top 10 list. With limited effort, an attacker can exploit it to introduce a web shell, enabling remote code execution on affected deployments.

Newer vulnerabilities were just disclosed: https://security.paloaltonetworks.com/CVE-2020-2021

PL-7 – SharePoint / IIS: CVE-2019-0604

Disclosed by the Zero Day Initiative, this critical finding in Microsoft SharePoint 2010-2019 enables remote code execution through SharePoint instances, which are often publicly exposed. Exploitation requires an attacker to upload an application package to an affected version of Microsoft SharePoint, triggering remote code execution. While a patch was available in February 2019, this vulnerability is still being exploited today and was a key finding in the Australian Cyber Attack Advisory of June 2020. APT 27 has also allegedly used this vulnerability to load web shells onto SharePoint servers at various government organizations in the Middle East.

APT: An Advanced Persistent Threat is a collective of attackers, typically a nation state or state-sponsored group, that obtains unauthorized access to target systems and remains undetected for an extended period of time. APT 27 is believed to be located in China.

  • Affected Versions:
    • Microsoft SharePoint Enterprise Server 2016
    • Microsoft SharePoint Foundation 2010 Service Pack 2
    • Microsoft SharePoint Foundation 2013 Service Pack 1
    • Microsoft SharePoint Server 2010 Service Pack 2
    • Microsoft SharePoint Server 2013 Service Pack 1
    • Microsoft SharePoint Server 2019
  • Discovered in 2019

PL-8 – Microsoft Exchange Insecure Deserialization: CVE-2020-0688

In February 2020, Microsoft patched a vulnerability in Microsoft Exchange that exposed over four hundred thousand deployments to potential remote code execution. To exploit this finding, an attacker requires any valid credential at the target organization, which can easily be recovered through phishing or other means. As of March 3, 2020, an exploit had been merged into the Metasploit code base and the vulnerability is being actively exploited in the wild. It takes advantage of an insecure object deserialization process running as SYSTEM, so exploitation can lead to a full remote system compromise.

PL-9 – Apache Struts: CVE-2017-5638

This infamous vulnerability, which led to the Equifax breach in 2017, enables an attacker to compromise websites running vulnerable versions of the Apache Struts framework. Apache Struts is a framework for Java-based applications and is used by banks, government organizations, and Fortune 500 companies. Exploitation allows an attacker to execute arbitrary commands via a crafted file-upload attempt.

PL-10 – Telerik UI Insecure Deserialization: CVE-2019-18935

Discovered in December 2019, a vulnerability in Telerik UI for ASP.NET could allow remote code execution via insecure deserialization in the RadAsyncUpload function. Successful exploitation enables code execution in the context of a privileged process and potentially a full system compromise. Telerik is a popular web application UI suite, and widespread exploitation of this vulnerability has been reported in the Australian Copy Paste Compromise advisory. Successful exploitation requires access to encryption keys, which were hardcoded up until the disclosure of CVE-2017-11317.

  • Affected versions: releases before R2 2017 (2017.2.711) are at risk; R2 2017 SP2 (2017.2.711) through R3 2019 (2019.3.917) are affected
  • Discovered in 2019
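The version windows quoted in this list are the input a vulnerability management program actually works from, so here is an added example (not Packetlabs code) that triages a constructed asset inventory against two of the windows above: Telerik UI 2017.2.711 through 2019.3.917 for CVE-2019-18935 (with earlier builds flagged as at risk because of the hardcoded keys) and F5 BIG-IP 11.x through 15.x for CVE-2020-5902. The product keys and the inventory records are assumptions made up for the demonstration.

```python
"""Triage an inventory against affected-version windows quoted in the article."""
from typing import Dict, List, Optional, Tuple

# Inclusive window for CVE-2019-18935 as stated in the article; builds below
# the low end are still at risk because of the hardcoded keys (CVE-2017-11317).
TELERIK_LOW = "2017.2.711"
TELERIK_HIGH = "2019.3.917"
F5_AFFECTED_MAJORS = range(11, 16)  # "11.x through 15.x" for CVE-2020-5902


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2019.3.917' into (2019, 3, 917) so tuples compare numerically.
    Plain string comparison would rank '2017.2.711' above '2019.10.1'."""
    return tuple(int(part) for part in version.strip().split("."))


def telerik_status(version: str) -> Optional[str]:
    v = parse_version(version)
    if v < parse_version(TELERIK_LOW):
        return "at-risk (pre-2017.2.711, hardcoded keys CVE-2017-11317)"
    if v <= parse_version(TELERIK_HIGH):
        return "CVE-2019-18935"
    return None  # newer than R3 2019: outside the quoted window


def f5_status(version: str) -> Optional[str]:
    major = parse_version(version)[0]
    return "CVE-2020-5902" if major in F5_AFFECTED_MAJORS else None


# Hypothetical product keys used by this example's inventory format.
CHECKS = {"telerik-ui": telerik_status, "f5-bigip": f5_status}

# Constructed inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "web-01", "product": "telerik-ui", "version": "2019.3.917"},
    {"host": "web-02", "product": "telerik-ui", "version": "2020.1.114"},
    {"host": "web-03", "product": "telerik-ui", "version": "2016.3.1018"},
    {"host": "lb-01", "product": "f5-bigip", "version": "15.1.0"},
    {"host": "lb-02", "product": "f5-bigip", "version": "16.0.0"},
]


def triage(inventory: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, finding) pairs for every asset inside an affected window."""
    findings = []
    for asset in inventory:
        check = CHECKS.get(asset["product"])
        status = check(asset["version"]) if check else None
        if status:
            findings.append((asset["host"], status))
    return findings
```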

Are you affected?

At Packetlabs, we specialize in Penetration Testing and Application Security. If you are concerned that you may be impacted by any of the top 10 critical vulnerabilities outlined in this article, we would be more than happy to help. Implementing a vulnerability management program helps to prioritize the application of security patches and reduce risk within your organization. Vulnerability scans should run at least quarterly; in large organizations, we often recommend weekly scans given the size and complexity of the environment. Book time with us to get started.