One lesson from 2020 is clear: Patching security holes must be a high priority for security operations teams throughout this year and beyond. While the newest vulnerabilities often get the most media attention, attackers frequently look for low-hanging fruit such as older, easier-to-exploit vulnerabilities that exist in widely used systems and applications.
Proper patching reduces risk, yet many businesses fall behind when testing and deploying the security updates they need to close the attackers’ doors. There are several reasons organizations fail to keep up, from the inability to thoroughly test new updates, to the challenge of prioritizing large numbers of vulnerabilities. For example, every month on Patch Tuesday, Microsoft shares patches for dozens of CVEs identified in its products — and that’s not including out-of-band updates and temporary mitigations for zero-day vulnerabilities that have been discovered in the wild. Organizations cannot ignore the importance of organizing and prioritizing updates when managing their cybersecurity risk.
Of the thousands of CVEs reported in 2020, some stand out. To help you prioritize vulnerability management and assess how you handled the challenges of 2020, we’ve compiled a list of some of 2020’s most troublesome vulnerabilities covered by CrowdStrike’s Falcon Spotlight™ vulnerability management solution. These vulnerabilities stand out for their criticality and the damage they can cause when exploited, and each of them should be prioritized and patched by organizations to reduce risk.
10 Critical Vulnerabilities in 2020
- CVE-2020-1472: Also known as Zerologon, this CVE was one of the most well-publicized vulnerabilities of 2020. It has also been covered extensively by CrowdStrike’s identity threat protection team and Falcon Spotlight team. Zerologon is a critical privilege escalation issue impacting Microsoft Active Directory. The vulnerability resides in the Windows Netlogon Remote Protocol and enables an unauthenticated attacker to compromise domain controllers. Once news of the vulnerability became public, attackers quickly moved to incorporate exploits in their toolkits. Note that as of February 2021, “enforcement mode” was automatically enabled on all Windows Domain Controllers, which will block vulnerable connections from non-compliant third-party devices.
- CVE-2020-0601: This Windows vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. As a result, an attacker can craft TLS (transport layer security) certificates that appear to originate from a trusted certificate authority (CA) and use them to sign a malicious executable. If the vulnerability is exploited successfully, it could enable an attacker to launch man-in-the-middle attacks or deliver malicious files that appear digitally signed and trusted, potentially evading security applications. Read more in this blog, “CrowdStrike Delivers Protection for Critical Windows Certificate Spoofing Vulnerability.” It is important to note that this vulnerability marked the first time that the U.S. National Security Agency (NSA) was publicly credited by Microsoft for disclosing a bug — and in the year since, it has been used by threat actors.
- CVE-2020-0646: This vulnerability is a remote code execution issue that occurs when the Microsoft .NET Framework fails to validate inputs properly. An attacker could use it to take control of an affected system. To exploit the vulnerability successfully, an attacker would need to pass specific information to an application utilizing susceptible .NET methods.
- CVE-2020-1147: CVE-2020-1147 is a vulnerability affecting the .NET Framework, Microsoft SharePoint and Visual Studio. It exists when the software fails to check the source markup of XML file input. If exploited, an attacker could use it to run arbitrary code in the process responsible for the XML content’s deserialization. To exploit this flaw, a threat actor could upload a specially crafted document to a server using an affected product to process content.
- CVE-2020-0640: This vulnerability is caused by Internet Explorer improperly accessing objects in memory. The vulnerability could allow an attacker to execute arbitrary code in the context of the current user. To launch this attack, the threat actor could host a malicious website designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites, or websites that accept or host user-provided content or advertisements by adding specially crafted content to exploit the vulnerability. In all cases, the attacker would have to trick or force a user to view the attacker-controlled content.
- CVE-2020-0605: CVE-2020-0605 is a vulnerability in .NET software due to a failure to check the source of the markup of a file. A successful exploit could enable remote code execution, potentially allowing the attacker to take full control of a vulnerable system. Exploiting the vulnerability requires tricking a user into opening a specially crafted file with an affected version of the .NET Framework.
- CVE-2020-0606: This vulnerability is another issue in .NET software that can enable remote code execution if successfully exploited. Like CVE-2020-0605, it can be leveraged by an attacker via a specially crafted file.
- CVE-2020-0609: A Remote Desktop Gateway vulnerability, CVE-2020-0609 allows an unauthenticated attacker to execute code remotely. The vulnerability requires no user interaction and could be used to install programs; view, change or delete data; or create new accounts with full user rights.
- CVE-2020-0610: CVE-2020-0610 is also a Remote Desktop Gateway vulnerability. Like CVE-2020-0609, it can be exploited to remotely execute code, and it only affects UDP transport, which by default runs on UDP port 3391.
- CVE-2020-0611: This remote code execution vulnerability exists in the Windows Remote Desktop client when a user connects to a malicious server. To exploit this issue successfully, an attacker would need to force or trick a user into connecting to a server under the attacker’s control, which could be done via social engineering, DNS poisoning or other techniques. The threat actor could also compromise a legitimate server and simply wait for a user to connect.
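The Zerologon entry above notes that enforcement mode blocks vulnerable Netlogon connections from non-compliant devices; before that switch flips, defenders want to know which machine accounts are still making such connections. The following is an added example (not from the original post or from CrowdStrike) that triages the Netlogon event IDs Microsoft documented for its Zerologon rollout (5827/5828 denied, 5829 allowed-but-vulnerable, 5830/5831 allowed by group policy exception). It assumes the Domain Controller's System log was exported as JSON lines; the field names and sample records are constructed and simplified.

```python
"""Triage Netlogon events relevant to CVE-2020-1472 (Zerologon) enforcement.

Assumption (not from the original post): events were exported from the Domain
Controller's System log as JSON lines, one record per line. The records in
SAMPLE_LOG are constructed samples, not real telemetry.
"""
import json
from collections import defaultdict

# Event IDs Microsoft documented for the Zerologon enforcement rollout.
DENIED = {5827, 5828}             # vulnerable secure channel connection was blocked
ALLOWED_VULNERABLE = {5829}       # still permitted (enforcement not yet active)
ALLOWED_BY_POLICY = {5830, 5831}  # permitted only via the "Allow vulnerable" policy exception

# Constructed sample export (simplified field names).
SAMPLE_LOG = """\
{"EventID": 5829, "Computer": "DC01", "MachineAccount": "OLD-NAS$", "OperatingSystem": "Unknown"}
{"EventID": 5829, "Computer": "DC01", "MachineAccount": "OLD-NAS$", "OperatingSystem": "Unknown"}
{"EventID": 5830, "Computer": "DC01", "MachineAccount": "PRINTSRV$", "OperatingSystem": "Embedded"}
{"EventID": 5827, "Computer": "DC02", "MachineAccount": "LEGACY-PBX$", "OperatingSystem": "Unknown"}
{"EventID": 5805, "Computer": "DC02", "MachineAccount": "WS-042$", "OperatingSystem": "Windows 10"}
"""


def triage_netlogon_events(log_text):
    """Return {category: {machine_account: [reporting DCs]}} for the events of interest."""
    findings = {"denied": defaultdict(set),
                "allowed_vulnerable": defaultdict(set),
                "allowed_by_policy": defaultdict(set)}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        eid = rec.get("EventID")
        if eid in DENIED:
            bucket = "denied"
        elif eid in ALLOWED_VULNERABLE:
            bucket = "allowed_vulnerable"
        elif eid in ALLOWED_BY_POLICY:
            bucket = "allowed_by_policy"
        else:
            continue  # unrelated Netlogon noise (e.g. 5805 in the sample)
        findings[bucket][rec["MachineAccount"]].add(rec.get("Computer", "?"))
    return {k: {acct: sorted(dcs) for acct, dcs in v.items()} for k, v in findings.items()}


def will_break_under_enforcement(findings):
    """Machine accounts still using vulnerable connections; enforcement mode will block them."""
    return sorted(findings["allowed_vulnerable"])
```

Accounts in `allowed_by_policy` keep working after enforcement but represent an explicit exception that should be reviewed and retired.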
Looking Forward in 2021 and Beyond
As the number of vulnerabilities increases, keeping pace with the threat landscape means continuously assessing IT assets and ensuring the approach being taken best suits your organization’s needs. Legacy vulnerability management tools have multiple drawbacks — they are often bulky and slow down systems during scanning, and they also have numerous blind spots, which have been exacerbated by the growth of remote work, cloud adoption and virtualization. Assets not connected to the corporate network will be missed with a network-based scanning solution, leaving a potential hole for criminal hackers to exploit.
A more modern approach is needed — one that does not risk slowing the business down or missing systems and applications that are part of an organization’s growing hybrid environment. CISOs and CIOs should re-evaluate their vulnerability assessment/management solutions to ensure they are still effectively addressing the weaknesses their organizations face. Those solutions should be able to effectively identify and prioritize vulnerabilities that are critical to the business. This is why choosing a solution such as Falcon Spotlight is vital for IT staff to improve their efficiency and time to respond in order to properly remediate vulnerabilities before it’s too late.