Behind the Scenes: How We Picked 2021’s Top Vulnerabilities – and What We Left Out
The 2021 Threat Landscape Retrospective explored the top five vulnerabilities of the year. Learn about other high-impact vulnerabilities that nearly made our list.
When putting together the Threat Landscape Retrospective (TLR) for 2021, the Security Response Team had a particularly difficult challenge picking the top five vulnerabilities for the year out of the many candidates.
In this blog post, we’re pulling back the curtain on our selection process, both to highlight the high-impact vulnerabilities that almost made the cut and to discuss our methodology for selecting the top five.
Our goal is to complement the TLR, whose mission is to help cybersecurity professionals with ongoing analysis of the threat landscape, including government, vendor and researcher advisories on important vulnerabilities and noteworthy incidents.
How we chose the 2021 Top 5
When we compiled the top five vulnerabilities for the 2020 TLR, it was easier to select distinct, individual CVEs. As a matter of fact, most of 2020’s top five CVEs continue to haunt organizations well into 2021. One of them — CVE-2020-1472, aka Zerologon — even carried over to the 2021 top five).
On the other hand, 2021 was more about clusters of vulnerabilities that illustrated the cybersecurity landscape. Therefore, we selected “representative” CVEs — selecting a single vulnerability out of a cluster that effectively epitomized a class of flaws or a particular product that was highly targeted throughout the year. For example, the full TLR covers eight vulnerabilities in Microsoft Exchange Server, but CVE-2021-26855, aka ProxyLogon, was the first to gain broad exploitation that continues to this day.
That brings us to another key decision criteria for the top five: long term impact. You may notice that CVE-2021-44228, aka Log4Shell, does not appear on the list. That is because the long term effects of the vulnerabilities in Log4j 2.0 remain to be seen. We may see long term exploitation of these flaws but, when we published the 2021 TLR, they were still too new to have that level of impact. In our analysis, we find time and again that the vulnerabilities with a long tail are the biggest risk to organizations.
Zero-day vulnerabilities typically become more problematic for most organizations after they’ve made the transition to legacy status.
In short, here are our key criteria for selecting the top five vulnerabilities:
- Representative of a product that has been highly targeted by threat actors
- Has had sustained and widespread exploitation
- Offers high value in attack chains
- Affects ubiquitous products or protocols
Now, let us explore how the vulnerabilities that didn’t make the Top 5 measure up against these criteria.
|CVE||Description||CVSSv3 Score||Tenable VPR*|
|CVE-2021-26855||Microsoft Exchange Server remote code execution||9.8||9.9|
|CVE-2021-34527||Windows Print Spooler remote code execution||8.8||9.8|
|CVE-2021-21985||VMware Vsphere remote code execution||9.8||9.4|
|CVE-2021-22893||Pulse Connect Secure authentication bypass||10||10.0|
|CVE-2020-1472||Windows Netlogon protocol elevation of privilege||10||10.0|
|CVE-2021-20016||SonicWall SMA SQL injection||9.8||9.7|
|CVE-2021-40444||Windows MSHTML remote code execution||7.8||9.9|
|CVE-2021-30116||Kaseya VSA credential exposure||9.8||9.7|
|CVE-2021-36942||Windows LSA spoofing vulnerability||5.3||5.0|
|CVE-2021-27101||Accellion FTA SQL injection||9.8||9.0|
* Please note Tenable VPR scores are calculated nightly. This blog post was published on March 13, 2022 and reflects VPR at that time.
CVE-2021-20016: SonicWall SMA zero day
In January 2021, SonicWall disclosed that its internal systems were breached by threat actors, and in February it followed up with an advisory for CVE-2021- 20016, a zero-day vulnerability in its Secure Mobile Access (SMA) SSL VPN. Discovered by NCC Group, CVE-2021-20016 is a SQL injection vulnerability that allows a remote, unauthenticated attacker to access login credentials and session information.
The attacks exploiting CVE-2021-20016 were tied to the FiveHands ransomware by Mandiant, though the NCC Group also saw “indication of indiscriminate” exploitation shortly after SonicWall’s initial announcement, before patches were available. NCC Group did not release significant details or a proof-of-concept (PoC) for CVE-2021-20016 because they didn’t want to facilitate future attacks.
Per the @SonicWall advisory - https://t.co/teeOvpwFMD - we've identified and demonstrated exploitability of a possible candidate for the vulnerability described and sent details to SonicWall - we've also seen indication of indiscriminate use of an exploit in the wild - check logs— NCC Group Research & Technology (@NCCGroupInfosec) January 31, 2021
Why it didn’t make the cut
While CVE-2021-20016 fits many of the criteria used to select the top five, it just barely missed out on inclusion because it did not quite have the same effect as those that made the cut. Perhaps because no PoC was published, we did not see widespread exploitation on the scale of vulnerabilities like ProxyLogon, PrintNightmare or even other vulnerabilities in SSL VPNs. On that note, we felt that the flaw in Pulse Connect Secure was much more illustrative of the risks to VPN products. Because CVE-2021-22893 was already in the top five, we felt the remaining slots were best used for other illustrative vulnerabilities in order to give a full view of the threat landscape.
CVE-2021-40444: Microsoft MSHTML zero day
CVE-2021-40444 is a remote code execution vulnerability in Microsoft’s MSHTML (Trident) platform. Microsoft announced the vulnerability on September 7, 2021, in response to active exploitation but did not release patches until that month’s dedicated Patch Tuesday a week later. By then, nearly two dozen PoC repositories had been published on GitHub. To exploit this vulnerability, an attacker would use social engineering like phishing to convince targets to open a malicious Microsoft Office document.
CVE-2021-40444 was exploited as a zero day in limited, targeted attacks and continues to be exploited, notably in targeted cyberespionage attacks by an advanced persistent threat group. After the full advisory was published, Microsoft confirmed that “multiple threat actors, including ransomware-as-a-service affiliates” had adopted CVE-2021-40444.
While RiskIQ did find that initial attacks exploiting CVE-2021-40444 shared common infrastructure with the Ryuk ransomware family, the researchers were careful to note that this overlap is inconclusive.
Why it didn’t make the cut
Despite being adopted by ransomware groups, the primary attacks exploiting CVE-2021-40444 were targeted and leveraged specially tailored phishing lures that require user interaction. This specificity limits the scope of this vulnerability and, while we expect to see it used in ongoing phishing attacks, it did not meet the level of concern we felt for the Microsoft Exchange vulnerabilities.
CVE-2021-30116, CVE-2021-30119, CVE-2021-30120: Kaseya VSA
There is an unfortunate precedent of cybersecurity incidents ruining a holiday weekend. Chief among them in 2021, Kaseya Limited announced on July 5 that three zero-day vulnerabilities in its Virtual System Administrator (VSA) remote monitoring and management software were exploited in a large-scale ransomware attack later tied to the REvil ransomware group.
|CVE-2021-30116||Insufficiently protected credentials||9.8||9.7|
|CVE-2021-30120||Incorrect authorization vulnerability||7.5||5.1|
The disclosure and investigation of this incident was a whirlwind, developing quickly over the Fourth of July holiday weekend in the United States. The attack was first reported on July 2 and patches were released on July 11.
Since the incident in July, more vulnerabilities have been disclosed in Kaseya products, but none have been exploited in the wild, and one (CVE-2021-40386) remains unpatched at the time this blog post was published.
Why it didn’t make the cut
This set of vulnerabilities falls into the subcategory of zero days that made a big splash, but it didn’t have the long tails we have seen on other vulnerabilities in the top five. According to Kaseya, “only a very small percentage of our customers were affected — currently estimated at fewer than 40 worldwide.” Interestingly, only CVE-2021-30116 has been added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities Catalog. While that doesn’t necessarily mean there hasn’t been known exploitation of the other vulnerabilities, it does offer additional context for evaluating these vulnerabilities against the rest of the top five.
Somewhat unique on this list is PetitPotam, which is a new technology LAN manager (NTLM) relay attack rather than a distinct vulnerability. Originally disclosed by Gilles Lionel, PetitPotam can force domain controllers to authenticate to an attacker-controlled destination. Shortly after disclosure, the PoC was adopted by ransomware groups like LockFile. At first, Microsoft labeled this issue as “won’t fix,” and continues to primarily rely on its general mitigation guidance for defending against NTLM Relay Attacks.
There is a vulnerability associated with this attack, CVE-2021-36942, which is a Windows LSA Spoofing Vulnerability that received a CVSSv3 score of 7.8 and was patched in August’s Patch Tuesday release. However, later reports indicate that this patch was incomplete. It is important to note that, in this case, the vulnerability itself does not represent the true risks of this attack vector.
Why it didn’t make the cut
PetitPotam has seen similar use to Zerologon by threat actors but with a smaller attack surface and more limited adoption. The CVE associated with PetitPotam does have the lowest CVSSv3 score on the list but that wasn’t a factor in our decision. It is perhaps more notable that a vulnerability with a score of 5.3 made it into the top 10 at all.
CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104: Accellion File Transfer Appliance
At the end of 2020 and into the beginning of 2021, a large number of organizations — we have tracked more than 40 — were breached using four zero day vulnerabilities in Accellion’s File Transfer Appliance (FTA).
|CVE-2021-27102||Operating system command injection||7.8||8.4|
|CVE-2021-27103||Server-side request forgery||9.8||8.4|
|CVE-2021-27104||Operating system command injection||9.8||8.4|
Almost immediately upon the announcement of these attacks, some were traced back to the Clop/CL0P ransomware group. Disclosures of breaches linked to Accellion FTA continued to occur throughout the beginning of 2021, making these zero days some of the most exploited vulnerabilities in the first half of the year.
Why it didn’t make the cut
While these vulnerabilities had considerable impact on the organizations breached using them, the effects were relatively short-lived. Attacks exploiting Accellion peaked in January 2021 and these vulnerabilities don’t appear to have the long tail that characterize those in the top five.
Common themes among the outliers
One thing that stands out for several of these entries is that they are not a distinct CVE but rather groups or chains of vulnerabilities. While this wasn’t a conscious decision factor when we selected the top five, it shows an important component of our decision criteria. We sought out vulnerabilities that not only represented considerable, long-term risks to organizations but also those that were uniquely illustrative. We could have compiled the top five just out of flaws in Microsoft Exchange Server and Print Spooler but decided to instead highlight a diverse set of products that many organizations might deploy.
Also interesting is that the vulnerabilities that did not make the cut were all zero days, while only two of the final top five were. While we did see more threat actors exploiting zero days in attacks this year, 83% of the zero days we tracked for the 2021 TLR were exploited in the wild, unpatched known vulnerabilities continue to be a fertile ground for attackers.
While the effects of these vulnerabilities were acutely felt by those organizations breached using them, the wide-scale impact was lacking. Attackers have a plethora of vulnerabilities from which to choose, and the vulnerabilities that did make it into the top five represent those that a large number of attackers chose to exploit in a greater number of attacks than those that just missed the cut. That being said, organizations with any of the vulnerabilities discussed here should immediately set a plan to identify and remediate any affected assets.
Identifying affected systems
Tenable has released scan templates for Tenable.io, Tenable.sc and Nessus Professional which are pre-configured to allow quick scanning for the vulnerabilities discussed in this report. In addition, Tenable.io customers have a new dashboard and widgets in the widgets library and Tenable.sc users also have a new dashboard covering the 2021 Threat Landscape Retrospective.
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable, the first Cyber Exposure platform for holistic management of your modern attack surface.
Get a free 30-day trial of Tenable.io Vulnerability Management.
Are You Vulnerable to the Latest Exploits?
Enter your email to receive the latest cyber exposure alerts in your inbox.