
Stay Ahead of the Threat Curve


On 12th November 2024, CISA (Cybersecurity and Infrastructure Security Agency) along with cybersecurity agencies from the US (FBI, NSA), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ, CERT NZ), and the UK (NCSC-UK) published its Routinely Exploited Vulnerabilities advisory for 2023.

The advisory is published annually and details the vulnerabilities most actively exploited by cyber criminals during the year. For any organization looking to secure its systems and mitigate potential breaches, it is an invaluable source of information on the latest and most exploited threats.

In 2022, the exploitation of zero-day vulnerabilities surged, and the trend continued into 2023. These vulnerabilities, unknown to vendors, leave no time for patching and allow attackers to breach critical networks. Over half of the most exploited vulnerabilities in 2023 were zero-days, a significant increase from the previous year. Alongside these new flaws, many of the critical vulnerabilities CISA identified for 2023 were long-known, often remaining exploitable because of delayed patching or weak defenses.

The CISA alert (AA24-317A) lists 15 top routinely exploited vulnerabilities and 32 additional ones. Some of the most exploited vulnerabilities targeted high-impact software products from vendors such as Citrix, Cisco, Microsoft, and Atlassian. The vulnerabilities include code injection, privilege escalation, and buffer overflows, along with improper authorization and insecure deserialization.


Figure 1: CISA 2023 Top Routinely Exploited Vulnerabilities

As of now, ATI covers 13 of the top 15 and 19 of the 32 additional vulnerabilities. Work is ongoing to expand coverage in subsequent releases, ensuring that all critical vulnerabilities are addressed as new exploits and updates are identified.

Keysight’s Application and Threat Intelligence (ATI) team continuously monitors and analyzes the most recent CVE exploits so that organizations are informed about newly discovered vulnerabilities as well as older ones. Keeping security teams informed about actively exploited vulnerabilities and the most common attack techniques is an important proactive defensive measure, and one in which ATI plays a significant role.

Now let’s discuss some of the vulnerabilities CISA identified for 2023:

1. CVE-2020-1472: The “Zerologon” vulnerability exploits a weakness in the cryptographic scheme used by the Netlogon Remote Protocol (MS-NRPC), which leverages AES-CFB8 encryption. This vulnerability allows an unauthenticated attacker, within the same network, to impersonate any machine, including the Domain Controller, by manipulating the authentication process. Successful exploitation can lead to privilege escalation, potentially enabling full control over a Windows domain. ATI has covered this vulnerability in detail in our earlier blog.

2. CVE-2023-4966: A buffer overflow vulnerability in Citrix NetScaler ADC and NetScaler Gateway, caused by improper validation of input hostname data’s size and format before processing it. The issue occurs when HTTP host headers exceed a certain length, causing the system to reveal parts of its memory, which could include sensitive data such as session cookies. A remote, unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to the affected endpoint, potentially disclosing session tokens.

3. CVE-2023-42793: An authentication bypass vulnerability in JetBrains TeamCity (before version 2023.05.4). The vulnerability allows unauthenticated attackers to bypass authentication and execute remote code on the target server. This could lead to full administrative access, compromising the entire TeamCity environment. Attackers can exploit this vulnerability remotely by sending a specially crafted request. JetBrains has released a patch to address the issue. It is recommended to upgrade to the fixed version or apply the security update immediately to prevent exploitation.

4. CVE-2023-20273: This command injection vulnerability in the Web UI component of Cisco IOS XE allows a remote, authenticated attacker to run unauthorized OS commands with root-level privileges. It is caused by improper validation of IPv6 addresses submitted during software upgrades and can be exploited through crafted HTTP requests.

5. CVE-2023-22515: This is a privilege escalation vulnerability in Atlassian Confluence Data Center and Server, caused by weak access controls in the setup actions component. Key properties of the Action object can be modified through complex getter/setter chains reachable from unauthenticated endpoints. By altering the setupComplete variable, an attacker can create a new administrator account. With carefully crafted requests to the setup endpoint, an unauthenticated attacker may therefore execute arbitrary code with admin-level privileges.

6. CVE-2021-34473: This is a server-side request forgery (SSRF) vulnerability, meaning an attacker can force the vulnerable server to make requests to internal resources on the attacker’s behalf. No authentication is needed, since the requests are made by the endpoints to the backend servers, which already trust them. The vulnerability arises from a path confusion issue in which the URI is parsed incorrectly. Click here to learn more about this vulnerability.

7. CVE-2023-23397: This vulnerability in Microsoft Outlook is due to PidLidReminderFileParameter, which accepts a UNC path for reminder tones. When Outlook tries to access a remote resource through this UNC path (potentially controlled by an attacker), it initiates NTLM authentication, inadvertently exposing the user’s NTLM hash. Attackers can exploit this by sending malicious calendar appointments, capturing the NTLM hash, and relaying it to access other networked services, potentially compromising additional systems through credential theft. This blog provides a great overview of this vulnerability.
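For item 2 above (CVE-2023-4966), the condition the advisory describes is an HTTP Host header far longer than any real hostname. The following is an added example written for this post, not code from the original article or from Keysight: it parses raw HTTP/1.1 request heads and flags a Host header that exceeds the 253-character DNS name limit, contains characters a hostname cannot, or appears more than once. The sample requests are constructed; the threshold and the regular expressions are the example's own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 1035 caps a DNS name at 253 visible characters; a Host header whose name part
# is longer than this can never be a legitimate hostname, so its length alone is a
# strong signal for the oversized-Host-header condition the advisory describes.
MAX_HOSTNAME_LEN = 253

# Characters permitted in a hostname, or a bracketed IPv6 literal.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.\-]+|\[[0-9A-Fa-f:.]+\]")
PORT_SUFFIX_RE = re.compile(r":\d+$")


@dataclass
class Finding:
    method: str
    path: str
    host_len: int
    reason: str


def parse_request_head(raw: str):
    """Split an HTTP/1.1 request head into (method, path, list of header lines)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, _, header_block = head.partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[0], parts[1], header_block.split("\r\n")


def header_values(header_lines: List[str], name: str) -> List[str]:
    """Return every value of header `name` (case-insensitive), duplicates included."""
    values = []
    for line in header_lines:
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def check_host_header(raw: str, max_len: int = MAX_HOSTNAME_LEN) -> Optional[Finding]:
    """Return a Finding if the Host header is oversized, malformed or duplicated, else None."""
    method, path, headers = parse_request_head(raw)
    hosts = header_values(headers, "Host")
    if len(hosts) != 1:
        return Finding(method, path, 0, f"expected exactly one Host header, found {len(hosts)}")
    host = hosts[0]
    # Strip an optional ":port" before judging the name itself.
    port = PORT_SUFFIX_RE.search(host)
    name = host[: port.start()] if port else host
    if len(name) > max_len:
        return Finding(method, path, len(name), "Host name exceeds the DNS maximum length")
    if not HOSTNAME_RE.fullmatch(name):
        return Finding(method, path, len(name), "Host name contains characters not valid in a hostname")
    return None


def scan(requests: List[str]) -> List[Finding]:
    """Run the check over a batch of raw request heads and keep only the hits."""
    return [f for f in (check_host_header(r) for r in requests) if f is not None]


# Constructed sample requests (not captured traffic).
BENIGN = "GET /index.html HTTP/1.1\r\nHost: gateway.example.test:443\r\nUser-Agent: x\r\n\r\n"
OVERSIZED = "GET /index.html HTTP/1.1\r\nHost: " + "a" * 24000 + "\r\nUser-Agent: x\r\n\r\n"

if __name__ == "__main__":
    for finding in scan([BENIGN, OVERSIZED]):
        print(finding)
```

The same logic can run as a reverse-proxy rule or over access logs that record the Host header; the point is that the check needs no knowledge of the vulnerable endpoint, only of what a valid hostname can look like.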
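For item 7 above (CVE-2023-23397), the property to inspect on incoming calendar items is PidLidReminderFileParameter. The following is an added example, not code from the original article or from Keysight or Microsoft: given a calendar item's MAPI properties as a plain dictionary (how that dictionary is obtained from a mail-scanning hook is assumed, not shown), it classifies the item as fine, worth review (UNC path to an internal host) or to be blocked (UNC path to an external host, which would make Outlook send NTLM credentials there). The internal-suffix allowlist and the sample items are constructed.

```python
import re
from ipaddress import ip_address

# The MAPI named property the advisory describes: Outlook loads the reminder sound from
# this path, and a UNC path makes it authenticate to the named host over SMB first.
REMINDER_PROP = "PidLidReminderFileParameter"

# Matches the plain \\host\share form; other UNC spellings are deliberately left out of
# this example and would need their own patterns.
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\]+)\\(?P<share>[^\\]+)")

# Assumed allowlist of internal DNS suffixes (constructed for this example).
INTERNAL_SUFFIXES = (".corp.example.test",)


def unc_target(path):
    """Return the host named by a UNC path, or None if the value is not a UNC path."""
    m = UNC_RE.match(path or "")
    return m.group("host") if m else None


def is_internal_host(host):
    """Treat allowlisted DNS suffixes and private/loopback IPs as internal."""
    h = host.lower().rstrip(".")
    if h.endswith(INTERNAL_SUFFIXES):
        return True
    try:
        ip = ip_address(h)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback


def assess_item(properties):
    """Classify one calendar item given its MAPI properties as a name->value dict.

    Returns (verdict, explanation) where verdict is 'ok', 'review' or 'block'.
    """
    value = properties.get(REMINDER_PROP)
    if not value:
        return "ok", "no reminder file parameter set"
    host = unc_target(value)
    if host is None:
        return "ok", "reminder path is local, not a UNC path"
    if is_internal_host(host):
        return "review", f"reminder path points at internal host {host}"
    return "block", f"reminder path points at external host {host}; Outlook would send NTLM credentials there"


# Constructed sample items (not real mailbox data).
SAMPLE_ITEMS = [
    {"subject": "Team sync"},
    {"subject": "Dentist", REMINDER_PROP: r"C:\Windows\Media\Alarm01.wav"},
    {"subject": "Standup", REMINDER_PROP: r"\\fileserver.corp.example.test\sounds\ping.wav"},
    {"subject": "Invoice due", REMINDER_PROP: r"\\files.example.net\share\ping.wav"},
]


def scan_items(items):
    """Return the (subject, verdict, explanation) triples that need action."""
    results = []
    for item in items:
        verdict, why = assess_item(item)
        if verdict != "ok":
            results.append((item.get("subject", "?"), verdict, why))
    return results


if __name__ == "__main__":
    for row in scan_items(SAMPLE_ITEMS):
        print(row)
```

Internal UNC targets are only flagged for review rather than blocked because legitimate shared reminder sounds do exist; the external case is the one the advisory's credential-relay scenario depends on.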

Why Are These Vulnerabilities Still a Threat:

The most important takeaway from CISA’s 2023 advisory is that so many of these vulnerabilities have been around for quite a while now and remain front-page threats due to the delay in patching and insufficient security measures.

With these and other threats facing organizations, a continuous testing approach is required, focused on the most critical, highest-risk vulnerabilities, both old and new.

Timely patching is critical for end-user organizations and is especially relevant to vulnerabilities identified in this advisory. Organizations must establish centralized patch management processes, monitor for signs of system compromise, and utilize security tools such as EDR solutions, firewalls, and protocol analyzers.
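Monitoring for signs of compromise, as recommended above, can be made concrete for item 1 of the list (CVE-2020-1472, Zerologon). The following is an added example, not code from the original article or from Keysight: it triages the Netlogon event IDs that the August 2020 Windows update which fixed Zerologon writes to the System log under source NETLOGON (5827 and 5828 for denied vulnerable connections from machine and trust accounts, 5829 for a vulnerable connection still allowed before enforcement, 5830 and 5831 for connections allowed by a policy exception). Those IDs and meanings are taken from Microsoft's guidance for that update, not from the page; the export format and the log lines are constructed.

```python
from collections import Counter, defaultdict

# Netlogon event IDs added to the Windows System log by the August 2020 update that
# fixed Zerologon (source "NETLOGON"). Assumed from Microsoft's guidance for that
# update, not from the page.
DENIED_MACHINE = 5827      # vulnerable secure-channel connection from a machine account denied
DENIED_TRUST = 5828        # vulnerable secure-channel connection from a trust account denied
ALLOWED_VULNERABLE = 5829  # vulnerable connection still allowed (enforcement not yet on)
ALLOWED_BY_POLICY = (5830, 5831)  # allowed because a policy exception covers the account

SEVERITY = {DENIED_MACHINE: "medium", DENIED_TRUST: "high", ALLOWED_VULNERABLE: "critical"}
RANK = ("low", "medium", "high", "critical")


def parse_record(line):
    """Parse one constructed 'key=value;key=value' record into a dict; EventID becomes an int."""
    rec = dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)
    rec["EventID"] = int(rec["EventID"])
    return rec


def triage(lines):
    """Group Zerologon-related Netlogon events by account and rate each account."""
    per_account = defaultdict(Counter)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("Source") != "NETLOGON":
            continue
        eid = rec["EventID"]
        if eid in SEVERITY or eid in ALLOWED_BY_POLICY:
            per_account[rec.get("Account", "?")][eid] += 1
    report = []
    for account, counts in per_account.items():
        worst = max((SEVERITY.get(e, "low") for e in counts), key=RANK.index)
        report.append({"account": account, "severity": worst, "events": dict(counts)})
    # Highest severity first; policy exceptions surface last so they can still be reviewed.
    return sorted(report, key=lambda r: RANK.index(r["severity"]), reverse=True)


# Constructed export lines (not a real event log).
SAMPLE_LOG = """\
Time=2025-02-01T08:00:01Z;Source=Security;EventID=4624;Account=ALICE
Time=2025-02-01T08:00:05Z;Source=NETLOGON;EventID=5827;Account=OLDPRINTER$
Time=2025-02-01T08:00:09Z;Source=NETLOGON;EventID=5827;Account=OLDPRINTER$
Time=2025-02-01T08:01:00Z;Source=NETLOGON;EventID=5829;Account=LEGACYAPP$
Time=2025-02-01T08:02:00Z;Source=NETLOGON;EventID=5830;Account=EXCEPTED$
"""

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG.splitlines()):
        print(row)
```

A 5829 entry is rated critical because it means a domain controller is still accepting the vulnerable connection type; a stream of 5827 entries from one account usually points at an unpatched device that needs updating rather than an active attack, which is why it is rated lower.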

Organizations should also engage with their software providers to understand their activities under secure-by-design initiatives, in which vendors are actively taking steps to eliminate entire vulnerability classes and to adopt secure default settings.

Continuous Testing for Better Security:

BreakingPoint’s latest testing scenarios cover CISA’s 2023 Top Routinely Exploited Vulnerabilities, so security teams can now verify their defenses against these known exploits.


Figure 2: “CISA 2023 Top Routinely Exploited Vulnerabilities” Strike List


Figure 3: “CISA 2023 Additional Routinely Exploited Vulnerabilities” Strike List

Testing scenarios based on real-world situations allow teams to test and refine their defenses in a safe setting, with regular updates to CISA’s Top Exploited Vulnerabilities list so that they are always benchmarked against the most current attack vectors. BPS gives organizations all the tools needed to stay ahead of cybercrime through real-time attack simulations, comprehensive vulnerability coverage, and the latest ATI research incorporated into each test.

In Conclusion

The 2023 CISA advisory underscores the evolution of cybersecurity threats and the need for timely patching and proactive defense mechanisms. While new vulnerabilities continue to arise, most of the most widely exploited ones have been known for years, which makes it crucial to remain vigilant in maintaining strong security practices. We discussed similar trends and ongoing challenges in our earlier article on the CISA 2022 advisory.

Leverage Subscription Service to Stay Ahead of Attacks

Keysight’s Application and Threat Intelligence subscription provides daily malware updates and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. BreakingPoint customers now have access to attack campaigns for different advanced persistent threats, allowing them to test the ability of their currently deployed security controls to detect or block such attacks.


