A deep dive into CISA’s catalog of 311 known exploited vulnerabilities reveals a plethora of vendors who have multiple products affected by several vulnerabilities. We looked into the products with the most vulnerabilities and the maximum CVEs associated with them. Let us take a closer look at the Top 5 worst-affected products.
Product Density Map
We have already looked at the top vendors affected, where Microsoft, Apple, and Google share the top three positions with the most vulnerabilities. When we look at the product density map, however, Google and Microsoft take pole positions, appearing twice in the same list, but for different products. Ruling the roost, Chrome and Exchange Servers share 10 vulnerabilities each. Apple creates a neat divide to the table with 9 vulnerabilities affecting iOS. Chromium V8 and Windows Win32K take up 9 and 7 pieces each to make it the fourth and fifth worst affected products by number of associated vulnerabilities.
A detailed list of product versions affected is listed at the end of this article as a ready-reckoner that can be referred to during remediation.
Google Chrome
Google Chrome has the highest number of vulnerabilities affecting it. With a total of 10 unique CVEs, it stands atop the product density list, alongside Microsoft Exchange Server.
|
CVE ID |
CVSS v3 Score | Severity |
APT Associations |
Ransomware Associations |
CWE Enumeration |
CISA Patch Deadline |
|
9.6 | CRITICAL |
n/a |
n/a |
CWE-416 |
November 2021 | |
|
9.6 | CRITICAL |
n/a |
n/a |
CWE-416 |
November 2021 |
|
|
9.6 | CRITICAL |
n/a |
n/a |
CWE-416 |
May 2022 |
|
|
8.8 | HIGH |
n/a |
n/a |
CWE-119 |
November 2021 |
|
|
8.8 | HIGH |
n/a |
n/a |
CWE-416 |
November 2021 |
|
|
8.8 | HIGH |
n/a |
n/a |
CWE-843 |
November 2021 |
|
|
8.8 | HIGH |
n/a |
n/a |
CWE-787 |
November 2021 |
|
|
8.8 | HIGH |
n/a |
n/a |
CWE-416 |
November 2021 |
|
|
6.5 | MEDIUM |
n/a |
n/a |
CWE-787 |
November 2021 |
|
|
6.5 | MEDIUM |
n/a |
n/a |
N/A |
November 2021 |
Some Google Chrome vulnerabilities that are worthy of mention are:
-
CVE-2021-37973, a use after free zero-day vulnerability that leads to remote code execution and affects the portals in Google Chrome versions prior to v94.0.4606.61.
-
Most of the vulnerabilities associated with Chrome in 2021 were zero-day flaws that require immediate remediation to avoid exploitation attacks.
Microsoft Exchange Server
Microsoft Exchange Server leads the product tally with a total of 10 unique CVEs affecting a variety of products.
The Exchange Server has also been plagued by ransomware attacks in the last couple of months. Here is a detailed analysis of the 10 CVEs.
|
CVE ID |
CVSS v3 Score | Severity |
APT Associations |
Ransomware Associations |
CWE Enumeration |
CISA Patch Deadline |
|
9.8 | Critical |
10 |
3 |
N/A |
April 2021 |
|
|
9.8 | Critical |
1 |
3 |
N/A |
November 2021 |
|
|
9.8 | Critical |
1 |
2 |
CWE-269 |
November 2021 |
|
|
8.8 | High |
1 |
2 |
CWE-798 |
May 2022 |
|
|
8.8 | High |
– |
– |
N/A |
December 2021 |
|
|
8.4 | High |
– |
– |
N/A |
May 2022 |
|
|
7.8 | High |
9 |
2 |
N/A |
April 2021 |
|
|
7.8 | High |
9 |
4 |
N/A |
April 2021 |
|
|
7.8 | High |
9 |
2 |
N/A |
April 2021 |
|
|
7.2 | High |
1 |
2 |
N/A |
November 2021 |
MS Exchange vulnerabilities that are worthy of mention are:
-
The ProxyLogon vulnerabilities comprise four flaws – CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 – each being crucial for organizations to fix since multiple ransomware and APT groups have exploited them in the wild.
-
A Google Trends analysis of the aforementioned vulnerabilities finds the following trends in the past year.
|
CVE-2021-26855 |
|
|
|
CVE-2021-26857 |
|
|
|
CVE-2021-26858 |
|
|
|
CVE-2021-27065 |
|
|
-
The vulnerabilities tagged as CVE-2021-31207, CVE-2021-34473, CVE-2021-34523 comprise what is popularly known as the ProxyShell vulnerabilities. CVE-2021-34473, which was recently exploited by Blackbyte ransomware, was noted trending in Australia, Germany, and India in the last 90 days.
|
CVE-2021-31207 |
|
|
|
CVE-2021-34473 |
|
|
|
CVE-2021-34523 |
|
|
-
MS Exchange vulnerabilities have been associated with major ransomware groups such as Conti, Petya, Ryuk, WannaCry, Lockfile, Magniber, Vice Society, and more recently, BlackByte.
Apple iOS
Apple’s iOS has a total of nine vulnerabilities associated with it, giving Apple the third position on the products affected list.
|
CVE ID |
CVSS v3 Score | Severity |
APT Associations |
Ransomware Associations |
CWE Enumeration |
CISA Patch Deadline |
|
9.8 | CRITICAL |
n/a |
n/a |
N/A |
November 2021 |
|
|
9.8 | CRITICAL |
n/a |
n/a |
N/A |
November 2021 |
|
|
8.8 | HIGH |
n/a |
n/a |
CWE-416 |
November 2021 |
|
|
8.8 | HIGH |
n/a |
n/a |
CWE-120 |
November 2021 |
|
|
8.8 | HIGH |
n/a |
n/a |
CWE-787 |
November 2021 |
|
|
8.8 | HIGH |
n/a |
n/a |
CWE-416 |
November 2021 |
|
|
7.8 | HIGH |
n/a |
n/a |
CWE-190 |
November 2021 |
|
|
7.0 | HIGH |
n/a |
n/a |
CWE-362 | CWE-269 |
November 2021 |
|
|
6.1 | MEDIUM |
1 |
n/a |
CWE-79 |
November 2021 |
Here are some iOS vulnerabilities that are worthy of mention:
-
Two high severity vulnerabilities which include CVE-2021-30860, the other being CVE-2021-30858, were found trending in the wild over the last month. Interestingly, both the vulnerabilities have been linked to the infamous Pegasus Spyware zero-click iMessages attack in September 2021.
2. CVE-2021-30860 was seen trending mostly in Canada, France, and Germany
this year.
-
Two zero-day vulnerabilities of interest that affect the Webkit Storage in iOS devices are CVE-2021-30761 and CVE-2021-30762. Both vulnerabilities lead to arbitrary code execution attacks.
Google Chromium V8
Google appears twice in the list of Top products affected, with Chromium V8 affected by 8 vulnerabilities.
|
CVE ID |
CVSS v3 Score | Severity |
APT Associations |
Ransomware Associations |
CWE Enumeration |
CISA Patch Deadline |
|
8.8 | HIGH |
n/a |
n/a |
CWE-787 |
November 2021 |
|
|
8.8 | HIGH |
n/a |
n/a |
CWE-416 |
November 2021 |
|
|
8.8 | HIGH |
n/a |
n/a |
CWE-119|CWE-20 |
November 2021 |
|
|
8.8 | HIGH |
n/a |
n/a |
CWE-843 |
November 2021 |
|
|
8.8 | HIGH |
n/a |
n/a |
CWE-843 |
November 2021 |
|
|
8.8 | HIGH |
n/a |
n/a |
CWE-787|CWE-843 |
May 2022 |
|
|
8.8 | HIGH |
n/a |
n/a |
CWE-787 |
May 2022 |
|
|
6.5 | MEDIUM |
n/a |
n/a |
CWE-787|CWE-843 |
May 2022 |
|
|
– |
– |
– |
– |
December 2021 |
Some Chromium V8 vulnerabilities of interest are as follows:
-
CVE-2020-6418, is a remote code execution type confusion in Chromium V8 in Google Chrome versions prior to 80.0.3987.122. It allows an attacker to remotely exploit heap corruption via a maliciously crafted HTML page. It was exploited through vulnerability chaining by a threat actor in the past. The patch for the vulnerability was released in February 2020.
-
Our security analysts sensed malicious possibilities and advised users to address the following issue immediately. CVE-2021-30551, a trending zero-day vulnerability in Chrome’s Javascript engine which has privilege escalation capabilities. On June 10, 2021, CISA issued a warning alert to urge users to patch these Chrome vulnerabilities that could allow an attacker to hijack affected systems.
-
CVE-2021-30551 was seen trending primarily in Canada and the United States in 2021.
Microsoft Windows Win32K
Microsoft Windows Win32K, with 7 unique CVEs affecting its products tie Microsoft alongside Google with two products each in the top 5.
|
CVE ID |
CVSS v3 Score | Severity |
APT Associations |
Ransomware Associations |
CWE Enumeration |
CISA Patch Deadline |
|
7.8 | HIGH |
1 |
n/a |
CWE-269 |
November 2021 |
|
|
7.8 | HIGH |
1 |
n/a |
CWE-269 |
November 2021 |
|
|
7.8 | HIGH |
n/a |
n/a |
N/A |
May 2022 |
|
|
7.8 | HIGH |
n/a |
n/a |
N/A |
May 2022 |
|
|
7.8 | HIGH |
n/a |
2 |
N/A |
May 2022 |
|
|
7.8 | HIGH |
1 |
1 |
N/A |
May 2022 |
|
|
7.8 | HIGH |
n/a |
n/a |
CWE-787 |
May 2022 |
It is interesting to note that the vulnerabilities affecting Windows Win32K are all escalation of privileges vulnerabilities.
CSW Vendor-specific Patch Watch notifications are a lifeline for organizations looking for product-specific information.
CSW security experts and researchers have provided Vendor-specific patch watch notifications and have called out more than 198 of the 311 vulnerabilities detailed by CISA in their Known Exploited Vulnerabilities (KEV) catalog.
It is a priority for organizations to take immediate action towards patching these exploited vulnerabilities. At CSW, our expert pentesters and security researchers can help prioritize the patching of the vulnerabilities and conduct monthly or quarterly assessments to improve your cyber hygiene, thereby enhancing your organization’s security posture.
A list of the vulnerabilities mentioned in the blog having ransomware and threat group associations is detailed below. These vulnerabilities should be given special importance since some of them are trending and are being actively exploited by these attackers.
For a more comprehensive list of CVEs connected to ransomware, please visit our blog.
Our security researchers have also put together a list of product versions affected by the vulnerabilities covered in this blog. The list can be used as a ready-reckoner by organizations to help remediate the mentioned vulnerabilities.
CSW’s Vulnerability Management as a Service (VMaaS) offers full coverage encompassing your entire IT landscape and detects, prioritizes,
and fixes vulnerabilities on your organizational infrastructure.
To know more about CSW’s Vulnerability Management as a Service (VMaaS),
please click here.