From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25
2024-10-22 23:11:11 Author: www.tenable.com(查看原文) 阅读量:0 收藏

Tenable Security Response Team

A blue and purple background with the Tenable logo and the letters SRT with the words "Tenable Security Response Team" underneath it. This blog highlights 25 CVEs handpicked by the Security Response Team at Tenable in honor of MITRE CVE's 25th Anniversary.

Twenty five years after the launch of CVE, the Tenable Security Response Team has handpicked 25 vulnerabilities that stand out for their significance.

Background

In January 1999, David E. Mann and Steven M. Christey published the paper “Towards a Common Enumeration of Vulnerabilities” describing an effort to create interoperability between multiple vulnerability databases. To achieve a common taxonomy for vulnerabilities and exposures, they proposed Common Vulnerabilities and Exposures (CVE). In September 1999, the MITRE Corporation finalized the first CVE list, which included 321 records. CVE was revealed to the world the following month.

As of October 2024, there are over 240,000 CVEs. including many that have significantly impacted consumers, businesses and governments. The Tenable Security Response Team has chosen to highlight the following 25 significant vulnerabilities, followed by links to product coverage for Tenable customers to utilize.

25 Significant CVEs

CVE-1999-0211: SunOS Arbitrary Read/Write Vulnerability

Arbitrary ReadArbitrary WriteLocalCritical1999Why it’s significant: To our knowledge, there is no formally recognized “first CVE.” However, the GitHub repository for CVE.org shows that the first CVE submitted was CVE-1999-0211 on September 29, 1999 at 12:00AM. Because it was the first one, we’ve chosen to highlight it. The vulnerability was first identified in 1991 and a revised patch was issued in 1994.

CVE-2010-2568: Windows Shell Remote Code Execution Vulnerability

Remote Code ExecutionExploitedZero-DayLocalStuxnetHigh2010Why it’s significant: Regarded as one of the most sophisticated cyberespionage tools ever created, Stuxnet was designed to target SCADA systems in industrial environments to reportedly sabotage Iran's nuclear program. Stuxnet exploited CVE-2010-2568 as one of its initial infection vectors, spreading via removable drives. Once a compromised USB drive was inserted into a system, Stuxnet was executed automatically via the vulnerability, infecting the host machine, propagating to other systems through network shares and additional USB drives.

CVE-2014-0160: OpenSSL Information Disclosure Vulnerability

HeartbleedInformation DisclosureExploitedZero-DayNetworkCybercriminalsHigh2014Why it’s significant: Dubbed “Heartbleed” because it was found in the Heartbeat extension of OpenSSL, this vulnerability allows an attacker, without prior authentication, to send a malicious heartbeat request with a false length field, claiming the packet contains more data than it does. The receiving system would then return data from its memory extending beyond the legitimate request, which may include sensitive private data, such as server keys and user credentials. OpenSSL is used by millions of websites, cloud services, and even VPN software, for encryption, making Heartbleed one of the most widespread vulnerabilities at the time.

CVE-2014-6271: GNU Bash Shellshock Remote Code Execution Vulnerability

Shellshock Bash Bug Remote Code ExecutionExploitedZero-DayNetworkCybercriminalsCritical2014Why it’s significant: An attacker could craft an environment variable that contained both a function definition and additional malicious code. When Bash, a command interpreter used by Unix-based systems including Linux and macOS, processed this variable, it would execute the function, but also run the arbitrary commands appended after the function definition. “Shellshock” quickly became one of the most severe vulnerabilities discovered, comparable to Heartbleed’s potential impact. Attackers could exploit Shellshock to gain full control of vulnerable systems, leading to data breaches, service interruptions and malware deployment. The impact extended far beyond local systems. Bash is used by numerous services, particularly web servers, via CGI scripts to handle HTTP requests.

CVE-2015-5119: Adobe Flash Player Use After Free

Remote Code Execution Denial-of-ServiceExploitedZero-DayCybercriminalsAPT GroupsCritical2015Why it’s significant: Discovered during the Hacking Team data breach, it was quickly weaponized, appearing in multiple exploit kits. CVE-2015-5119 is a use-after-free flaw in Flash’s ActionScript ByteArray class, allowing attackers to execute arbitrary code by tricking users into visiting a compromised website. It was quickly integrated into attack frameworks used by Advanced Persistent Threat (APT) groups like APT3, APT18, and Fancy Bear (APT28). These groups, with ties to China and Russia, used the vulnerability to spy on and steal data from governments and corporations. Fancy Bear has been associated with nation-state cyber warfare, exploiting Flash vulnerabilities for political and military intelligence information gathering​. This flaw, along with several other Flash vulnerabilities, highlighted Flash’s risks, accelerating its eventual phase-out.

CVE-2017-11882: Microsoft Office Equation Editor Remote Code Execution Vulnerability

Remote Code ExecutionExploitedNetworkCybercriminalsAPT GroupsHigh2017Why it’s significant: The vulnerability existed for 17 years in Equation Editor (EQNEDT32.EXE), a Microsoft Office legacy component used to insert and edit complex mathematical equations within documents. Once CVE-2017-11882 became public, cybercriminals and APT groups included it in maliciously crafted Office files. It became one of 2018’s most exploited vulnerabilities and continues to be utilized by various threat actors including SideWinder.

CVE-2017-0144: Windows SMB Remote Code Execution Vulnerability

EternalBlueRemote Code ExecutionExploitedNetworkWannaCry NotPetyaHigh2017Why it’s significant: CVE-2017-0144 was discovered by the National Security Agency (NSA) and leaked by a hacker group known as Shadow Brokers, making it widely accessible. Dubbed “EternalBlue,” its capacity to propagate laterally through networks, often infecting unpatched machines without human interaction, made it highly dangerous. It was weaponized in the WannaCry ransomware attack in May 2017 and spread globally. It was reused by NotPetya, a data-destroying wiper originally disguised as ransomware. NotPetya targeted companies in Ukraine before spreading worldwide. This made it one of history’s costliest cyberattacks.

CVE-2017-5638: Apache Struts 2 Jakarta Multipart Parser Remote Code Execution Vulnerability

Remote Code ExecutionExploitedNetworkEquifax BreachCritical2017Why it’s significant: This vulnerability affects the Jakarta Multipart Parser in Apache Struts 2, a popular framework for building Java web applications. An attacker can exploit it by injecting malicious code into HTTP headers during file uploads, resulting in remote code execution (RCE), giving attackers control of the web server. CVE-2017-5638 was used in the Equifax breach, where personal and financial data of 147 million people was stolen, emphasizing the importance of patching widely-used frameworks, particularly in enterprise environments, to prevent catastrophic data breaches.

CVE-2019-0708: Remote Desktop Services Remote Code Execution Vulnerability

BlueKeep DejaBlue Remote Code ExecutionExploitedNetworkRansomware GroupsCybercriminalsCritical2019Why it’s significant: Dubbed "BlueKeep," this vulnerability in Windows Remote Desktop Services (RDS) was significant for its potential for widespread, self-propagating attacks, similar to the infamous WannaCry ransomware. An attacker could exploit this flaw to execute arbitrary code and take full control of a machine through Remote Desktop Protocol (RDP), a common method for remote administration. BlueKeep was featured in the Top Routinely Exploited Vulnerabilities list in 2022 and was exploited by affiliates of the LockBit ransomware group.

CVE-2020-0796: Windows SMBv3 Client/Server Remote Code Execution Vulnerability

SMBGhost EternalDarknessRemote Code ExecutionExploited NetworkCybercriminalsRansomware GroupsCritical2020Why it’s significant: Its discovery evoked memories of EternalBlue because of the potential for it to be wormable, which is what led to it becoming a named vulnerability. Researchers found it trivial to identify the flaw and develop proof-of-concept (PoC) exploits for it. It was exploited in the wild by cybercriminals, including the Conti ransomware group and its affiliates.

CVE-2019-19781: Citrix ADC and Gateway Remote Code Execution Vulnerability

Path TraversalExploitedNetworkAPT GroupsRansomware GroupsCybercriminalsCritical2019Why it’s significant: This vulnerability in Citrix Application Delivery Controller (ADC) and Citrix Gateway is significant due to its rapid exploitation by multiple threat actors, including state-sponsored groups and ransomware affiliates. By sending crafted HTTP requests, attackers could gain RCE and take full control of affected devices to install malware or steal data. The vulnerability remained unpatched for a month after its disclosure, leading to widespread exploitation. Unpatched systems are still being targeted today, highlighting the risk of ignoring known vulnerabilities.

CVE-2019-10149: Exim Remote Command Execution Vulnerability

Remote Command ExecutionExploitedNetworkAPT GroupsCybercriminalsCritical2019Why it’s significant: This vulnerability in Exim, a popular Mail Transfer Agent, allows attackers to execute arbitrary commands with root privileges simply by sending a specially crafted email. The availability of public exploits led to widespread scanning and exploitation of vulnerable Exim servers, with attackers using compromised systems to install cryptocurrency miners (cryptominers), launch internal attacks or establish persistent backdoors. The NSA warned that state-sponsored actors were actively exploiting this flaw to compromise email servers and gather sensitive information.

CVE-2020-1472: Netlogon Elevation of Privilege Vulnerability

ZerologonElevation of PrivilegeExploitedLocalRansomware GroupsAPT GroupsCybercriminalsCritical2020Why it’s significant: This vulnerability in the Netlogon Remote Protocol (MS-NRPC) allows attackers with network access to a Windows domain controller to reset its password, enabling them to impersonate the domain controller and potentially take over the entire domain. Its severity was underscored when Microsoft reported active exploitation less than two months after disclosure and the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to patch the flaw. Despite available patches, it continues to be exploited by ransomware groups, APT groups, and others, highlighting its broad and ongoing impact on network security.

CVE-2017-5753: CPU Speculative Execution Bounds Check Bypass Vulnerability

SpectreSpeculative Execution Bounds Check BypassLocalMedium2018Why it’s significant: In a speculative execution process, an idle microprocessor waiting to receive data speculates what the next instruction might be. Although meant to enhance performance, this process became a fundamental design flaw affecting the security of numerous modern processors. In Spectre’s case, an attacker-controlled process could read arbitrary memory belonging to another process. Since its discovery in January 2018, Spectre has affected nearly all modern processors from Intel, AMD and ARM. While it’s difficult to execute a successful Spectre attack, fully remediating the root cause is hard and requires microcode as well as operating system updates to mitigate the risk.

CVE-2017-5754: CPU Speculative Execution Rogue Data Cache Load Vulnerability

MeltdownSpeculative Execution Rogue Data Cache LoadLocalHigh2018Why it’s significant: Meltdown, another speculative execution vulnerability released alongside Spectre, can allow a userspace program to read privileged kernel memory. It exploits a race condition between the memory access and privilege checking while speculatively executing instructions. Meltdown impacts desktop, laptop and cloud systems and, according to researchers, may affect nearly every Intel processor released since 1995. With a wide reaching impact, both Spectre and Meltdown sparked major interest in a largely unexplored security area. The result: a slew of research and vulnerability discoveries, many of which were also given names and logos. While there’s no evidence of a successful Meltdown exploit, the discovery showcased the risk of security boundaries enforced by hardware.

CVE-2021-36942: Windows LSA Spoofing Vulnerability

PetitPotamSpoofingExploitedZero-DayNetworkRansomware GroupsHigh2021Why it’s significant: This vulnerability can force domain controllers to authenticate to an attacker-controlled destination. Shortly after a PoC was disclosed, it was adopted by ransomware groups like LockFile, which have chained Microsoft Exchange vulnerabilities with PetitPotam to take over domain controllers. Patched in the August 2021 Patch Tuesday release, the initial patch for CVE-2021-36942 only partially mitigated the issue, with Microsoft pushing general mitigation guidance for defending against NTLM Relay Attacks.

CVE-2022-30190: Microsoft Windows Support Diagnostic Tool Remote Code Execution

FollinaRemote Code ExecutionExploitedZero-DayLocalQakbot RemcosHigh2022Why it’s significant: Follina, a zero-day RCE vulnerability in MSDT impacting several versions of Microsoft Office, was later designated CVE-2022-30190. After public disclosure in May 2022, Microsoft patched Follina in the June 2022 Patch Tuesday. After disclosure, reports suggested that Microsoft dismissed the flaw’s initial disclosure as early as April 2022. Follina has been widely adopted by threat actors and was associated with some of 2021’s top malware strains in a joint cybersecurity advisory from CISA and the Australian Cyber Security Centre (ACSC), operating under the Australian Signals Directorate (ASD).

CVE-2021-44228: Apache Log4j Remote Code Execution Vulnerability

Log4ShellRemote Code ExecutionExploitedNetworkCybercriminalsAPT GroupsCritical2021Why it’s significant: Log4j, a Java logging library widely used across many products and services, created a large attack surface. The discovery of CVE-2021-44228, dubbed “Log4Shell,” caused great concern, as exploitation simply requires sending a specially crafted request to a server running a vulnerable version of Log4j. After its disclosure, Log4Shell was exploited in attacks by cryptominers, DDoS botnets, ransomware groups and APT groups including those affiliated with the Iranian Islamic Revolutionary Guard Corps (IRGC).

CVE-2021-26855: Microsoft Exchange Server Server-Side Request Forgery Vulnerability

ProxyLogonServer-Side Request Forgery (SSRF)ExploitedZero-DayNetworkAPT Groups Ransomware GroupsCybercriminalsCritical2021Why it’s significant: CVE-2021-26855 was discovered as a zero-day along with four other vulnerabilities in Microsoft Exchange Server. It was exploited by a nation-state threat actor dubbed HAFNIUM. By sending a specially crafted HTTP request to a vulnerable Exchange Server, an attacker could steal the contents of user mailboxes using ProxyLogon. Outside of HAFNIUM, ProxyLogon has been used by ransomware groups and other cybercriminals. Its discovery created a domino effect, as other Exchange Server flaws, including ProxyShell and ProxyNotShell, were discovered, disclosed and subsequently exploited by attackers.

CVE-2021-34527: Microsoft Windows Print Spooler Remote Code Execution Vulnerability

PrintNightmareRemote Code ExecutionExploitedLocalAPT GroupsRansomware GroupsCybercriminalsHigh2021Why it’s significant: This RCE in the ubiquitous Windows Print Spooler could grant authenticated attackers arbitrary code execution privileges as SYSTEM. There was confusion surrounding the disclosure of this flaw, identified as CVE-2021-34527 and dubbed “PrintNightmare.” Originally, CVE-2021-1675, disclosed in June 2021, was believed to be the real PrintNightmare. However, Microsoft noted CVE-2021-1675 is “similar but distinct” from PrintNightmare. Since its disclosure, several Print Spooler vulnerabilities were disclosed, while a variety of attackers, including the Magniber and Vice Society ransomware groups exploited PrintNightmare.

CVE-2021-27101: Accellion File Transfer Appliance (FTA) SQL Injection Vulnerability

SQL InjectionExploitedZero-DayNetworkRansomware GroupCritical2021Why it’s significant: The file transfer appliance from Accellion (now known as Kiteworks) was exploited as a zero-day by the CLOP ransomware group between December 2020 and early 2021. Mandiant, hired by Kiteworks to investigate, determined that CLOP (aka UNC2546) exploited several flaws in FTA including CVE-2021-27101. This was CLOP’s first foray into targeting file transfer solutions, as they provide an easy avenue for the exfiltration of sensitive data that can be used to facilitate extortion.

CVE-2023-34362: Progress Software MOVEit Transfer SQL Injection Vulnerability

SQL InjectionExploitedZero-DayNetworkRansomware GroupCritical2023Why it’s significant: CLOP’s targeting of file transfer solutions culminated in the discovery of CVE-2023-34362, a zero-day in Progress Software’s MOVEit Transfer, a secure managed file transfer software. CLOP targeted MOVEit in May 2023 and the ramifications are still felt today. According to research conducted by Emsisoft, 2,773 organizations have been impacted and information on over 95 million individuals has been exposed as of October 2024. This attack underscored the value in targeting file transfer solutions.

CVE-2023-4966: Citrix NetScaler and ADC Gateway Sensitive Information Disclosure Vulnerability

CitrixBleedInformation DisclosureExploitedZero-DayNetworkRansomware GroupsAPT GroupsCritical2023Why it’s significant: CVE-2023-4966, also known as “CitrixBleed,” is very simple to exploit. An unauthenticated attacker could send a specially crafted request to a vulnerable NetScaler ADC or Gateway endpoint and obtain valid session tokens from the device’s memory. These session tokens could be replayed back to bypass authentication, and would persist even after the available patches had been applied. CitrixBleed saw mass exploitation after its disclosure, and ransomware groups like LockBit 3.0 and Medusa adopted it.

CVE-2023-2868: Barracuda Email Security Gateway (ESG) Remote Command Injection Vulnerability

CVE-2024-3094: XZ Utils Embedded Malicious Code Vulnerability

Embedded Malicious CodeZero-DayUnknown Threat Actor (Jia Tan)Critical2024Why it’s significant: CVE-2024-3094 is not a traditional vulnerability. It is a CVE assigned for a supply-chain backdoor discovered in XZ Utils, a compression library found in various Linux distributions. Developer Andres Freund discovered the backdoor while investigating SSH performance issues. CVE-2024-3094 highlighted a coordinated supply chain attack by an unknown individual that contributed to the XZ GitHub project for two and a half years, gaining the trust of the developer before introducing the backdoor. The outcome of this supply chain attack could have been worse were it not for Freund’s discovery.

Identifying affected systems

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages:

Tenable Security Response Team

Tenable Security Response Team

The Tenable Security Response Team (SRT) tracks threat and vulnerability intelligence feeds to ensure our research teams can deliver sensor coverage to our products as quickly as possible. The SRT also works to analyze and assess technical details and writes white papers, blogs and additional communications to ensure stakeholders are fully informed of the latest risks and threats. The SRT provides breakdowns for the latest vulnerabilities on the Tenable blog.

Related Articles

  • Exposure Management
  • Vulnerability Management

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose your subscription option:

Thank You

Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose your subscription option:

Thank you

Thank you for your interest in Tenable.io. A representative will be in touch soon.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose your subscription option:

Thank you

Thank you for your interest in Tenable Vulnerability Management. A representative will be in touch soon.

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a sales representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Thank you

Thank you for your interest in Tenable Lumin. A representative will be in touch soon.

Request a demo of Tenable Security Center

Please fill out this form with your contact information.

A sales representative will contact you shortly to schedule a demo.

* Field is required

Request a demo of Tenable OT Security

Get the Operational Technology security you need.

Reduce the risk you don’t.

Request a demo of Tenable Identity Exposure

Continuously detect and respond to Active Directory attacks. No agents. No privileges.

On-prem and in the cloud.

Request a demo of Tenable Cloud Security


Exceptional unified cloud security awaits you!


We’ll show you exactly how Tenable Cloud Security helps you deliver multi-cloud asset discovery, prioritized risk assessments and automated compliance/audit reports.

See
Tenable One
in action

Exposure management for the modern attack surface.

See Tenable Attack Surface Management in action

Know the exposure of every asset on any platform.

Get a demo of Tenable Enclave Security

Please fill out the form with your contact information and a sales representative will contact you shortly to schedule a demo.

Thank You

Thank you for your interest in Tenable Enclave Security. A representative will be in touch soon.

Try Tenable Nessus Professional free

Free for 7 days

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
now available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Try Tenable Nessus Expert free

Free for 7 days.

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Learn How Tenable Helps Achieve SLCGP Cybersecurity Plan Requirements

Tenable solutions help fulfill all SLCGP requirements. Connect with a Tenable representative to learn more.


文章来源: https://www.tenable.com/blog/from-bugs-to-breaches-25-significant-cves-as-mitre-cve-turns-25
如有侵权请联系:admin#unsafe.sh