October 28, 2021
You have one or several digital services that can be reached from anywhere over the Internet. You might have as well one or more wireless devices allowing employees to access corporate services and visitors to access resources on the Internet. These are just two examples of how information technology enables organizations to run their operations broadly. In either case, there is something essential to do daily: checking whether the software components allowing users to do their work are updated and free of vulnerabilities.
Recently, the alert AA21-209A was published on the Cybersecurity & Infrastructure Security Agency (CISA) website, coauthored by this organization and other American, Australian, and British agencies. The message is simple: there are a bunch of known vulnerabilities that are being routinely exploited.
In that document, you can find the details of these vulnerabilities affecting the software of many world-renowned vendors like Microsoft, VMware, and Fortinet, to name a few. Want to prevent a hack or data breach? Have a look at the list, and make sure you have addressed these CVEs. But, don’t stop there: make sure your organization has a process to continuously check whether your software, especially the components that can be reached from the Internet or by visitors or intruders in your corporate network, is free from known vulnerabilities.
Types of these often-exploited vulnerabilities
In our work with many organizations, we routinely find software components that are vulnerable to known exploits. We always provide our customers with the information to address these weaknesses over the systems they entrust us for hacking. This is the main reason we wrote this piece: aligned with the alert, we have evidence that organizations may be more exposed than they think with the outdated software they might have, but this is something they fail to address quickly.
Figure 1. Top Routinely Exploited CVEs in 2020 (Source: Alert AA21-209A - Top Routinely Exploited Vulnerabilities).
What are these exposures? Let’s make a summary of what is in the alert document.
Path traversal (see
Fluid AttacksDocumentation: Path Traversal). In short, a software component can be hacked if it allows accessing files that are not supposed to be accessed. By using strings like
../(a string used as a command to navigate across folders in an operative system), attackers can bypass the boundaries of the software and gain access to sensitive information or functionalities.
Remote code execution (see
Fluid AttacksDocumentation: RCE). This weakness allows, literally, the execution of code remotely. If a software component is vulnerable to this sort of flaw, unexpected actions can be triggered by an internal or external attacker.
Elevation of privileges (see
Fluid AttacksDocumentation: privilege escalation). Usually, a wrong configuration enables users to assign themselves somehow rights they shouldn’t have. For instance, a bank sales representative might leverage this flaw to give more resources or authorizations than they should in their role.
Think of any of these weaknesses; they could be present in your IT assets at some point. It might take just one of these to gain access to a corporate network and, for instance, silently leak confidential data. Also, it is not very difficult to think about a ransomware attack.
Closing these "invisible" doors could make a significant contribution in managing operational and organizational risk. The steps that can be taken to prevent the abuse of IT assets from these vulnerabilities could save a lot of effort and money for organizations. Furthermore, these steps would preserve the goodwill of their brands.
Cybersecurity is a process and should be layered
Why is it essential to have continuous checks? Because cybersecurity is not an end, and threats are evolving so fast that everything is becoming more digital and software-mediated. Have a look at the MIT Technology Review article "2021 has broken the record for zero-day hacking attacks." These numbers are worrisome, and we should ask ourselves how many vulnerabilities are out there silently harming. Organizations need to focus on what they can have control of and do it quickly.
Also, organizations must bear in mind that cybersecurity is not concentrated in one or two places. Quite the opposite: cybersecurity is distributed or layered. Although we have emphasized outdated software here, other IT and business environment components should also be addressed as attack surfaces. For example, there are cases in which one information resource is, by omission, published on the Internet, and only that allows an attacker to gain access to a supposedly protected network. Layered cybersecurity is critical to ensure availability is preserved, as well as integrity and confidentiality. Companies must check whether different layers of protection are fully working.
Companies can have comprehensive support in this endeavor from other expert organizations across all of their IT assets or cover at least the most critical ones. This is usually more efficient and desirable, as the independence of the third party ensures the disclosure of all flaws for the betterment of the organization.
What can Fluid Attacks do for you?
Fluid Attacks focuses on attacking systems
continuously for proactive
defense. Our tests are performed constantly, considering the changes
made in the source code, the deployed applications, and the
We aim to find all vulnerabilities that exist across the software development lifecycle. Yes, we can start checking for vulnerabilities right away when you have just begun developing your software. We employ several techniques like static code review, looking for coding practices that inject vulnerabilities, and dynamic penetration testing over deployed applications and infrastructure. In this last scenario, the interaction between infrastructure and application might lead to other vulnerabilities not visible in the source code. Thus, it is a comprehensive approach.
Organizations of all sizes can benefit from our approach by precisely doing what we suggest in this article: closing the "invisible doors." Our mission is to point out to our customers where these doors are and provide them with the information to close them effectively. We also run tests to check whether fixes have been successful.
We hope you have enjoyed this post. Let us know what you think, and reach out to us if you want to know more about our solutions.
Recommended blog posts
You might be interested in the following related posts.
Get an overview of vulnerability assessment
Benefits of continuous over point-in-time pentesting
For which security standards is pentesting a must-have?
Pentesting is a system-agnostic approach to security
Injecting JS into one site is harmful, into all, lethal
Differences between these security testing approaches
Our CLI is an approved AST tool to secure cloud apps
How BAS solutions work, their importance and benefits