Joint Advisory AA22-279A and Vulristics
Hello everyone! This episode is about the twenty hot new vulnerabilities listed in the Joint Cybersecurity Advisory (CSA) AA22-279A from CISA, NSA and FBI, and how I analyzed these vulnerabilities using my open source project Vulristics.
Alternative video link (for Russia): https://vk.com/video-149273431_456239105
Americans can’t just release a list of “20 vulnerabilities most commonly exploited in attacks on American organizations.” They like to add geopolitics and point the finger at some country. Therefore, I leave the attack attribution mentioned in the advisory title without comment.
But I like such lists of vulnerabilities for a number of reasons:
- Such lists of vulnerabilities show which CVEs need to be addressed. This is the most obvious. If you notice vulnerabilities from the list in your infrastructure, start fixing them as soon as possible.
- Such lists of vulnerabilities show the software and hardware products that are most important to monitor. This means that your vulnerability scanner must support this software very well. Make sure you can verify that it does.
- Such lists of vulnerabilities show groups of software and hardware products that need to be monitored first. Usually these are products that are available to a wide range of users and are inconvenient to upgrade.
- Such lists of vulnerabilities show the types of vulnerabilities that you need to pay attention to first.
- Such lists of vulnerabilities are relatively compact and can be easily analyzed even manually.
I can’t help but notice that the quality of the advisory is not very high. For example, the vulnerability descriptions were taken verbatim from NVD, including this one:
“Microsoft Exchange Server remote code execution vulnerability. This CVE ID differs from CVE-2021-26412, CVE-2021-26854, CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, and CVE-2021-27078”.
Not very informative, right? This joint advisory was released by three big serious organizations. They could work harder and write a unique text for each of the 20 CVEs. But no one seems to care.
Here is a list of all vulnerabilities from the advisory:
- Apache Log4j CVE-2021-44228 Remote Code Execution
- Pulse Connect Secure CVE-2019-11510 Arbitrary File Read
- GitLab CE/EE CVE-2021-22205 Remote Code Execution
- Atlassian CVE-2022-26134 Remote Code Execution
- Microsoft Exchange CVE-2021-26855 Remote Code Execution
- F5 Big-IP CVE-2020-5902 Remote Code Execution
- VMware vCenter Server CVE-2021-22005 Arbitrary File Upload
- Citrix ADC CVE-2019-19781 Path Traversal
- Cisco Hyperflex CVE-2021-1497 Command Line Execution
- Buffalo WSR CVE-2021-20090 Relative Path Traversal
- Atlassian Confluence Server and Data Center CVE-2021-26084 Remote Code Execution
- Hikvision Webserver CVE-2021-36260 Command Injection
- Sitecore XP CVE-2021-42237 Remote Code Execution
- F5 Big-IP CVE-2022-1388 Remote Code Execution
- Apache CVE-2022-24112 Authentication Bypass by Spoofing
- ZOHO CVE-2021-40539 Remote Code Execution
- Microsoft CVE-2021-26857 Remote Code Execution
- Microsoft CVE-2021-26858 Remote Code Execution
- Microsoft CVE-2021-27065 Remote Code Execution
- Apache HTTP Server CVE-2021-41773 Path Traversal
Of course, I did not deny myself the pleasure of using this list of CVEs as input for my Vulristics vulnerability prioritization tool. Just to see how Vulristics handles it and tweak Vulristics if needed.
Here is the command I used to generate the report:
$ python3.8 vulristics.py --report-type "cve_list" --cve-project-name "AA22-279A" --cve-list-path joint_cves.txt --cve-data-sources "ms,nvd,vulners,attackerkb" --cve-comments-path comments.txt --rewrite-flag "True"
The full report is here: https://avleonov.com/vulristics_reports/aa22-279a_report_with_comments_ext_img.html
Vulnerable Products
If you look at the list of vulnerable software and hardware products, some of them obviously had to be included in this advisory, because lately there have been a lot of publications about how attackers exploit the vulnerabilities in these products:
- Apache HTTP Server
- Apache Log4j2
- GitLab
- Microsoft Exchange
- Confluence Server
- Zoho ManageEngine ADSelfService Plus
- Pulse Connect Secure
The second group of products also had publications about attacks, but these seem to be more niche products that are less commonly perceived as targets by attackers:
- BIG-IP
- Citrix Application Delivery Controller
- VMware vCenter
- Cisco HyperFlex HX
And finally, there are quite exotic products that apparently reflect the specifics of American IT:
- Sitecore Experience Platform (XP)
- Hikvision Web Server
- Apache APISIX
- Buffalo WSR
Criticality of Vulnerabilities
Vulristics has identified all vulnerabilities as vulnerabilities of the highest criticality level (Urgent). Vulristics found public exploits for all vulnerabilities.
At the same time, if you look at CVSS, the picture is this:
All vulnerabilities: 20
Critical: 16
High: 4
Medium: 0
Low: 0
So if you are using CVSS for prioritization, don’t forget about the High level vulnerabilities.
Detected Types of Vulnerabilities
- Remote Code Execution
- Command Injection
- Arbitrary File Reading
- Authentication Bypass
- Path Traversal
As we can see, all of these types are obviously critical except for one, “Path Traversal”:
Path Traversal – Citrix Application Delivery Controller (CVE-2019-19781)
The description of the vulnerability leaves no room for detecting another type:
“An issue was discovered in Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0. They allow Directory Traversal”.
The same type is indicated in the advisory AA22-279A: Citrix ADC CVE-2019-19781 Path Traversal
Only in the description of the exploit can we see that this is in fact RCE: “This tool exploits a directory traversal bug within Citrix ADC (NetScalers) which calls a perl script that is used to append files in an XML format to the victim machine. This in turn allows for remote code execution.”
Well, this is another reminder that we should not do hard filtering by vulnerability type. It’s also not a good idea to trust the description from NVD. The type of vulnerability may change over time, and no one will update the description in NVD.
In some cases, Vulristics can help to more accurately determine the type of vulnerability:
AA22-279A: Apache HTTP Server CVE-2021-41773 Path Traversal
Vulristics: Remote Code Execution – Apache HTTP Server (CVE-2021-41773)
Why? Because we can read in the description: “If CGI scripts are also enabled for these aliased pathes, this could allow for remote code execution.”
But of course Vulristics is not a silver bullet. It is difficult to come up with something here other than manual analysis of publications about vulnerabilities and exploits.
I also cannot help but point out that for some of the vulnerabilities, Vulristics determined the vulnerability type more correctly, in accordance with the description:
AA22-279A: GitLab CE/EE CVE-2021-22205 Remote Code Execution
Vulristics: Command Injection – GitLab (CVE-2021-22205) – Urgent [947]
“… which resulted in a remote command execution.”
AA22-279A: Sitecore XP CVE-2021-42237 Remote Code Execution
Vulristics: Command Injection – Sitecore Experience Platform (XP) (CVE-2021-42237)
“… it is possible to achieve remote command execution on the machine.”
AA22-279A: VMware vCenter Server CVE-2021-22005 Arbitrary File Upload
Vulristics: Remote Code Execution – VMware vCenter (CVE-2021-22005)
“…may exploit this issue to execute code on vCenter Server by uploading a specially crafted file.”
AA22-279A: F5 Big-IP CVE-2022-1388 Remote Code Execution
Vulristics: Authentication Bypass – BIG-IP (CVE-2022-1388)
“… undisclosed requests may bypass iControl REST authentication”
AA22-279A: Apache HTTP Server CVE-2021-41773 Path Traversal
Vulristics: Remote Code Execution – Apache HTTP Server (CVE-2021-41773)
“… this could allow for remote code execution.”
AA22-279A: Apache CVE-2022-24112 Authentication Bypass by Spoofing
Vulristics: Remote Code Execution – Apache APISIX (CVE-2022-24112)
“… is vulnerable to remote code execution.”
AA22-279A: Buffalo WSR CVE-2021-20090 Relative Path Traversal
Vulristics: Authentication Bypass – Buffalo WSR (CVE-2021-20090)
“… allow unauthenticated remote attackers to bypass authentication.”
Therefore, do not rush to trust the vulnerability type given in the CISA Known Exploited Vulnerabilities Catalog, and keep this in mind when prioritizing vulnerabilities.
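The following added example (not Vulristics' own code; the rules, their severity order and the sample data are assumptions) shows a description-driven type detector of the kind discussed in this section. It ranks types by severity and can take the exploit description as a second source, so the Citrix case comes out as Path Traversal from the NVD text alone and as Remote Code Execution once the exploit text is added:

```python
import re

# Types ordered from most to least severe; the first matching rule wins, so text
# that mentions both a traversal and code execution is reported as RCE. Rules assumed.
TYPE_RULES = [
    ("Remote Code Execution", r"remote code execution|execute (?:arbitrary )?code"),
    ("Command Injection", r"remote command execution|command injection"),
    ("Authentication Bypass", r"bypass(?:es|ing)? (?:\w+ )*authentication"),
    ("Arbitrary File Upload", r"upload(?:ing)? an? (?:specially crafted|arbitrary) files?"),
    ("Path Traversal", r"directory traversal|path traversal"),
]

def detect_type(*texts):
    """Return the most severe type whose pattern matches any of the given texts."""
    blob = " ".join(texts).lower()
    for vuln_type, pattern in TYPE_RULES:
        if re.search(pattern, blob):
            return vuln_type
    return "Unknown"

# Constructed sample: advisory type plus the description fragments quoted above.
SAMPLE = {
    "CVE-2019-19781": ("Path Traversal", "An issue was discovered in Citrix "
        "Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, "
        "12.1, and 13.0. They allow Directory Traversal"),
    "CVE-2021-41773": ("Path Traversal", "If CGI scripts are also enabled for "
        "these aliased pathes, this could allow for remote code execution."),
    "CVE-2021-22205": ("Remote Code Execution",
        "... which resulted in a remote command execution."),
    "CVE-2022-1388": ("Remote Code Execution",
        "... undisclosed requests may bypass iControl REST authentication"),
    "CVE-2021-22005": ("Arbitrary File Upload", "...may exploit this issue to "
        "execute code on vCenter Server by uploading a specially crafted file."),
}

# Exploit description quoted above: a second source the NVD text alone lacks.
CITRIX_EXPLOIT_TEXT = ("This tool exploits a directory traversal bug within Citrix "
                       "ADC (NetScalers) ... This in turn allows for remote code execution.")

def type_mismatches(entries, extra_sources=None):
    """Map each CVE whose detected type differs from the advisory's to both types."""
    extra_sources = extra_sources or {}
    result = {}
    for cve, (advisory_type, description) in entries.items():
        detected = detect_type(description, *extra_sources.get(cve, []))
        if detected != advisory_type:
            result[cve] = (advisory_type, detected)
    return result
```

Calling type_mismatches(SAMPLE) reports the four disagreements listed above, and passing {"CVE-2019-19781": [CITRIX_EXPLOIT_TEXT]} as extra_sources upgrades the Citrix entry to Remote Code Execution.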
Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.
And I invite all Russian speakers to one more Telegram channel, @avleonovrus, which is now the first place I write to.