Fourteen CVEs posed widespread threats to organizations in 2020 and are likely to stalk unpatched systems well into 2021. The impact of successful exploitation for each of these vulnerabilities is high; most allow for remote code execution (RCE) at a minimum, but several allow unauthenticated, remote attackers to take over infrastructure or gain access to internal networks through exploitation of vulnerable internet-facing systems or interfaces. It’s worth noting that two of the entries in this category—Zoho ManageEngine CVE-2020-10189 and vBulletin CVE-2020-17496—were released into the wild as zero-days with stable exploit code before the vendors made patches available.

2020 opened with widespread exploitation of Citrix NetScaler and Telerik UI. Zoho ManageEngine and SaltStack Salt followed suit in the spring, while the second half of the year was punctuated by internet-scale exploitation of severe vulnerabilities in F5 BIG-IP, Microsoft NetLogon Remote Protocol, and Oracle WebLogic Server. The combination of an authentication bypass and a remote code execution flaw in MobileIron’s Mobile Device Management (MDM) solution also offered a glimpse at how mobile device management software may prove a potent attack vector in the future, even after the remote workforce has begun to transition back to the office. 

There are three outliers in this group that merit closer inspection. The first is CVE-2020-0796, or “SMBGhost,” a remote code execution vulnerability in Microsoft’s Server Message Block (SMB) 3.1.1 protocol that the company inadvertently published in their March 2020 Patch Tuesday advisory before a patch had been released. An out-of-band security update came within 24 hours of the slip, but not before the security community had likened the flaw to MS17-010, the SMB vulnerability suite exploited as part of the 2017 WannaCry and NotPetya attacks that cost global organizations hundreds of millions of dollars.

Network defenders feared the vulnerability would be widely exploited and wormed, but no worms have materialized, at least thus far. In fact, while public proof-of-concept code and an errant botnet took aim at SMBGhost, it’s a bit difficult to argue that the exploits fully arrived, either: Modern memory protections meant that even though a few local exploits made their way to market, remote code execution remains nontrivial (mass migration to remote work may actually have helped limit the vuln’s impact). Even the Lemon_Duck botnet appeared to give up on its SMBGhost exploit module after a trial run. We’ve included CVE-2020-0796 in our list of widespread threats for the sake of methodological consistency, but it’s an exception instead of the rule. 

Another exception is CVE-2020-3452, a read-only path traversal flaw in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) products that allowed remote attackers to enumerate files on target devices. The anomaly here is value rather than exploitability—although a PoC was quickly published and, to quote Microsoft’s Kevin Beaumont, “mass spammed across [the] internet,” exploitation offered attackers no useful access at all. CVE-2020-3452 is also the only vulnerability from among our sample of widespread threats for which Metasploit opted not to prioritize an exploit. 

Finally, if there were a 2020 Microsoft vulnerability that rivaled MS17-010 for severity and catastrophic impact to networked systems, the title would go to “Zerologon” (CVE-2020-1472), a cryptographic flaw in Microsoft’s Netlogon Remote Protocol (MS-NRPC) that allows attackers to bypass authentication and compromise Windows Servers running as domain controllers, paving the way for complete takeover of Active Directory domains. The rare CVSS-10 privilege escalation vulnerability in Microsoft’s August 2020 Patch Tuesday release raised eyebrows, but the advisory was characteristically sparse. Details remained thin until Secura researchers released in-depth analysis mid-September, which was followed by rampant exploitation.

Both Zerologon and the MS17-010 suite of vulnerabilities gave attackers trivially exploitable paths for lateral movement that lend themselves well to ransomware campaigns (including ransomworms). Unlike the 2017 CVEs, which provided for both remote and local code execution, successful exploitation of Zerologon requires network access to a domain controller—in other words, an attacker would need either an internet-exposed domain controller or some type of initial access to the network (e.g., a network pivot). 2020’s threat list included quite a few potential network pivots; we’ll come back to this later on.

With actively exploited vulnerabilities out of the way, we can turn our attention to some of 2020’s notable impending threats. As a brief reminder, an impending threat occurs when two elements of the threat triangle are present, but not all three. Since this paper centers on vulnerabilities, the opportunity element is present by default. The impending threats we present in this section include either a capability (i.e., a mature exploit) or a proxy for measurable intent. Quite a few of the vulnerabilities we’ve classified as targeted threats would have stayed in the impending threat category without the NSA’s Q4 2020 bulletins on flaws exploited by state-sponsored actors.

Note: Several of the vulnerabilities in this group have public proof-of-concept (PoC) code available, but for the purposes of this paper, we consider public PoC to be similar to technical details in that it may enable others to build successful exploit chains or improve upon attack techniques, but it isn’t the same as mature code. Proof-of-concept code often has a way to go before it becomes a fully weaponized and documented exploit, if it makes it that far at all. As Marie Antoinette famously pointed out,

The “exploit available” references in this table all represent Metasploit modules that have been developed and tested for compatibility across a range of platforms. Metasploit is not the only toolkit we consider to be mature as far as capability goes—the Zerologon exploit built on Impacket, for instance, would have met the “exploit available” bar even before it was ported to Metasploit Framework. In the same vein, “high-value target” is a subjective term, though a common-sense one given the broad popularity of the products we’ve listed. “Technical details widely available” denotes in-depth, public information on identifying, triggering, and (frequently) exploiting the vulnerability in question. Technical details commonly include proof-of-concept code or demonstrations.

When a vulnerability occurs in a product with demonstrable value to attackers and a recent history of exploitation, it stands to reason that the intent component of the threat triangle is present even if there’s not yet evidence of successful in-the-wild exploitation. There might be no better example of this principle than Microsoft Exchange and SharePoint vulnerabilities, three of which are notable impending threats (SharePoint CVE-2020-16952, and Exchange CVEs 2020-16875 and 2020-17132). Both products have remained consistently attractive targets for zero-day research, exploit development, and in-the-wild attacks over the years, which is no surprise given that vulnerabilities in Exchange and SharePoint environments can facilitate full compromises of Active Directory.

Unfortunately, patch rates continue to lag, as seen in the following data:

A few other CVEs in this group are worth highlighting for their value to would-be attackers: HP Device Manager CVE-2020-6926 and VMware vCenter Server CVE-2020-3952 are severe vulnerabilities in management software for Windows thin clients and virtualization infrastructure, respectively. Exploitation of these vulns gives an attacker broad access to not only the target software itself, but also all the downstream assets managed by that software. SaltStack Salt CVEs 2020-16846 and 2020-25592 are also severe vulnerabilities that, when chained, offer unauthenticated, remote attackers the opportunity to gain root access to the target system and fully compromise networked infrastructure. Finally, lest we forget that Cisco’s Jabber instant messaging platform is still in use, CVE-2020-3495 presents local attackers with half of a simple attack chain that can be used to worm corporate networks.

When getting to know a new vulnerability, the first thing our research teams look for is an understanding of root cause and what an attacker might use the bug to achieve. Vulnerabilities arise from hundreds of conditions spanning all layers of the stack—from application programming errors to cryptographic implementations to hardware bugs and beyond. Likewise, the potential impact of any given vulnerability can vary widely based on implementation, security controls, and the sensitivity of the data or permissions an attacker can obtain as a result of exploitation. (To use an example from our own data, a remote file disclosure vulnerability might yield as little as benign source code files or as much as sensitive account credentials.)

As you may have noticed by now, we’ve characterized the vulnerabilities in our report dataset by their attacker utility and vulnerability class in addition to separating them by threat status. Attacker utility describes what an attacker can hope to gain as a result of successful exploitation—this often maps to a part of an exploit chain—while vulnerability class is an umbrella term that encompasses both root cause and the type of high-level technique that might trigger it.

We’ve defined four vulnerability classes—improper access control, memory corruption, injection, and deserialization—that are useful for making initial assessments of readily available attacker tooling and forming high-level hypotheses on relative exploitability. Injection attacks, for instance, use specially crafted input and techniques (e.g., SQL injection, operating system command injection) to compromise data integrity or run arbitrary code as a high-privileged user. These attacks tend to be stable and reliable, which makes them less likely to knock over systems than, say, attacks leveraging memory corruption flaws. Deserialization vulnerabilities come with a reputation for high exploitability and have a wealth of off-the-shelf tools with which to build exploit chains. And improper access control flaws—the vulnerability class most represented in both our dataset overall and in the widespread threats we’ve included—run the gamut from complex weaponization requirements to trivial exploitability using curl. 

Improper access control vulnerabilities in particular posed a consistent threat to corporate networks, allowing attackers to bypass authentication (if it existed at all), execute code, add administrative users, and write files to disk. These flaws consistently blurred the line between vulnerability management and incident response and accounted for many of 2020’s compromise investigations.

The second type of metadata our researchers define when analyzing emergent threats answers the question, “As an attacker, what does this vulnerability get me?” Remote code execution is how vendors and CVE numbering authorities (CNAs) frequently describe high-impact vulnerabilities, but in some cases, that description downplays the ways that severe CVEs can be used to further compromise a network.

Unsurprisingly, vulnerabilities that provide attackers with remote code execution opportunities—i.e., the ability to execute a payload on a target system—are the most represented type of utility across the 50 CVEs we analyzed, at nearly 50% of the total dataset. Local code execution features much less prominently, which is also hardly surprising since it’s much easier to launch internet-scale attacks from, well, the internet. We’ve already discussed the attractiveness of vulnerabilities that allow attackers to compromise entire swaths of network infrastructure (e.g., virtualization or automation infrastructure) instead of just a single target. 

One of the best examples of this is CVE-2019-11510, a remote, unauthenticated arbitrary file read vulnerability in Pulse Secure VPNs whose exploitation disclosed sensitive information like passwords and private keys. That information gave attackers what they needed to execute commands as root on vulnerable VPN servers. (GitLab CVE-2020-10977 provides another more recent example!)

All of this brings us to our final attacker utility type—one that played such a major role in 2020’s threat landscape that it deserves a section all its own.

As many security practitioners who have experienced the transition into a post-WannaCry world can attest, MS17-010 and the ETERNALBLUE-based attacks of 2017 created a new paradigm for how the information security industry reacts to vulnerabilities in Windows network protocols like SMB and RDP (Remote Desktop Protocol). Patch Tuesday protocol CVEs instill dread in network security teams, and the infosec zeitgeist is quick to christen protocol vulnerabilities with a variety of “Blue”- and “Bleed”-related nicknames while security news keeps the term “wormable” fresh in our minds. None of it is unfair, unwarranted, or technically incorrect...and yet. 

2020 security headlines trumpeted at least four wormable vulnerabilities in Windows networking protocols, as well as a smattering of others across major vendors. Despite the notoriety these bugs commanded, the prophesied worms failed to materialize, and with the exception of “SMBGhost” (as mentioned earlier, even this distinction is dubious), not one has seen exploitation at scale. Why? 

Most any vulnerability can be exploited given sufficient skill, opportunity, and motivation. But certain bugs are much more difficult to trigger and weaponize reliably. We’re speaking, of course, of memory corruption vulnerabilities, the wild child of the vulnerability research world and the target of famous exploits like ETERNALBLUE and (to a much lesser extent) BlueKeep. Memory corruption is a large category of vulnerabilities that involves the misuse of data to alter memory and cause unexpected behavior. The overarching memory corruption category also contains more granular vulnerability types like stack and heap buffer overflows, type confusion, and use-after-free (UAFs).

When exploited successfully, memory corruption vulnerabilities can result in arbitrary code execution, or else in unhandled exceptions that cause an application to crash, triggering a denial of service (DoS) condition. The former is more frequently seen in local attacks, while the latter figures more prominently in remote attacks against internet-accessible targets. In recent years, broad adoption of safeguards has significantly complicated exploitation of memory corruption vulnerabilities. As a result, developing successful attacks takes skill and often requires manual secondary reconnaissance (e.g., finding a heap or kernel memory leak to execute an exploit successfully), which limits utility at scale. Even when a memory corruption exploit is successful at scale—i.e., ETERNALBLUE—reliability is likely to remain a challenge. 

On the other hand, exploits written for memory corruption vulns have a few compelling advantages over easier-to-develop attacks. Arbitrary code execution within a process or other memory space conceals malicious code better and leaves fewer artifacts (e.g., touching disk, spawning new processes), which translates to better operational security for malicious actors. These types of vulnerabilities are also likely to be present in targets straight out of the box, frequently in base-level functionality that doesn’t require authentication or separate installation. Take October’s “Bad Neighbor” vulnerability (CVE-2020-16898), for example: The CVE affected all versions of Windows by default without needing to account for configuration—uniform attack surface area even if exploitation is finickier. 

But even in the absence of public tooling, it would be surprising—to the point of near impossibility—if fully weaponized exploits for these types of bugs weren’t developed privately.

State-sponsored actors and other sophisticated attackers typically aren’t resource-constrained the way in-house researchers at security firms or other corporate environments are. Neither, to a lesser degree, are vulnerability developers who sell zero-day exploits to the highest bidder—either directly or through brokers who act as a black box for both sides of the transaction. With that in mind, it’s understandable that a number of 2020’s memory corruption vulnerabilities saw exploitation by state-sponsored actors, whether they were disclosed as zero-days or included in intelligence agency communications about foreign adversary operations months after their release. Oracle Solaris CVE-2020-14871 and Windows kernel CVE-2020-0986 both fit the former description, while SigRed (CVE-2020-1350) and Cisco IOS XR CVE-2020-3118 fit the latter. The IOS XR vulnerability is a fantastic example of a bug that is entirely impractical at scale—successful exploitation requires an attacker to be on the local area network, directly attached to the vulnerable switch—but is evidently a bit more useful to state-sponsored threat actors.

We will see more of these types of bugs in 2021; we may even see more high-severity memory corruption bugs in Windows network protocols. While we share the security community’s concern in many of these cases, “patch but don’t panic” remains a good mantra to live by.

Threats to operational technology environments today include common and targeted ransomware along with targeted campaigns like Trisis or the 2015 attack on the Ukrainian power grid. In 2020, OT and IoT vendors also found themselves responding to a variety of vulnerabilities in common low-level software libraries—namely, common TCP/IP libraries shared by many vendors and products. These groups of CVEs, named Ripple20 and Amnesia:33, pose a challenge to both vendors tasked with developing fixes and OT organizations tasked with reducing risk. Vendor and supply chain fragmentation means that very often, millions of devices are affected by these CVEs, and the full list of vulnerable products and vendors may be populated over the course of months or years. 

Whenever there are new vulnerabilities in shared libraries, the level of exploitability varies from device to device; as you might imagine, this creates quite a lot of confusion and adds another layer of complexity to the already complex industrial vulnerabilities space. Earlier this year, SCADAfence researchers tested one of the more severe Ripple20 vulnerabilities in our lab. CVE-2020-11898 has a CVSS score of 9.1 (critical) and can potentially allow remote attackers to read sensitive information. After testing on multiple devices that were reported vulnerable by their vendors, we found the vulnerability to be non-exploitable.

SCADAfence researchers also tested the exploitability of several of the more serious Amnesia:33 vulnerabilities and determined that exploitation was extremely unlikely outside of specific, tailor-made attack scenarios, since implementations vary from device to device. Furthermore, of the four remote code execution vulnerabilities released as part of the Amnesia:33 research, three of them reside in the way DNS domain names are encoded and the way DNS response packets are processed; another arises from the way IPv6 ICMP echo packets are processed. Why is this relevant? Because compared to other industries, it’s much less common for OT environments to use DNS over hard-coded IP addresses, and most devices these days—especially OT networks—use IPv4 over IPv6. 

There were, however, several vulnerabilities published in 2020 that do pose an active threat to OT environments and industrial organizations. Perhaps the most important set of 2020 vulnerabilities are CVE-2020-7486 and CVE-2020-7491, both of which affect Schneider Electric Triconex SIS devices. SIS (Safety Instrumented Systems) are critical process controls used to prevent disasters, like fires or explosions, in industrial environments. In July 2020, CISA in the U.S. warned that these vulnerabilities could be exploited remotely and with little skill. The same day, CISA and the NSA issued a joint alert recommending immediate actions to reduce exposure across OT and control systems.

The tried-and-true pieces of guidance in this section have impeded exploitation for many of the vulnerabilities in this report and aided defenders in more quickly identifying signs of compromise or suspicious activity. We recognize that advice is rarely one-size-fits-all, and that security program maturity varies widely even among organizations of the same size, industry, and market cap. Nevertheless, the following suggestions encapsulate learnings that will apply to future threats as well as the specific risks highlighted in this paper:

• Patch early and as often as possible, even when widespread exploitation isn’t seen.

When severe vulnerabilities are exploited within hours or days of publication, patching should be performed on an emergency basis, if possible. It is also wise to monitor for suspicious behavior and events in addition to fine-tuning intrusion detection and prevention systems. Relying on common rules and signatures alone is inadvisable during critical situations, as attackers routinely find ways to evade them. F5 BIG-IP CVE-2020-5902 is a fine example of this.

Several of the highest-severity vulnerabilities in this report weren’t widely exploited until weeks or months after their publication (e.g., Zerologon, SMBghost, Microsoft Exchange Server CVE-2020-0688). Wherever possible, implementing a 30-day patch cycle will help protect against attacks with a longer tail, especially from commodity attackers who operate on economies of scale (e.g., botnet operators, ransomware campaigns, your everyday script kiddies, and so on).

• Defense in depth is a more effective strategy than patching alone.
  
  Skilled attackers are resourceful and, at times, utterly opportunistic. They can and will use any tool—any technique, any weakness, any piece of information—to build successful attack chains. Patches are not always effective, either, as evidenced by CVE-2020-14882 and CVE-2020-16875, which saw repeated patch bypasses.
  
  Additionally, many of the CVEs treated individually in this report can be used in concert with one or more additional vulnerabilities to achieve something beyond the scope of a single CVE’s impact. Defenders can get ahead of future attacks by taking care not to treat individual vulnerabilities as if they existed in a vacuum, but instead choosing to implement controls and detection mechanisms across the whole of their environment.

Finally, ensuring that (preferably aggregated) logging is set up across networks and hosts will save some time during active threat events. There are several community-driven signature repositories and low-cost (or free!) rulesets that can give defenders at least basic visibility into potential intrusions in their environments, along with a plethora of commercial solutions. Knowing ahead of time what kind of visibility defenders have into suspicious events will drive faster and more effective response during critical situations.

• Keep an up-to-date inventory list that emphasizes assets or products that sit on the perimeter and/or may be used as pivot points for external attackers to gain access to the internal network.

Understanding attack surface area and critical network entry points saves time when severe vulnerabilities surface in internet-facing technologies. Pay particular attention to security gateway products such as VPNs and firewalls, as well as anything else that’s exposed by common practice or necessity. CVE-2019-19781 and CVE-2020-0688 are noteworthy examples.

Management and administrative interfaces should never be exposed to the public internet. The same goes for domain controllers and any other assets that organizations would not want an external attacker to be able to probe, such as IoT devices unwittingly exposed online. Audit internet-exposed attack surface area regularly, including via external penetration tests, if possible. 

At Rapid7, we believe that research-driven context on vulnerabilities and emergent threats is critical to building forward-looking security programs and advancing community knowledge. Security and IT teams face mounting challenges in a heightened threat climate, and we are committed to partnering with those teams to foster deeper understanding of defense-in-depth strategies that will strengthen organizations’ security posture both now and in the future. 

For more information on the vulnerabilities featured in this report, and for Rapid7 and community analysis of new vulnerabilities and threats, keep an eye on AttackerKB. If you wish to follow updates on specific CVEs or add assessments of your own, you can create an account using GitHub.

CVEs featured in this report are from 2020 with two exceptions: Telerik UI CVE-2019-18935 and Citrix NetScaler ADC/Gateway CVE-2019-19781, both of which were published late in 2019 and saw sustained exploitation throughout 2020. 

Since the trustworthiness of our data is important, we cite primary sources wherever possible for vulnerabilities we’ve listed as exploited in the wild—that is, we reference firsthand accounts of exploitation from the organizations or individuals who detected, verified, and reported them. Examples of primary sources referenced throughout this paper include U.S. intelligence agency alerts of advanced persistent threat (APT) exploitation; security firm analyses of threats and IOCs they’ve tracked during incident response or other investigations; and vendor advisories that specify exploitation in the wild (this includes CVEs that are disclosed as zero-days). In the interest of readability, when firsthand reports of exploitation are disparate and varied, we will occasionally cite an article in a security news publication that aggregates those accounts.

The CVEs we have categorized as exploited in the wild in this report are not the only vulnerabilities actively exploited during the 2020 calendar year. For example, we have excluded a number of other exploited bugs in Internet Explorer, Chrome, and Firefox. Google Project Zero has a spreadsheet of some other zero-days exploited in the wild in 2020 here.