From 33% to 69% … Does it Matter?
Check out John’s hot-take video for his additional thoughts.
In July 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Centre (ACSC), the United Kingdom's National Cyber Security Centre (NCSC), and the U.S. Federal Bureau of Investigation (FBI) issued a joint advisory on routinely exploited vulnerabilities. The advisory lists the top CVEs exploited in 2020 and, so far, in 2021. Of the 12 CVEs listed for 2020, 4 were clearly in device firmware (network appliances such as VPN gateways and load balancers). Of the 16 CVEs listed for 2021, 11 were, a pattern of increasing attacker attention on device firmware.
Top Routinely Exploited CVEs in 2020 (emphasis added; rows marked * are the four device-firmware CVEs counted above)

Vendor | CVE | Type |
--- | --- | --- |
Citrix * | CVE-2019-19781 | arbitrary code execution |
Pulse Secure * | CVE-2019-11510 | arbitrary file reading |
Fortinet * | CVE-2018-13379 | path traversal |
F5 BIG-IP * | CVE-2020-5902 | remote code execution (RCE) |
MobileIron | CVE-2020-15505 | RCE |
Microsoft | CVE-2017-11882 | RCE |
Atlassian | CVE-2019-11580 | RCE |
Drupal | CVE-2018-7600 | RCE |
Telerik | CVE-2019-18935 | RCE |
Microsoft | CVE-2019-0604 | RCE |
Microsoft | CVE-2020-0787 | elevation of privilege |
Microsoft | CVE-2020-1472 | elevation of privilege |
Top Routinely Exploited CVEs in 2021 (emphasis added; rows marked * are the eleven device-firmware CVEs counted above)

Vendor | CVEs | Notes |
--- | --- | --- |
Microsoft Exchange | CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 | See CISA's Alert: Mitigate Microsoft Exchange Server Vulnerabilities for more information on identifying and mitigating malicious activity concerning these vulnerabilities. |
Pulse Secure * | CVE-2021-22893, CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900 | See CISA's Alert: Exploitation of Pulse Connect Secure Vulnerabilities for more information on how to investigate and mitigate this malicious activity. |
Accellion * | CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104 | See the Australia-New Zealand-Singapore-UK-U.S. Joint Cybersecurity Advisory: Exploitation of Accellion File Transfer Appliance for technical details and mitigations. |
VMware | CVE-2021-21985 | See CISA's Current Activity: Unpatched VMware vCenter Software for more information and guidance. |
Fortinet * | CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 | See the CISA-FBI Joint Cybersecurity Advisory: APT Actors Exploit Vulnerabilities to Gain Initial Access for Future Attacks for more details and mitigations. |
On the face of it, a jump from 33% of the routinely exploited vulnerabilities living in firmware in 2020 to 69% in 2021 looks like a significant shift. Two annual lists are a thin sample, and the ratio depends on counting individual CVEs rather than products (by product, the 2021 list is 3 of 5), so the fair question is: is it a trend?
Additional data points line up with it. The National Vulnerability Database shows a 6x increase in firmware-centered VPN vulnerabilities over the last 5 years, and firmware vulnerabilities in Accellion, Pulse Secure and Juniper products have been actively attacked. It seems safe to call it a trend, and it is one security teams should begin to address.
What can you do about this?
Most of the 2021 CVEs were disclosed in 2021 itself, leaving little time to prepare and stage changes. Critical disclosures and emergency updates also tend to land on weekends and holidays, when fewer people and less time are available for robust testing and rollout. These aspects of the problem are outside the control of defenders, but the story doesn't end there.
The current paradigm of Zero Trust Architecture slowly moves organizations toward better preparedness by continuously verifying the user, the device, and the session. Moving from a model of trusted internal systems to one of fully untrusted (but verified) systems is not easy, but the steps follow a theme: identify, verify, fortify.
Identify
The infosec meme community has it right on this one. Integrating access control and monitoring with a given piece of equipment starts with knowing that the device exists, what firmware it runs, and where to look for its patches. The right tools make this possible, but the work comes down to having answers to simple inventory questions: which devices do we have, who owns them, and what version is each one running?
Verify
The premise of Zero Trust is well stated in the Department of Defense Zero Trust Reference Architecture: "The foundational tenet of the Zero Trust Model is that no actor, system, network, or service operating outside or within the security perimeter is trusted. Instead, we must verify anything and everything attempting to establish access. It is a dramatic paradigm shift in philosophy of how we secure our infrastructure, networks, and data, from verify once at the perimeter to continual verification of each user, device, application, and transaction."
It may be difficult to work out how to verify some equipment, but the basic rule does not change. Given an inventory, personnel have a place to start. The next piece is a strategy for managing the complexity of that inventory and for learning the expected behavior of each user, device, and session. Monitoring can then focus on a tractable problem and raise useful alerts on unexpected activity.
Fortify
With all the focus on vulnerabilities and updates, it may seem odd to put this last, but good configuration baselines and patching processes must stand on the identify and verify steps. Because recently disclosed attacks create pressure for urgent patching, continuous verification does double duty: it indicates whether you are already a victim, and it provides a quick check for correct and normal operation after emergency patching.
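To make the three steps concrete, here is an added example that is not code from the original post or from Eclypsium. It walks one constructed device through identify (match the inventory against the vendors on the advisory's 2021 table), verify (record a per-component firmware hash baseline) and fortify (re-check after an emergency patch, distinguishing the expected change from an unexpected one). The firmware components are fabricated byte strings standing in for real images, the vendor-to-CVE map is built from the 2021 table above, and the "vendor-published hash" for the patched image is an assumption; on real hardware the component images would come from the vendor's or a firmware-analysis tool's export.

```python
import hashlib
from dataclasses import dataclass

# Vendor -> CVE IDs, taken from the advisory's 2021 table above (the IDs are on
# the page; treating vendor name as the inventory join key is this example's assumption).
ADVISORY_2021 = {
    "Pulse Secure": ["CVE-2021-22893", "CVE-2021-22894", "CVE-2021-22899", "CVE-2021-22900"],
    "Accellion": ["CVE-2021-27101", "CVE-2021-27102", "CVE-2021-27103", "CVE-2021-27104"],
    "Fortinet": ["CVE-2018-13379", "CVE-2020-12812", "CVE-2019-5591"],
}


@dataclass
class Device:
    hostname: str
    vendor: str
    components: dict  # component name -> firmware image bytes (constructed stand-ins)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Identify: which inventoried devices carry a vendor on the routinely-exploited list?
def devices_to_review(inventory, advisory=ADVISORY_2021):
    return {d.hostname: advisory[d.vendor] for d in inventory if d.vendor in advisory}


# Verify: record a per-component hash baseline while the device is believed known-good.
def build_baseline(device):
    return {name: sha256_hex(blob) for name, blob in device.components.items()}


# Fortify: after an emergency patch, re-check every component against the baseline.
# A change that matches the vendor's published hash for the update is "patched";
# any other change is "unexpected" and must be investigated before the device is trusted.
def verify(device, baseline, expected_updates=None):
    expected_updates = expected_updates or {}
    current = build_baseline(device)
    result = {}
    for name, old_hash in baseline.items():
        new_hash = current.get(name)
        if new_hash is None:
            result[name] = "missing"
        elif new_hash == old_hash:
            result[name] = "ok"
        elif expected_updates.get(name) == new_hash:
            result[name] = "patched"
        else:
            result[name] = "unexpected"
    for name in current:
        if name not in baseline:
            result[name] = "new"
    return result


def demo():
    # Constructed device: a VPN appliance with three fabricated firmware components.
    vpn = Device("vpn-edge-01", "Pulse Secure",
                 {"bootloader": b"BOOT v1", "kernel": b"KERN 9.1", "webui": b"WEBUI 9.1r11"})
    baseline = build_baseline(vpn)

    # Emergency patch replaces the web UI; the vendor publishes the hash of the new image.
    patched_webui = b"WEBUI 9.1r11.4"
    vpn.components["webui"] = patched_webui
    # Meanwhile something else altered the kernel image: the kind of change
    # continuous verification exists to surface.
    vpn.components["kernel"] = b"KERN 9.1 + unknown modification"

    return verify(vpn, baseline, {"webui": sha256_hex(patched_webui)})


if __name__ == "__main__":
    inventory = [Device("vpn-edge-01", "Pulse Secure", {}), Device("fileshare-02", "ExampleVendor", {})]
    print("review:", devices_to_review(inventory))
    for name, state in demo().items():
        print(f"{name:12} {state}")
```

The point of the `patched` versus `unexpected` split is the double duty described above: the same check that confirms the emergency update landed as the vendor intended also flags a component that changed for any other reason, which is the signal that you may already be a victim.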
A Better Future
The trend of increasing vulnerabilities and attacks at the firmware layer is clearly established. This is why Eclypsium has been collaborating with NIST and others on practitioners' guides that bring firmware visibility into both enterprise patching and supply chain integrity. In practice this means connecting the existing processes for risk management and security operations with new device-level data. The same goes for Zero Trust: visibility into device firmware and hardware feeds the existing processes across the lifecycle of devices, users, and transactions, so defenders cover more ground at the same time.