September Vuln of the Month: 2022 Round-Up Edition

September’s Vuln of the Month finds us in a reflective mood, so we thought we’d make sure you had an eye on a few of the more interesting vulnerabilities from 2022. Just in case you overlooked them—but perhaps shouldn’t have.  

This month we’re looking at two vulns that earned our highest possible risk score (100) and one that earned the lowest score we’ve ever featured in this series (41) but hasn’t stayed there. Just in case you’re wondering, they all pose significant risks to vulnerable organizations. 

January 2022: An Atlassian Confluence vuln that couldn’t have had a higher risk profile if it tried. About this time last year, US Cybercom tweeted a grim warning alerting Security teams to the criticality of CVE-2021-26084: “Patch immediately if you haven’t already,” the alert read. “This cannot wait until after the weekend.”  The warning came because this OGNL (Object-Graph Navigation Language) injection vulnerability can leave organizations running affected versions of the Atlassian Confluence Server and Data Center open to remote code execution (RCE) of malicious code. 

CVE-2021-26084’s Kenna Risk Score rose progressively as exploits (more than 425 when we published the blog) piled up, and more was learned about how attackers were making life difficult for Confluence customers. (Some attackers installed and ran the XMRig cryptocurrency miner on affected systems.)  

Ultimately, we gave this vuln a risk score of 100—the highest score possible and higher than 99.98% of all the vulns we’ve ever scored. By now, most enterprises with Confluence Server and Data Center instances likely have remediated this vulnerability, but anyone who hasn’t is leaving their organization open to massive headaches. Check out the original blog for remediation pointers. 

February 2022: A Windows RCE vuln that was too easy to overlook. Headline vulnerabilities like log4j vulns grab a lot of attention and send executives streaming into the offices of CISOs everywhere. That not only prompts endless fire drills for SecOps teams, but it can cause some to overlook other very worthy vulnerabilities—and Windows vulns are always worth a look, especially if they can be executed remotely, require zero authentication, and have a potentially high impact on service and system availability. 

That was the case with CVE-2022-21907. No exploits had been observed when we published the original blog, which often led to lower risk scores. But the potential for exploitation was real for organizations running Windows Server 2019 and Windows 10 version 1809 that enabled the HTTP Trailer Support via the EnableTrailerSupport registry value.  

When we published our February 2022 entry, the Kenna Risk Score for CVE-2022-21907 was 41, the lowest score of any vuln featured in this series. (Despite this seemingly low score, this CVE still represented a higher risk than 90.9% of all vulns we’ve scored.) We told readers then that if this vuln were ever exploited, that score would likely rise. Two months later, exploits were observed, and the Kenna Risk Score for CVE-2022-21907 rose to 60—riskier than 98.4% of the nearly 200,000 vulns we’ve scored. This once again proves our oft-stated point that vulnerabilities themselves are dynamic, which makes static scoring systems inferior to those that update as information and threat profiles change. View the original blog for remediation guidance.  

August 2022: The hardwired backdoor password in a support app for—you guessed it—Atlassian Confluence. We had a little fun last month throwing around some retro ‘80s vibes as we recalled how using a backdoor password once saved the world. This was in service to our spotlight of CVE-2022-26138, which affects the Questions for Confluence app (ver. 2.7.x and 3.0.x), an Atlassian user support app for the Confluence server. The app includes a hardcoded backdoor password that works with an automatically generated user account. An attacker needs only log in via that account and enter the password. Once in, they could view internal issues, export data, and conjure up ways to further do damage.  

Making this especially risky is that the password was publicized on Twitter. As you might imagine, it didn’t take long for this vuln to be exploited in the wild. 

CVE-2022-26138 earned a Kenna Risk Score of 100, and it wasn’t just showing off. Even Atlassian jumped in to warn its 8,000 Questions for Confluence users: “A remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to. It is important to remediate this vulnerability on affected systems immediately.” 

Low access complexity, a broad attack surface, exploitable remotely, zero authentication privileges (thanks, backdoor password!), publicity on Twitter, and exploits observed. No wonder CVE-2022-26138 was such an overachiever on the Kenna Risk Meter. If you haven’t mitigated this one, by all means, jump to it. We cover mitigation in our original blog. 

This is all about reducing your risk 

Our goal with this series is to help you lower the risk these vulnerabilities pose to your business. We do this because vulns are rapidly moving targets, and today’s SecOps teams need all the help they can get as they try to identify which vulnerabilities are worth fixing and which can wait. That’s especially important because organizations can only remediate 10% to 30% (and 15% on average) of all the vulnerabilities in their environment. So focusing on which vulns pose a real risk is crucial. This matters even more because fewer than 5% of vulns are exploited. When you can focus on the true high-risk (not just high-profile) vulns, then you’ll have time to take care of vulns like CVE-2022-21907 which may represent a serious threat someday, but maybe not at this moment. 

That’s where Kenna Risk Scores come in. They apply both technical criteria and vital contextual information to evaluate each vulnerability. And it’s contextual information that makes Kenna Risk Scores so different, answering questions essential to understanding how much risk a vuln poses to your organization: There are exploits, but what types of organizations (by size, industry, etc.) have attackers been targeting? On which of your assets does the vulnerability exist? And how exposed or mission-critical are those assets? Basic vulnerability scores such as CVSS and scanner-generated scores (typically repackaged CVSS scores) lack that essential context.  

For a closer look at how to address high-risk vulns without having to beef up your SecOps team, read 4 Ways to Rethink Planning for and Responding to Extreme Vulnerabilities. It’s an eye-opener. 

We’ll be back next month with a new CVE for Vuln of the Month. 

Watch this space for regular Vuln of the Month spotlights, which appear on the second Tuesday of each month. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.