Introducing Kenna’s Vuln of the Month Series
Yesterday was Patch Tuesday, so we’re calling today Exploit Wednesday. And with that, today we launch a new monthly blog series from Kenna Security. We call it Vuln of the Month. It’s an opportunity for those of us on the data science research team to spotlight a named CVE that may not already be on your radar screen, but probably should be.
Every month, we’ll call out a vuln of special interest that we’re following here at Kenna, and why you should be paying attention as well. We’re basing our assessment on various factors, including evidence of actual exploits, gleaned from data-driven threat and vulnerability intelligence, as well as our assessment of the vuln’s potential for widespread impact. In other words, all the things that make a vuln worthy of a closer look.
This month’s vuln: CVE-2021-1647
Kenna Security’s research team is closely following CVE-2021-1647, a remote code execution vulnerability in the Microsoft Malware Protection Engine that powers Microsoft Defender. Our research shows that CVE-2021-1647 meets most of the criteria we associate with vulns that go on to be widely exploited. The criteria are listed below in order of their significance in assessing the risk of this vuln.
- Exploit code published: Yes
- Active exploits observed: Yes
- Attack volume: High
- Attack velocity: High
- Malware exploitable: Yes
- Potential attack surface: > 1 billion
- Potential impact on availability: Complete
- Access complexity: Low
- Authentication/privilege requirements: Low
As the graph above illustrates, only 4.62% of observed vulnerabilities have a higher risk score than CVE-2021-1647.
Why CVE-2021-1647 matters
This past month, security execs and media outlets have paid a lot of attention to recent vulnerabilities in software from SonicWall (CVE-2021-20016), SAP (CVE-2020-6207), Oracle (CVE-2021-2109), and sudo (CVE-2021-3156). So chances are, you’re already either working to remediate those vulns or at least assessing whether they are likely to create a risk to your environment.
We believe CVE-2021-1647 deserves the same attention. This vuln has the potential for widespread impact. Microsoft rates both the attack complexity and the privileges required to exploit it as low. The vulnerable code runs whenever Defender’s engine scans a file, so an attacker does not need a foothold on the machine: a crafted file delivered remotely (an e-mail attachment, a download, or a file an unsuspecting user is phished into opening) is enough to reach it, and the engine process runs with SYSTEM privileges. Microsoft notes that a successful exploit can result in “the attacker being able to fully deny access to resources in the impacted component.”
Microsoft Defender is installed and enabled by default on the more than 1 billion Windows 10 devices, making it a massive target. And with proof-of-concept (PoC) code known to be public, we have already seen it actively used by bad actors.
Bottom line
We would not be surprised to see this Microsoft Defender vulnerability find its way into most offensive toolkits and be used in malware and ransomware in the future.
Mitigation status
Microsoft published security updates to address CVE-2021-1647 on Patch Tuesday, Jan. 12, 2021. Note that the fix ships as an update to the Malware Protection Engine itself (the first fixed engine version is 1.1.17700.4), which Defender normally pulls down automatically alongside definition updates rather than through the monthly cumulative update. So the right check is the engine version on each endpoint, not whether the January cumulative update was installed; a machine whose definition updates are blocked or stale can be fully patched by Windows Update and still be running the vulnerable engine.
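As an added example (not code from Kenna Security or Microsoft), the following PowerShell script checks whether the local Defender engine is at or above the fixed version and forces an engine/definition update if it is not. It uses the built-in Defender cmdlets `Get-MpComputerStatus` and `Update-MpSignature`; the function name `Test-DefenderEngineFixed` is our own, and the fixed version threshold 1.1.17700.4 is taken from Microsoft’s advisory for CVE-2021-1647.

```powershell
# Added example: verify the CVE-2021-1647 fix on a Windows 10 endpoint.
# The fix is delivered as a Malware Protection Engine update, so the engine
# version reported by Defender is the authoritative indicator. Threshold is
# the first fixed engine version from Microsoft's advisory.
$FixedEngine = [version]'1.1.17700.4'

function Test-DefenderEngineFixed {
    # Get-MpComputerStatus comes with the Defender PowerShell module that
    # ships on Windows 10; AMEngineVersion is the engine (mpengine.dll) version.
    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        EngineVersion     = $engine.ToString()
        FixedEngine       = $FixedEngine.ToString()
        RealTimeEnabled   = $status.RealTimeProtectionEnabled
        DefsLastUpdated   = $status.AntivirusSignatureLastUpdated
        Fixed             = ($engine -ge $FixedEngine)
    }
}

$result = Test-DefenderEngineFixed
$result | Format-List

if (-not $result.Fixed) {
    Write-Warning "Engine $($result.EngineVersion) predates the CVE-2021-1647 fix; updating."
    # Pull the latest engine and definitions from the configured update source
    # (Microsoft Update, WSUS, or a file share, depending on policy), then re-check.
    Update-MpSignature -ErrorAction Stop
    $after = Test-DefenderEngineFixed
    $after | Format-List
    if (-not $after.Fixed) {
        Write-Error "Engine still at $($after.EngineVersion); check the definition update source and proxy/WSUS reachability."
    }
}
```

To sweep a fleet rather than one host, the same function can be pushed to remote machines with `Invoke-Command -ComputerName <hosts> -ScriptBlock ${function:Test-DefenderEngineFixed}` and the results filtered on `Fixed -eq $false`. Hosts where `RealTimeEnabled` is false are not safe either: a later on-demand or scheduled scan of a crafted file still reaches the vulnerable engine, so the engine version is what matters.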
Watch this space for future Vuln of the Month spotlights. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our real-time vulnerability intelligence powered by machine learning.