Cymulate 2022 Predictions: Overwhelming Number of Vulnerabilities with a CVSS score above 9 Makes Patching Prioritization Frustrating


Industry executives and experts share their predictions for 2022.  Read them in this 14th annual series exclusive.

Overwhelming Number of Vulnerabilities with a CVSS score above 9 Makes Patching Prioritization Frustrating

By Dave Klein, Director and Cyber Evangelist, Cymulate 

A New Methodology Is Needed to Reduce Risk & Cost Between Patching Cycles

Banner Year for Vulnerabilities

This year was a banner year for enterprise vulnerabilities. Between bug bounty findings, the industry's improvement at policing itself and others, and the heightened concern over third-party risk, vulnerabilities were discovered at a higher rate than ever seen before. Looking at the MITRE CVE list, the number of registered CVEs in 2011 was 4,816. In 2021, it jumped to 29,482, a 600% increase. Adding the still-active CVEs from previous years, the total number of active CVEs listed in CVE Details by the end of 2021 reached a staggering 167,039 vulnerabilities.


With such a high number discovered this year, one would expect most to be low-quality, lacking Remote Code Execution (RCE). Yet, to our shock and dismay, an alarmingly high number of active CVEs are RCE-capable and pose real threats to enterprises. Checking the CVE Details records shows that there are currently over 19,061 active vulnerabilities with a CVSS score higher than 9.


Increased Speed from Vulnerability to Exploit, and Some Patching Is Not Complete

To make matters worse, this year we found that even when a vulnerability was announced before any exploit was available, exploits would rapidly surface. The speed at which cyber-criminals, a multi-tiered, affiliate-boosted ecosystem ranging from lone hackers to nation-state professionals, graduated from proof-of-concept exploits to active ones was lightning fast.

In 2022, we expect the quantity and severity of emerging exploits to continue to increase and the time window between vulnerability publication and exploit availability to shrink. This has serious ramifications for enterprises already struggling to keep up. Disruptive, time-consuming, and arduous patching cycles have always been troublesome, and the periods in between are increasingly fraught with risk. Far too often, this has led to disruptive "clear the deck" emergency patching cycles that interrupt IT and business processes. Furthermore, in cases of severe CVEs, the initial patches are only a stop-gap measure, and additional patching is required.

Cost of patching

Patching, whether during pre-set maintenance windows or during disruptive all-hands-on-deck emergency patching, is resource-intensive and costly. In fact, a new study by Ivanti revealed that 71% of IT and security professionals find patching to be overly complex and time-consuming.

2021 Examples

  • A notable example this year affected those who still run on-premises Microsoft Exchange Servers. On March 2nd, Microsoft announced four critical vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) that were already being exploited in the wild by a Chinese nation-state actor, APT 40, also known as HAFNIUM. As people burned emergency patching windows to address them, within a week and a half these vulnerabilities were incorporated into common ransomware and other attacks.
  • Another fitting example was a critical vulnerability in Microsoft's Hypertext Markup Language (MSHTML), a web content rendering engine that Microsoft Office applications use. In this case, the vulnerability CVE-2021-40444 could lead to malicious ActiveX controls that achieve remote code execution on affected systems. Discovered on September 7th, 2021, it was exploited in less than 72 hours by multiple threat actors. What made matters worse was that, while the patch handled some aspects of the MSHTML flaws, by December 21st attackers had found additional ways to launch their attacks on patched versions of MSHTML, requiring defenders to patch again.
  • Log4j is this year's best example of patching issues. Beyond the silly memes, it is a severe issue. With the world running on apps, and apps today firmly rooted in web services, the effects of this vulnerability spread everywhere at lightning speed. The patching provided was piecemeal and inefficient. The first patch, upgrading to version 2.15.0, did not plug all the vulnerability issues. This led to additional patch releases, 2.16.0, 2.17.0 and, as the year closes, 2.17.1.

A New Example: Invoke-noPac - Critical Active Directory Server Vulnerabilities

In this blog, we will introduce another critical vulnerability. It is only a week old and currently hides in the shadow of Log4j, but it is just as widespread and arguably more deadly. It starts with two severe vulnerabilities, CVE-2021-42287 and CVE-2021-42278, found in every Windows Server release, which, when exploited together in a sAMAccountName spoofing and escalation attack, allow un-elevated users within a domain to spoof their way to Active Directory Domain Admin rights.

What makes this especially scary is that we are tracking multiple proof-of-concept exploits on this across GitHub and various hacking blog sites. We have even seen a YouTube video demonstrating a successful proof of concept exploit.

How does the exploit work?

It is frightfully easy.

1.  A regular, unelevated user on a domain simply sends a Kerberos service ticket request to a vulnerable Active Directory server. The vulnerable Active Directory server replies with a standard Kerberos service ticket.
2.  The user then fakes a domain admin request and sends a second Kerberos service ticket request impersonating the domain admin. The two vulnerabilities together are the key: the first does not verify the account name, and the second allows the escalation of privileges. The vulnerable Active Directory server then simply grants this second Kerberos service ticket with admin rights.
3.  Now that user has full control of the Active Directory domain and can do any number of things.


Some have called the PoC exploits the "Weaponization of CVE-2021-42287 & CVE-2021-42278" and others have given it the name "Invoke-noPac Active Directory Attack", after the way the user requests the Kerberos service tickets. Regardless, the number of active PoC exploits observed has been around twenty. It is only a matter of time before this gets weaponized by criminal and nation-state hackers alike.

2022 Doing the Impossible - Decrease Risk While Patching Less

If 2021 has taught us anything, it is that we must become smarter between patching cycles by doing everything we can to find first- and third-party security controls that compensate for vulnerabilities, reducing risk and, paradoxically, patching less. In doing this, we can ensure lower risk and expense.

Looking at our Invoke-noPac example, CVE-2021-42287 & CVE-2021-42278, effective patches were already released on Tuesday, November 9th. Several things can be done to reduce the emergency patching burden and hold off until a periodic maintenance window. Third-party controls can segment off access to Active Directory, and behavior-based anti-malware can be run on the Domain Controllers. Additionally, a first-party control is to remove unelevated users' ability to register systems in the domain by modifying the default Active Directory configuration.
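The first-party control mentioned above, removing unelevated users' ability to register systems in the domain, is the domain's ms-DS-MachineAccountQuota attribute, which by default lets any authenticated user join up to ten computers. The following PowerShell is an added example for this article, not Cymulate's purple team test or code from the vendor; it assumes the RSAT ActiveDirectory module and Domain Admin rights on a management host. It reads the current quota, sets it to 0, and then lists computer accounts that look out of place for review: ones whose sAMAccountName does not carry the usual trailing '$', and ones whose mS-DS-CreatorSID attribute is populated, which happens only when a non-administrative user created the account through the quota.

```powershell
# Added example (not from the article or from Cymulate): first-party hardening
# against the CVE-2021-42287 / CVE-2021-42278 risk described above.
# Assumes the RSAT ActiveDirectory module is installed and the caller has
# Domain Admin rights. Run from a management workstation.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName

# 1. Inspect the current quota. The default of 10 lets any authenticated
#    domain user create up to ten computer accounts that they then control.
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "Current ms-DS-MachineAccountQuota for $($domain.DNSRoot): $quota"

# 2. Set the quota to 0 so that only principals explicitly delegated the
#    'Create Computer objects' permission on an OU can register machines.
#    This is a domain-wide change; review any device-enrollment workflow
#    that relied on the default before applying it.
if ($quota -ne 0) {
    Set-ADDomain -Identity $domainDN -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    Write-Host 'ms-DS-MachineAccountQuota set to 0'
}

# 3. Hygiene review for the interval until the maintenance window:
#    - computer accounts normally have a sAMAccountName ending in '$'
#    - mS-DS-CreatorSID is set only when a non-admin created the account
#      via the quota, so those accounts deserve a second look
Get-ADComputer -Filter * -Properties sAMAccountName, whenCreated, 'mS-DS-CreatorSID' |
    Where-Object { ($_.sAMAccountName -notlike '*$') -or ($null -ne $_.'mS-DS-CreatorSID') } |
    Select-Object Name, sAMAccountName, whenCreated,
        @{ Name = 'CreatorSID'; Expression = { if ($_.'mS-DS-CreatorSID') { (New-Object System.Security.Principal.SecurityIdentifier($_.'mS-DS-CreatorSID', 0)).Value } } } |
    Sort-Object whenCreated -Descending |
    Format-Table -AutoSize
```

The quota change does not replace the November patches; it narrows who can create the computer accounts the described attack depends on while the domain controllers wait for their scheduled maintenance window. Accounts surfaced by the review step should be checked against the organization's join process before being cleaned up.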

At Cymulate, we created a purple team test that discovers and exploits (safely for your production environment) these two vulnerabilities, and subsequently removes any elevations to keep Active Directory untouched.


We can expect the onslaught of high-severity vulnerabilities seen in 2021 to continue unabated in 2022. The difference will be in our ability to incorporate first-party and third-party controls to mitigate risk quickly and easily, and to reduce the number of patching windows to a minimum. By doing so, we can better secure our enterprises and do so at less cost.



Dave Klein 

Dave Klein is a Director and Cyber Evangelist for Cymulate. You can follow him on Twitter at @cybercaffeinate.

Published Tuesday, January 25, 2022 7:33 AM by David Marshall