Detecting Vulnerabilities Prioritized in CISA’s Binding Operational Directive 22-01
To enable organizations to address the risks posed by critical vulnerabilities outlined in Binding Operational Directive (BOD) 22-01, SOC Prime provides an extensive list of curated detections to identify possible exploit attempts in your infrastructure and isolate potentially affected assets while patching procedures are in progress.
The increasing sophistication of malicious activities threatening the private and public sectors at a global scale requires organizations to strengthen their cyber defense capabilities to stay one step ahead of attackers. Patching the known vulnerabilities is among the highest priorities to proactively defend against the emerging threats.
On November 3, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive (BOD) 22-01, aimed at helping organizations mitigate the critical risks of known vulnerabilities under active exploitation. BOD 22-01 is mandatory only for US federal agencies, yet all other organizations, including private companies, businesses across industries, and state-owned enterprises, are strongly recommended to prioritize patching the vulnerabilities it singles out.
All of these critical security issues are listed in the public catalog CISA issued alongside Directive 22-01. The main purpose of this catalog is to track and summarize the specific security gaps so that organizations worldwide can address the associated risks and withstand attacks more efficiently.
Known Exploited Vulnerabilities Catalog by CISA
CISA enumerates 291 Common Vulnerabilities and Exposures (CVEs) to be urgently patched by federal agencies. Although patches for the whole list should be applied as soon as possible, the catalog's due dates make it practical to implement them in three stages:
Highest Priority
Some of the vulnerabilities on the list are already past their due date, so organizations should urgently verify that the existing patches have been applied. These include the most severe exploits that shook the digital world in 2020-2021, such as the PrintNightmare, SigRed, Zerologon, CryptoAPI, and Pulse Connect Secure flaws. In total, there are 15 overdue CVEs on CISA's list that require immediate remediation.
High Priority
Over 30% (100) of the flaws in the CISA-managed vulnerability catalog are prioritized to be patched in less than two weeks, by November 17, 2021, due to the severity of the exploits and their high risk level.
Medium Priority
For the majority of bugs on the list (176), remediation is required by May 3, 2022, which leaves organizations more than 6 months for patching.
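To make the three stages concrete, the following Python (an added example, not SOC Prime's or CISA's code) buckets catalog entries by due date relative to the directive's release and ranks inventoried assets by the most urgent bucket they fall into. The JSON field names `vulnerabilities`, `cveID` and `dueDate` are assumed to follow CISA's KEV feed; the entries, dates and asset inventory are constructed for illustration.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed (field names are an
# assumption about that feed); due dates are illustrative, not catalog values,
# and CVE-0000-0000 is a placeholder id standing in for a medium-priority entry.
SAMPLE_KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2021-34527", "dueDate": "2021-07-20"},
  {"cveID": "CVE-2020-1472",  "dueDate": "2020-09-21"},
  {"cveID": "CVE-2021-41773", "dueDate": "2021-11-17"},
  {"cveID": "CVE-2021-22205", "dueDate": "2021-11-17"},
  {"cveID": "CVE-0000-0000",  "dueDate": "2022-05-03"}
]}
"""

DIRECTIVE_DATE = date(2021, 11, 3)  # release date of BOD 22-01


def bucket_by_due_date(kev_json, today=DIRECTIVE_DATE):
    """Group catalog entries into the three remediation stages:
    overdue (due date already passed), high (due within two weeks
    of `today`), medium (everything later)."""
    two_weeks = today + timedelta(days=14)
    buckets = {"overdue": [], "high": [], "medium": []}
    for entry in json.loads(kev_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        if due < today:
            buckets["overdue"].append(entry["cveID"])
        elif due <= two_weeks:
            buckets["high"].append(entry["cveID"])
        else:
            buckets["medium"].append(entry["cveID"])
    return buckets


def triage_assets(kev_json, asset_cves, today=DIRECTIVE_DATE):
    """Map each asset (name -> CVEs reported against it, e.g. from a
    scanner export) to the most urgent KEV stage it matches, so the
    hosts to isolate or patch first surface at the top. Assets with
    no catalog hit map to None."""
    buckets = bucket_by_due_date(kev_json, today)
    rank = {"overdue": 0, "high": 1, "medium": 2}
    cve_stage = {cve: stage for stage, cves in buckets.items() for cve in cves}
    result = {}
    for asset, cves in asset_cves.items():
        hits = [cve_stage[c] for c in cves if c in cve_stage]
        result[asset] = min(hits, key=rank.get) if hits else None
    return result
```

Feeding the real catalog feed and a scanner export into `triage_assets` yields the same overdue/high/medium ordering the directive's deadlines imply.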
Detect CISA BOD 22-01 Vulnerabilities with SOC Prime's Detection as Code Platform
In response to the CISA-managed catalog outlined in BOD 22-01, the SOC Prime Content Team provides a list of recommended content to detect attempts to exploit these known vulnerabilities. All detections are available in SOC Prime's Detection as Code platform and arranged in lists that follow the remediation priorities (highest and high) derived from the severity and risk level of the exploits, so that security teams reach the most relevant content first.
SOC Prime's approach is built on a threat detection and hunting perspective, allowing organizations to get the full picture of their security gaps beforehand and easily prioritize what most urgently needs patching. By leveraging the detection stack selected by SOC Prime experts and arranged according to the remediation priorities, organizations can hunt for malicious actors who exploit these critical flaws to compromise organizational assets. We recommend using the dedicated SOC Prime detection content as triggers for isolating potentially affected systems and compromised users.
Detections for CVEs of Highest Priority
Here you can find the list of top detection content we gathered to help security professionals address CVEs that are of highest priority based on the CISA-issued Directive 22-01:
CVE-2021-22893 — Pulse Connect Secure (PCS) Remote Code Execution
CVE-2021-26855 — Microsoft OWA Exchange Control Panel (ECP) Exploit Chain
CVE-2021-26857 — Microsoft OWA Exchange Control Panel (ECP) Exploit Chain
CVE-2021-26858 — Microsoft OWA Exchange Control Panel (ECP) Exploit Chain
CVE-2021-27065 — Microsoft OWA Exchange Control Panel (ECP) Exploit Chain
CVE-2020-1350 — “SigRed” Windows DNS Server Remote Code Execution Vulnerability
CVE-2021-34527 — “PrintNightmare” Microsoft Windows Print Spooler Remote Code Execution Vulnerability
CVE-2020-1472 — “ZeroLogon” NetLogon Elevation of Privilege Vulnerability
CVE-2020-0601 — Windows 10 API/ECC Vulnerability (Windows CryptoAPI)
CVE-2020-8260 — Pulse Connect Secure RCE
CVE-2019-11510 — Pulse Secure VPN arbitrary file reading vulnerability (COVID-19-CTI list)
CVE-2021-22900 — Pulse Connect Secure Arbitrary File Upload Vulnerability
CVE-2021-22894 — Pulse Connect Secure Collaboration Suite Remote Code Execution
CVE-2021-22899 — Pulse Connect Secure Remote Code Execution
CVE-2020-8243 — Pulse Connect Secure Arbitrary Code Execution
The full list of detections addressing all CVEs of the highest priority is available in SOC Prime's Detection as Code platform.
Detections for CVEs of High Priority
The following list includes curated detection content available in SOC Prime's platform covering the known exploited vulnerabilities ranked as high priority in the corresponding CISA-managed catalog:
CVE-2021-1675 — Windows Print Spooler RCE
CVE-2021-22986 — F5 iControl REST unauthenticated RCE
CVE-2021-1879 — Apple iOS Webkit Browser Engine XSS
CVE-2021-21166 — Google Chrome Heap Buffer Overflow in WebAudio Vulnerability
CVE-2021-21224 — Chromium V8 JavaScript Engine Remote Code Execution
CVE-2021-21972 — VMware vCenter Server RCE
CVE-2021-21985 — VMware vCenter Server Remote Code Execution
CVE-2021-22005 — VMware vCenter Server File Upload
CVE-2021-22205 — GitLab Community and Enterprise Editions From 11.9 Remote Code Execution
CVE-2021-22502 — Micro Focus Operation Bridge Report (OBR) Server RCE
CVE-2021-26084 — Atlassian Confluence Server Arbitrary Code Execution
CVE-2021-26411 — Microsoft Internet Explorer and Edge Memory Corruption Vulnerability
CVE-2021-30551 — Chromium V8 Engine Type Confusion
CVE-2021-30554 — Google Chrome WebGL Use after Free
CVE-2021-31207 — Microsoft Exchange Server Security Feature Bypass Vulnerability
CVE-2021-31956 — Microsoft Windows NTFS Elevation of Privilege Vulnerability
CVE-2021-31979 — Windows Kernel Elevation of Privilege
CVE-2021-33771 — Windows Kernel Elevation of Privilege
CVE-2021-34473 — Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2021-34523 — Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2021-35211 — SolarWinds Serv-U Remote Memory Escape Vulnerability
CVE-2021-36942 — Microsoft LSA Spoofing
CVE-2021-38647 — Microsoft Azure Open Management Infrastructure (OMI) Remote Code Execution
CVE-2021-40444 — Microsoft MSHTML Remote Code Execution Vulnerability
CVE-2021-40539 — Zoho Corp. ManageEngine ADSelfService Plus Version 6113 and Earlier Authentication Bypass
CVE-2021-41773 — Apache HTTP Server Path Traversal Vulnerability
CVE-2021-42013 — Apache HTTP Server 2.4.49 and 2.4.50 Path Traversal
Refer to the full list of detections for CVEs of high priority in SOC Prime's Detection as Code platform.
This article covers the most relevant detection content for the top critical CVEs listed in CISA's vulnerability catalog. SOC Prime is constantly enriching the Detection as Code platform with up-to-date content, and new detections addressing the CVEs covered by BOD 22-01 are under research and development for curation and delivery in the coming weeks.
Searching for the latest threat detection content? Explore SOC Prime's Detection as Code platform, which natively delivers curated Sigma-based detection content via subscription to 20+ SIEM and XDR solutions, helping security teams across the world defend against digital attacks more easily, faster, and more efficiently. To boost collaborative cyber defense, join SOC Prime's crowdsourcing initiative, which enables threat hunters and researchers worldwide to monetize their own detection content while contributing to a safer future.