Detecting Vulnerabilities Prioritized in CISA’s Binding Operational Directive 22-01

November 10, 2021 · 6 min read

To enable organizations to address the risks posed by critical vulnerabilities outlined in Binding Operational Directive (BOD) 22-01, SOC Prime provides an extensive list of curated detections to identify possible exploit attempts in your infrastructure and isolate potentially affected assets while patching procedures are in progress.

The increasing sophistication of malicious activity against the private and public sectors worldwide requires organizations to strengthen their cyber defense capabilities to stay one step ahead of attackers. Patching known vulnerabilities is among the highest priorities for proactively defending against emerging threats.
On November 3, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) released Binding Operational Directive (BOD) 22-01, aimed at helping organizations mitigate the critical risk posed by known vulnerabilities under active exploitation. BOD 22-01 is binding on federal civilian executive branch (FCEB) agencies; CISA nevertheless strongly recommends that all other organizations, including private companies across industries and state-owned enterprises, prioritize patching the vulnerabilities it lists.

The vulnerabilities covered by the Directive are listed in the public Known Exploited Vulnerabilities (KEV) catalog that CISA issued alongside BOD 22-01. The catalog tracks and summarizes specific, actively exploited security gaps so that organizations worldwide can address the associated risk and withstand attacks more efficiently. It is a living list: CISA continues to add vulnerabilities, each with its own remediation due date.

Known Exploited Vulnerabilities Catalog by CISA

At the time of writing, CISA’s catalog enumerates 291 Common Vulnerabilities and Exposures (CVEs) that federal agencies must remediate. Although every item on the list should be patched as soon as possible, the Directive’s due dates split the work into three stages:

Highest Priority

Fifteen of the vulnerabilities on the list are already past due, so organizations should immediately verify that the existing patches have actually been applied. These include the most severe flaws exploited in 2020-2021, such as PrintNightmare, SigRed, Zerologon, the Windows CryptoAPI spoofing bug and the Pulse Connect Secure vulnerabilities. All 15 overdue CVEs require immediate remediation.

High Priority

About a third of the catalog (100 CVEs) must be patched within two weeks of the Directive, by November 17, 2021. The Directive’s rule is that vulnerabilities with a CVE ID assigned in 2021 get this two-week deadline, reflecting the high risk of ongoing exploitation.

Medium Priority

The majority of the catalog (176 CVEs, those with CVE IDs assigned before 2021) must be remediated by May 3, 2022, giving organizations six months from the Directive’s release.
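As an added example (not part of the original article, and not code from SOC Prime’s platform or from CISA), the following Python script applies this three-stage prioritization to a catalog in the JSON layout CISA publishes for the Known Exploited Vulnerabilities feed, and can restrict the result to vendor/product pairs present in a local asset inventory. The catalog excerpt, the inventory and the 14-day window are constructed assumptions for illustration; the reference date is this article’s publication date.

```python
"""Bucket CISA KEV catalog entries into the BOD 22-01 remediation tiers.

Added example; not SOC Prime's or CISA's code. It reads the catalog in the
JSON layout of CISA's public feed (a "vulnerabilities" array whose entries
carry cveID, vendorProject, product, vulnerabilityName and dueDate) and groups
entries into three tiers: overdue, due within two weeks, and the rest.
"""
from __future__ import annotations

import json
from datetime import date, timedelta

# Constructed excerpt in the shape of the public feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Entries and due dates are illustrative, not copied from the live catalog.
SAMPLE_CATALOG = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2020-1472", "vendorProject": "Microsoft", "product": "Netlogon",
         "vulnerabilityName": "Netlogon Elevation of Privilege", "dueDate": "2020-09-21"},
        {"cveID": "CVE-2021-34527", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Windows Print Spooler Remote Code Execution", "dueDate": "2021-07-20"},
        {"cveID": "CVE-2021-41773", "vendorProject": "Apache", "product": "HTTP Server",
         "vulnerabilityName": "Apache HTTP Server Path Traversal", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2021-26084", "vendorProject": "Atlassian", "product": "Confluence Server",
         "vulnerabilityName": "Confluence Server Arbitrary Code Execution", "dueDate": "2021-11-17"},
        {"cveID": "CVE-2019-11510", "vendorProject": "Pulse Secure", "product": "Pulse Connect Secure",
         "vulnerabilityName": "Pulse Connect Secure Arbitrary File Read", "dueDate": "2022-05-03"},
        {"cveID": "CVE-2017-11882", "vendorProject": "Microsoft", "product": "Office",
         "vulnerabilityName": "Microsoft Office Memory Corruption", "dueDate": "2022-05-03"},
    ],
})

TWO_WEEKS_DAYS = 14  # the Directive's short remediation clock (assumed window)


def load_catalog(text: str) -> list[dict]:
    """Parse a KEV JSON document and return its vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def tier_for(due_iso: str, today_iso: str, window_days: int = TWO_WEEKS_DAYS) -> str:
    """Map an ISO due date to a tier relative to the ISO reference date.

    overdue: the deadline has already passed
    high:    due today or within `window_days`
    medium:  everything later
    """
    due, today = date.fromisoformat(due_iso), date.fromisoformat(today_iso)
    if due < today:
        return "overdue"
    if due - today <= timedelta(days=window_days):
        return "high"
    return "medium"


def in_inventory(entry: dict, inventory: set[tuple[str, str]]) -> bool:
    """True when the entry's vendor/product pair appears in the asset inventory (case-insensitive)."""
    key = (entry["vendorProject"].casefold(), entry["product"].casefold())
    return key in {(v.casefold(), p.casefold()) for v, p in inventory}


def prioritize(catalog_text: str, today_iso: str,
               inventory: set[tuple[str, str]] | None = None) -> dict[str, list[str]]:
    """Return {tier: [cveID, ...]} ordered by due date, optionally limited to inventoried products."""
    buckets: dict[str, list[tuple[str, str]]] = {"overdue": [], "high": [], "medium": []}
    for entry in load_catalog(catalog_text):
        if inventory is not None and not in_inventory(entry, inventory):
            continue
        # ISO-8601 dates sort correctly as strings, so (dueDate, cveID) gives due-date order.
        buckets[tier_for(entry["dueDate"], today_iso)].append((entry["dueDate"], entry["cveID"]))
    return {tier: [cve for _, cve in sorted(items)] for tier, items in buckets.items()}


if __name__ == "__main__":
    today = "2021-11-10"  # this article's publication date
    for tier, cves in prioritize(SAMPLE_CATALOG, today).items():
        print(f"{tier:<8} {len(cves)}  {' '.join(cves)}")
    # Constructed inventory: only Windows hosts and Apache httpd are deployed in this environment.
    assets = {("Microsoft", "Windows"), ("Apache", "HTTP Server")}
    print(prioritize(SAMPLE_CATALOG, today, assets))
```

Passing the live feed (fetched separately from the URL in the comment) as `catalog_text` instead of the embedded excerpt gives the current view, and because CISA keeps adding entries with their own due dates, the script should be re-run whenever the catalog changes.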

Detect CISA BOD 22-01 Vulnerabilities with SOC Prime’s Detection as Code Platform

In response to the catalog referenced by BOD 22-01, the SOC Prime Content Team provides a list of recommended content for detecting attempts to exploit these known vulnerabilities. All detections are available in SOC Prime’s Detection as Code platform and are arranged in lists that follow the remediation priorities (highest and high), so that security teams reach the most relevant content first.

The approach is built from a threat detection and hunting perspective: it lets organizations see where their exposure lies before patching is complete and prioritize what most urgently needs to be fixed. Using the detection stack selected by SOC Prime experts and arranged according to the remediation priorities, organizations can hunt for actors exploiting these vulnerabilities to compromise organizational assets. We recommend using the dedicated detection content as triggers for isolating potentially affected systems and compromised users. Note that such detections flag exploitation attempts against a given CVE; they complement, rather than replace, the asset inventory and vulnerability scanning needed to confirm which systems are actually unpatched.

Detections for CVEs of Highest Priority

Below is the top detection content we gathered to help security professionals address the CVEs of highest priority under CISA’s Directive 22-01:

CVE-2021-22893: Pulse Connect Secure (PCS) Remote Code Execution

CVE-2021-26855: Microsoft OWA Exchange Control Panel (ECP) Exploit Chain

CVE-2021-26857: Microsoft OWA Exchange Control Panel (ECP) Exploit Chain

CVE-2021-26858: Microsoft OWA Exchange Control Panel (ECP) Exploit Chain

CVE-2021-27065: Microsoft OWA Exchange Control Panel (ECP) Exploit Chain

CVE-2020-1350: “SigRed” Windows DNS Server Remote Code Execution Vulnerability

CVE-2021-34527: “PrintNightmare” Microsoft Windows Print Spooler Remote Code Execution Vulnerability

CVE-2020-1472: “Zerologon” Netlogon Elevation of Privilege Vulnerability

CVE-2020-0601: Windows CryptoAPI ECC Certificate Validation Spoofing Vulnerability (CurveBall)

CVE-2020-8260: Pulse Connect Secure Remote Code Execution

CVE-2019-11510: Pulse Secure VPN Arbitrary File Read Vulnerability (also on the COVID-19 CTI list)

CVE-2021-22900: Pulse Connect Secure Arbitrary File Upload Vulnerability

CVE-2021-22894: Pulse Connect Secure Collaboration Suite Remote Code Execution

CVE-2021-22899: Pulse Connect Secure Remote Code Execution

CVE-2020-8243: Pulse Connect Secure Arbitrary Code Execution

The full list of detections addressing all CVEs of highest priority is available in SOC Prime’s Detection as Code platform.

Detections for CVEs of High Priority

The following list includes curated detection content available in SOC Prime’s platform covering the known exploited vulnerabilities ranked as high priority in the CISA catalog:

CVE-2021-1675: Windows Print Spooler Remote Code Execution

CVE-2021-22986: F5 iControl REST Unauthenticated Remote Code Execution

CVE-2021-1879: Apple iOS WebKit Browser Engine Cross-Site Scripting

CVE-2021-21166: Google Chrome Heap Buffer Overflow in WebAudio Vulnerability

CVE-2021-21224: Chromium V8 JavaScript Engine Remote Code Execution

CVE-2021-21972: VMware vCenter Server Remote Code Execution

CVE-2021-21985: VMware vCenter Server Remote Code Execution

CVE-2021-22005: VMware vCenter Server Arbitrary File Upload

CVE-2021-22205: GitLab Community and Enterprise Editions from 11.9 Remote Code Execution

CVE-2021-22502: Micro Focus Operations Bridge Reporter (OBR) Remote Code Execution

CVE-2021-26084: Atlassian Confluence Server Arbitrary Code Execution

CVE-2021-26411: Microsoft Internet Explorer and Edge Memory Corruption Vulnerability

CVE-2021-30551: Chromium V8 Engine Type Confusion

CVE-2021-30554: Google Chrome WebGL Use After Free

CVE-2021-31207: Microsoft Exchange Server Security Feature Bypass Vulnerability

CVE-2021-31956: Microsoft Windows NTFS Elevation of Privilege Vulnerability

CVE-2021-31979: Windows Kernel Elevation of Privilege

CVE-2021-33771: Windows Kernel Elevation of Privilege

CVE-2021-34473: Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-34523: Microsoft Exchange Server Elevation of Privilege Vulnerability

CVE-2021-35211: SolarWinds Serv-U Remote Memory Escape Vulnerability

CVE-2021-36942: Microsoft LSA Spoofing (PetitPotam)

CVE-2021-38647: Microsoft Azure Open Management Infrastructure (OMI) Remote Code Execution

CVE-2021-40444: Microsoft MSHTML Remote Code Execution Vulnerability

CVE-2021-40539: Zoho ManageEngine ADSelfService Plus Version 6113 and Earlier Authentication Bypass

CVE-2021-41773: Apache HTTP Server 2.4.49 Path Traversal Vulnerability

CVE-2021-42013: Apache HTTP Server 2.4.49 and 2.4.50 Path Traversal (incomplete fix for CVE-2021-41773)

Refer to the full list of detections for high-priority CVEs in SOC Prime’s Detection as Code platform.

This article covers the most relevant detection content for the top critical CVEs listed in CISA’s vulnerability catalog. SOC Prime is continuously enriching the Detection as Code platform, and new detections addressing CVEs covered by BOD 22-01 are under research and development for curation and delivery in the coming weeks.

Searching for the latest threat detection content? Explore SOC Prime’s Detection as Code platform, which natively delivers curated Sigma-based detection content via subscription to 20+ SIEM and XDR solutions, helping security teams worldwide defend against attacks more easily, faster and more efficiently. To boost collaborative cyber defense, join SOC Prime’s crowdsourcing initiative, which enables threat hunters and researchers worldwide to monetize their own detection content while contributing to a safer future.
