Remote Work Without VPN Patches? Govt Security Agencies Reveal Most Exploited Vulnerabilities

Slashdot reader storagedude quotes eSecurityPlanet : The FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) joined counterparts in the UK and Australia Wednesday to announce the top 30 vulnerabilities exploited since the start of the pandemic.

The list, a joint effort with the Australian Cyber Security Centre (ACSC) and the UK's National Cyber Security Centre (NCSC), details vulnerabilities — primarily Common Vulnerabilities and Exposures (CVEs) — "routinely exploited by malicious cyber actors in 2020 and those being widely exploited thus far in 2021."

Many of the vulnerabilities are known ones for which patches exist, so they can typically be easily fixed. The agencies also recommended a centralized patch management system to prevent such oversights going forward.

Most of the vulnerabilities targeted in 2020 were disclosed during the last two years. "Cyber actor exploitation of more recently disclosed software flaws in 2020 probably stems, in part, from the expansion of remote work options amid the COVID-19 pandemic," said a CISA statement. "The rapid shift and increased use of remote work options, such as virtual private networks (VPNs) and cloud-based environments, likely placed additional burden on cyber defenders struggling to maintain and keep pace with routine software patching."

The vulnerabilities include a number of well publicized ones from major vendors like Citrix, Microsoft, Fortinet, VMware and others, so a good portion of the blame can be placed on those who just aren't being vigilant with patching.

No patches if you do not upgrade to new version

[Canberra1]

Most software companies refuse to supply patches for old versions of software that works just fine. They tell businesses they must upgrade to the newest version that costs double or triple and introduces 'extras' that were not needed before. Plus they now try cloud and CPU price formula increases. No surprise stingy companies stay on 'old' software and risk it. The solution is to buy used software licenses from Germany or Switzerland where no licence bullshittery applies. These countries are ready to fine

Re:

[Alain Williams]

So is that why there is only one vulnerability in an open source product ? But why is that Drupal problem being exploited, there has been a patch available since April 2018 [github.com] ?

The cynic in me wonders what other vulnerabilities that they do not mention as they are the ones that the FBI, CISA, ... exploit themselves.

Re:

[jellomizer]

It is really a shame that we are forced upgrades. For most of the stuff in terms of technology the products that are 10 or even 20 years old can do the work. But the software industry is so corrupt that we need to always upgrade or face the wrath of being a security risk.

Re:

[bjwest]

Most software companies refuse to supply patches for old versions of software that works just fine. They tell businesses they must upgrade to the newest version that costs double or triple and introduces 'extras' that were not needed before. Plus they now try cloud and CPU price formula increases. No surprise stingy companies stay on 'old' software and risk it.

Stingy companies refuse to give in to greedy companies. Who's really to blame here? The company that doesn't want to pay for unneeded feature bloat, or the company that's needlessly bloating their product, so they can charge more? It's easy to say "well, if you can't afford to upgrade your software then you don't need to be in business", but if you put that same logic into the pharma industry and say "well, if you can't afford your medication, then you don't deserve to live", it sheds a whole new light o

Re:

[serafean]

This might also be our fault. As in developer's.

Most of us love creating features, but most software is pretty much done at some point. And enters maintenance mode. Which we don't like. No fun there: Nothing to show for it (no new bling), and only looking for obscure code paths. With personnel churn, eventually most people who know the product by heart are gone. And hell breaks loose. I've seen this happen...

Hell it's the same reason why bridges are slowly crumbling in the west: maintenance doesn't present

Re:

[bjwest]

I totally agree. IIRC, there was a time when writing comments in code was encouraged, now they teach to write code so it doesn't need comments and forgo any explanation as to what your code does or is trying to do. This inevitably leads to developers who don't know how to write comments, getting sloppy with their variable and method names and creating spaghetti code that even they can't follow a few months down the road.

I must admit, though, I'm guilty of not comment my code myself if I'm in a hurry, but

Re:

[aaarrrgggh]

We upgraded our ASA back in 2018 for this reason— going to a cheaper and more powerful IKEv2 alternative. But we could do it because of our Linux experience; our MSP wanted to push us into a solution that was about 20x more expensive back then, and as the pandemic started they pushed for a cloud based solution that was nearly 100x the cost.

Our annual IT budget runs at about 5% of revenue, which is reasonably healthy. These more expensive solutions would force a 20% increase in our costs, which is unsu

Re:

[antdude]

Yep. I miss the old days when they supported older versions without new features (v1.0 -> v1.1). Newer major versions would have new features (e.g., v1 -> v2).

As expected

[phantomfive]

The vulnerabilities include a number of well publicized ones from major vendors like Citrix, Microsoft, Fortinet, VMware and others

These are the companies I would expect to have the most vulnerabilities, because the employees have no incentive to avoid them.

Re:

[i.r.id10t]

I think it was the Fortinet one that wanted to replace the core SSL libraries on my Linux desktop and laptop... I noped out, and use a SSH tunnel with some port forwarding and a dynamic socks proxy instead

Re:

[BardBollocks]

Fortinet suffed the 'heartbleed bug' - to me that indicates it is NSL'd and backdoored.

Enterprise Network Security is screwed up...

[Junta]

So for one, use of a VPN generally implies that a company has a 'trusted' network. In my experience, believing in a trusted network means pretty nice and peaceful existence for a long time, then utter catastrophe when someone on the trusted network falls prey to malware and just ruins the day of all sorts of poorly secured systems on the formerly 'trusted' networks. Set up and consistently use a certificate authority? Nah just rely on everyone clicking 'trust this site'. Set up secure multi-factor authent

Re:

[jonwil]

I suspect a big part of the reason patch management is so screwed up in the corporate world is because they are scared of a patch breaking some critical line-of-business application and so they want to spend who knows how long testing everything and making sure its OK (by which time the next patch is already out).
 

Re:

[Junta]

Yes, this is one facet of patch management that really falls apart around security problems in particular.

You have some 'unknown risk' with a new patch, and that always is seen as unacceptable even in the face of pretty dire known risk.

Often, the in-house test process for a patch isn't even that comprehensive anyway. With some familiarity in this area, I don't remember the last time the team at our work actually caught a problem with a patch before rolling it out (basically, the in house testing of patches

CISA doesn't have a clue

[takionya]

CISA doesn't have a clue, like most government departments. They do make sure to spend their entire annual budget, else they'll get less next year.

You don't need a VPN if you don't have a network.

[FictionPimp]

The place I work for is 100% remote and we use 100% SaaS services secured with a cloud IDM provider, hardware MFA, and good old TLS. What exactly would a VPN do for us?

There is no office, no datacenter, no servers directly under our control. What would we even VPN to?