Blast from the Past! Working from home leads to uptick in Remote Access Vulnerability Trends

by May 20, 2020

Back in May of 2019, CVE-2019-0708, codenamed BlueKeep, was publicly disclosed and became one of the most talked-about, high-profile vulnerabilities of the decade. Then in August of 2019, BlueKeep received a second wave of hype when a second set of similar vulnerabilities was identified and made public. BlueKeep became such a high-profile vulnerability because of three main factors: it is a “wormable” Remote Code Execution (RCE) vulnerability, it affects a huge portion of recent versions of Windows and Windows Server, and it affects a very commonly used Remote Access Service (RAS), Remote Desktop Protocol (RDP).

Fast forward to today, where the reliance on technology like RDP and other Remote Access Services has never been higher, and it becomes obvious why BlueKeep has yet again trended as recently as March 28th of this year.

Remote Access Services, such as Remote Desktop Protocol and Secure Shell (SSH), have always been major targets for adversaries. Unauthorized access to a host through a RAS can be as damaging to an organization as compromising a VPN. Yet again, it is easy to see why BlueKeep and other RAS vulnerabilities are trending. A major portion of the global workforce is operating remotely and reliant on technology like RDP, SSH, and other RAS.

However, Microsoft is not the only remote access vendor being actively targeted by attackers. We extended our research to cover the top vendors in the market affected by remote access-related Common Vulnerabilities and Exposures (CVEs) over the last 10 years.

RAS Weaponization by Vendor

TeamViewer is affected by 8 CVEs, the highest CVE count among the top remote access providers. Ranked by the average Common Vulnerability Scoring System (CVSS) v3 base score of the vulnerabilities affecting their products, the top three remote access vendors are BeyondTrust (10), Microsoft (9.8), and TightVNC (9.23).

Across the 23 remote access products we analyzed, 72 vulnerabilities were discovered over the past 10 years, 11 of which were weaponized. One noteworthy observation that did not make headline news is that ConnectWise had more weaponized vulnerabilities than any other remote access vendor in the market. Of the 11 weaponized remote access CVEs, three affected ConnectWise: two were web application vulnerabilities and one was a remote code execution (RCE) vulnerability.

Of the top eight remote access vendors, seven (LogMeIn, BeyondTrust, Microsoft, SolarWinds, Mobatek, TeamViewer, and ConnectWise) have had at least one vulnerability weaponized in the last 10 years. Of those seven vendors, only TightVNC and Microsoft had weaponized CVEs in 2019.

RAS Weaponization by Year

Seven of the 11 weaponized CVEs allow remote code execution (RCE) or privilege escalation (PE), which are critical capabilities that attackers use to breach defenses. A majority of the weaponized vulnerabilities have occurred since 2017, with 2017 having the highest number of weaponized CVEs and 2019 having the most total vulnerabilities. While 2019 and 2020 seem to have oddly low counts of weaponized CVEs, it is important to remember that many factors can contribute to this, including a latency issue. BlueKeep illustrates the point: a dangerous remote access vulnerability first disclosed in May of 2019 was trending most recently on March 28th, 2020. With this in mind, we expect more vulnerabilities to become weaponized in the future and strongly urge organizations to take a second look at their security posture. Organizations should pay special attention to BlueKeep (CVE-2019-0708) and should also be aware of the vulnerability status of other remote access products.

Trending Remote Access Vulnerability

| CVE | Attack Classification | Vendor | Product |
| --- | --- | --- | --- |
| CVE-2019-0708 | RCE | Microsoft | Windows 7, Windows 8, Windows 10, Windows Vista, Windows XP, Windows Server 2000, Windows Server 2003, Windows Server 2008 |

Contributing authors: Daniel Peterson and Taylor Wong