Introducing Kenna’s Vuln of the Month Series

Feb 10, 2021
Jerry Gamblin
Director of Security Research at Kenna Security


Yesterday was Patch Tuesday, so we’re calling today Exploit Wednesday. And with that, today we launch a new monthly blog series from Kenna Security. We call it Vuln of the Month. It’s an opportunity for those of us on the data science research team to spotlight a named CVE that may not already be on your radar screen, but probably should be. 

Every month, we’ll call out a vuln of special interest that we’re following here at Kenna, and why you should be paying attention as well. We’re basing our assessment on various factors, including evidence of actual exploits, gleaned from data-driven threat and vulnerability intelligence, as well as our assessment of the vuln’s potential for widespread impact. In other words, all the things that make a vuln worthy of a closer look.

This month’s vuln: CVE-2021-1647

Kenna Security’s research team is closely following a remote code execution (RCE) vulnerability in Microsoft Defender, CVE-2021-1647. Our research shows that CVE-2021-1647 meets most of the criteria we look for in a vuln that is likely to be widely exploited. We’ve listed these criteria in order of their significance in assessing the risk of this vuln.

  • Exploit code published: Yes
  • Active exploits observed: Yes
  • Attack volume: High
  • Attack velocity: High
  • Malware exploitable: Yes
  • Potential attack surface: > 1 billion
  • Potential impact on availability: Complete
  • Access complexity: Low
  • Authentication/privilege requirements: Low

[Graph: distribution of Kenna risk scores; only 4.62% of observed vulnerabilities score higher than CVE-2021-1647.]

As the graph above illustrates, only 4.62% of observed vulnerabilities have a higher risk score than CVE-2021-1647.

Why CVE-2021-1647 matters

This past month, security execs and media outlets have paid a lot of attention to recent vulnerabilities in software from SonicWall (CVE-2021-20016), SAP (CVE-2020-6207), Oracle (CVE-2021-2109), and sudo (CVE-2021-3156). So chances are, you’re already either working to remediate those vulns or at least assessing whether they are likely to create a risk to your environment.

We believe CVE-2021-1647 deserves the same attention. This vuln has the potential for widespread impact: the bar is low for both attack complexity and the privileges required to exploit it. Microsoft notes that a successful exploit, which can be triggered remotely or simply by phishing an unsuspecting user into opening the wrong file, can result in “the attacker being able to fully deny access to resources in the impacted component.” That quote covers only the availability impact. The flaw is rated as remote code execution in the Microsoft Malware Protection Engine, which runs as SYSTEM and scans files as they land on disk, so the attacker’s job is to get a crafted file scanned, not to get a user to execute it.

Windows Defender is installed by default on more than 1 billion Windows 10 devices, making it a massive target. And with PoC code known to have been released, we have already seen it actively used by bad actors.

Bottom line

We would not be surprised to see this Windows Defender vulnerability find its way into most offensive toolkits and used in malware and ransomware in the future.

Mitigation status

Microsoft published security updates to address CVE-2021-1647 on Patch Tuesday, Jan. 12, 2021. The fix ships as an update to the Microsoft Malware Protection Engine, which Defender pulls through its normal definition update channel rather than as a separate Windows Update package. Hosts with automatic definition updates enabled should already have it; hosts where updates are disabled or blocked (isolated networks, images built from an old baseline) need to be checked and updated by hand.
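A quick way to confirm the engine update has actually landed on a host, as an added example that is not part of the original Kenna post. It uses the built-in Defender cmdlets (`Get-MpComputerStatus`, `Update-MpSignature`). The threshold `1.1.17700.4` is assumed to be the first fixed engine version listed in Microsoft’s advisory for CVE-2021-1647; confirm it against the advisory before relying on it.

```powershell
# Added example (not from the Kenna post): verify that Microsoft Defender on this host
# has received the Malware Protection Engine update that fixes CVE-2021-1647.
# Assumption: 1.1.17700.4 is the first fixed engine version in Microsoft's advisory;
# check the advisory and adjust if your records differ.
$FixedEngineVersion = [version]'1.1.17700.4'

function Test-DefenderEngineFixed {
    param([version]$MinimumVersion = $FixedEngineVersion)

    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion

    # AMServiceEnabled is false when a third-party AV has taken over and Defender is
    # passive; the engine is still present, so it still needs to be at the fixed version.
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DefenderActive     = $status.AMServiceEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        EngineVersion      = $engine
        SignatureAgeDays   = $status.AntivirusSignatureAge
        EngineUpToDate     = ($engine -ge $MinimumVersion)
    }
}

$result = Test-DefenderEngineFixed
$result | Format-List

if (-not $result.EngineUpToDate) {
    # Engine updates arrive through the definition update channel, so pulling
    # signatures now is the same action that delivers the fixed engine.
    Update-MpSignature
    Test-DefenderEngineFixed | Format-List
}
```

For a fleet, wrap `Test-DefenderEngineFixed` in `Invoke-Command -ComputerName` and filter on `EngineUpToDate -eq $false`; a high `SignatureAgeDays` on the same hosts is the usual sign that update traffic is being blocked rather than that the patch is merely late.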

Watch this space for future Vuln of the Month spotlights. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our real-time vulnerability intelligence powered by machine learning. 
