Kenna Security is now part of Cisco

|Learn more

Introducing Kenna’s Vuln of the Month Series

Feb 10, 2021
Jerry Gamblin
Director of Security Research at Kenna Security

Share with Your Network

Yesterday was Patch Tuesday, so we’re calling today Exploit Wednesday. And with that, today we launch a new monthly blog series from Kenna Security. We call it Vuln of the Month. It’s an opportunity for those of us on the data science research team to spotlight a named CVE that may not already be on your radar screen, but probably should be. 

Every month, we’ll call out a vuln of special interest that we’re following here at Kenna, and why you should be paying attention as well. We’re basing our assessment on various factors, including evidence of actual exploits, gleaned from data-driven threat and vulnerability intelligence, as well as our assessment of the vuln’s potential for widespread impact. In other words, all the things that make a vuln worthy of a closer look.

This month’s vuln: CVE-2021-1647

Kenna Security’s research team is following closely a remote code execution vulnerability in Microsoft Defender (CVE-2021-1647). Our research shows that CVE-2021-1647 meets most of the criteria we look for to be widely exploited. We’ve listed these criteria by their significance in assessing the risk of this vuln.

  • Exploit code published: Yes
  • Active exploits observed: Yes
  • Attack volume: High
  • Attack velocity: High
  • Malware exploitable: Yes
  • Potential attack surface: > 1 billion
  • Potential impact on availability: Complete
  • Access complexity: Low
  • Authentication/privilege requirements: Low
This graph illustrates that 4.62% of observed vulnerabilities have a higher risk score than CVE-2021-1647.

As the graph above illustrates, only 4.62% of observed vulnerabilities have a higher risk score than CVE-2021-1647.

Why CVE-2021-1647 matters

This past month, security execs and media outlets have paid a lot of attention to recent vulnerabilities in software from SonicWall (CVE-2021-20016), SAP (CVE-2020-6207), Oracle (CVE-2021-2109), and SUDO (CVE-2021-3156). So chances are, you’re already either working to remediate those vulns or at least assess whether they are likely to create a risk to your environment.

We believe CVE-2021-1647 is deserving of the same attention. This vuln has the potential to have a widespread impact. For instance, the bar is low for both attack complexity and privileges required to exploit the vuln. Microsoft notes that a successful exploit, which can be executed remotely or simply by phishing an unsuspecting user into opening the wrong file, can result in “the attacker being able to fully deny access to resources in the impacted component.” 

Windows Defender is installed by default on the more than 1 billion Windows 10 devices, making it a massive target. And with POC code known to be released, we have already seen it actively used by bad actors.  

Bottom line

We would not be surprised to see this Windows Defender vulnerability find its way into most offensive toolkits and used in malware and ransomware in the future.

Mitigation status

Microsoft published security updates to address CVE-2021-1647 on Patch Tuesday, Jan. 12, 2021. 

Watch this space for future Vuln of the Month spotlights. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our real-time vulnerability intelligence powered by machine learning. 

Read the Latest Content

Threat Intelligence

CVE 2020 0601 FAQ

A major vulnerability CVE-2020-0601 in the Windows CryptoAPI (crypt32.dll) component has generated has brought a lot of questions to Kenna. Learn more!...
READ MORE
Research

10-Year Cybersecurity Wrap-up and 2021 Trends to Watch

The pandemic dominates current conversations, but events of the last decade and their impact on cybersecurity can reveal insights into the future.
READ MORE
Trending Vulns

Are We Patching CVE-2020-0688 (the Microsoft Exchange RCE) Fast Enough?

Understand how remediation teams were doing against cve-2020-0688. Get tips now on how to deal with CVE 2020 0688.
READ MORE
FacebookLinkedInTwitterYouTube

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.