May 6, 2021

    Federal Government Cybersecurity Roundup - May 2021

    Staying on top of cybersecurity news can seem like a daunting task in today’s rapidly-evolving world of cyber threats. That’s why we’re summarizing the most relevant cybersecurity vulnerabilities, advisories, and news for our many U.S. federal government customers. This post also offers insight on how customers can use Axonius to easily find devices affected by these vulnerabilities.

    Vulnerabilities and Advisories

    RTOS Security Vulnerabilities

    This advisory details vulnerabilities found in multiple real-time operating systems and supporting libraries. Those operating systems and libraries are widely used in IoT and medical devices, OT devices, and industrial control systems. Threat actors could exploit these vulnerabilities (dubbed BadAlloc) for remote code injection or execution.

    Investigating the RTOS Vulnerabilities With Axonius

    The vulnerabilities in this advisory span 25 different RTOS products and versions. Manually identifying devices running these products and the affected versions would be time-consuming. There are many ways to discover devices with potentially vulnerable software using Axonius.

    It’s likely you’d know which of the 25 affected products your organization owns and runs. That narrows the search, and you can then take one of the approaches above to identify the devices.

    If you weren’t sure which products your organization had or wanted to double check, you could add all of these products and versions into a large complex query in Axonius. The results would bring back only the devices with the affected software and versions that you specify.

    SonicWall Vulnerabilities

    SonicWall published patches to mitigate three zero-day vulnerabilities affecting its hosted and on-premises email security products. An attacker could exploit these vulnerabilities (CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023) to take full control over a vulnerable system.

    Finding Devices Running Affected Versions of SonicWall Email Security With Axonius

    There are multiple ways to identify devices affected by the SonicWall vulnerabilities with Axonius. The vulnerabilities affect versions of SonicWall email security products earlier than version 10.0.9. To find devices running these versions of SonicWall, you could conduct a complex query, which means that all of the query parameters need to be true in order for the query to return results.

    For this complex query, you could select “Installed Software” and search for SonicWall and versions earlier than 10.0.9. Any devices running a SonicWall version earlier than 10.0.9 will be shown in the query results.

    AQL: ("" == match([("name" == regex("SonicWall", "i")) and ("version_raw" < '0000000100000000000000009')]))

    Pulse Connect Secure Vulnerabilities

    Pulse Connect Secure resolved multiple vulnerabilities (including three new CVEs — CVE-2021-22894, CVE-2021-22899, and CVE-2021-22900) discovered in their products. According to a Reuters article, these vulnerabilities have been used to target U.S. government, defense, and financial organizations. Threat actors leveraged these vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and CVE-2021-22893, to gain initial access.

    Finding Pulse Connect Secure Vulnerabilities With Axonius

    An easy way to identify Pulse Connect Secure vulnerabilities (if you’ve run a recent vulnerability scan and have connected vulnerability scanners in the Axonius platform) is to search for the new CVEs disclosed for Pulse Connect Secure.

    This query will return results if any of the vulnerabilities are observed on devices by any adapter connected in Axonius.

    AQL: ("" == "CVE-2019-11510") or ("" == "CVE-2020-8260") or ("" == "CVE-2020-8243") or ("" == "CVE-2021-22893")

    If you don’t have the ability to search by CVE but you’re tracking installed software applications in your Axonius dashboard, you can filter results and sift through all Pulse Connect Secure software without running a new query.

    VMWare Security Updates

    VMware released a security update to address a vulnerability (CVE-2021-21982) in VMware Carbon Black Cloud Workload appliance. A malicious actor could exploit this vulnerability to take control of an affected system.

    Finding VMware Carbon Black Cloud Workload Vulnerabilities With Axonius

    Based on the security alert from VMware, it appears the affected Carbon Black Cloud Workload appliances are Linux-based. Since this information and the affected version numbers are known, you can conduct a complex query in Axonius to find the devices running the affected versions on the affected operating system.

    You would select the complex query for “Installed Software” and add lines for “Software Vendor” equals VMware, software name contains “Carbon Black Cloud”, and “Software Version” earlier than 1.0.1. This would return all devices with VMware Carbon Black software that meets these parameters, not only Linux devices. To narrow the results to only the affected devices, you could add a separate line for “OS:Type” equals Linux. This query would then return all Linux devices running the affected versions of VMware Carbon Black Cloud Workload appliances.
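    The four queries described in this post (the RTOS multi-product query, the SonicWall “version earlier than 10.0.9” query, the Pulse Connect Secure CVE search, and the VMware Carbon Black compound query) all reduce to the same handful of predicates over inventory records. The following Python is an added example, not Axonius code and not its query language: it evaluates those predicates locally against a constructed sample inventory. The record layout (hostname, os_type, installed_software, cves), the hostnames and versions, and the 8-digit, 4-component padding used for version comparison are all assumptions made for illustration; the post’s zero-padded AQL literal shows the idea, but the exact width Axonius uses is not asserted here.

```python
"""Added example, not Axonius code: the installed-software and CVE queries
described in this post, evaluated locally against constructed asset records."""
import re

# Constructed sample inventory shaped like aggregated device records: installed
# software entries, OS type, and CVE identifiers reported by scanners.
# Every hostname, version and finding below is made up for illustration.
DEVICES = [
    {"hostname": "mail-gw-01", "os_type": "Linux", "cves": [],
     "installed_software": [{"vendor": "SonicWall", "name": "SonicWall Email Security", "version": "10.0.8"}]},
    {"hostname": "mail-gw-02", "os_type": "Linux", "cves": [],
     "installed_software": [{"vendor": "SonicWall", "name": "sonicwall email security", "version": "10.0.10"}]},
    {"hostname": "vpn-edge-01", "os_type": "Other", "cves": ["CVE-2021-22893"],
     "installed_software": []},
    {"hostname": "cbc-appl-01", "os_type": "Linux", "cves": [],
     "installed_software": [{"vendor": "VMware", "name": "Carbon Black Cloud Workload", "version": "1.0.0"}]},
    {"hostname": "cbc-test-win", "os_type": "Windows", "cves": [],
     "installed_software": [{"vendor": "VMware", "name": "Carbon Black Cloud Workload", "version": "1.0.0"}]},
]

COMPONENTS = 4   # version components kept (assumption for this example)
WIDTH = 8        # zero-padded digits per component (assumption)


def version_raw(version: str) -> str:
    """Normalise a dotted version into a fixed-width, zero-padded string so that
    ordinary string comparison orders versions numerically. This is the idea
    behind the padded literal in the post's SonicWall AQL; the exact width
    Axonius uses is not asserted here. Naive string comparison gets
    "10.0.10" < "10.0.9", which is why the padding is needed."""
    parts = []
    for comp in version.split(".")[:COMPONENTS]:
        m = re.match(r"\d+", comp)                 # "9b" -> 9, "rc1" -> 0
        parts.append(int(m.group()) if m else 0)
    parts += [0] * (COMPONENTS - len(parts))       # "10.0" compares like "10.0.0.0"
    return "".join(f"{p:0{WIDTH}d}" for p in parts)


def software_matches(sw, name_regex=None, vendor=None, version_before=None):
    """All given criteria must hold for one installed-software entry."""
    if name_regex and not re.search(name_regex, sw["name"], re.IGNORECASE):
        return False
    if vendor and sw["vendor"].lower() != vendor.lower():
        return False
    if version_before and not version_raw(sw["version"]) < version_raw(version_before):
        return False
    return True


def find_by_software(devices, os_type=None, **criteria):
    """Complex (AND) query: a device is returned only if one of its software
    entries satisfies every criterion and, if given, its OS type matches."""
    return [d["hostname"] for d in devices
            if (os_type is None or d["os_type"] == os_type)
            and any(software_matches(sw, **criteria) for sw in d["installed_software"])]


def find_by_any_software(devices, criteria_list):
    """OR across several product/version criteria, like the one large query the
    RTOS section suggests for checking many affected products at once."""
    hits = []
    for crit in criteria_list:
        hits += [h for h in find_by_software(devices, **crit) if h not in hits]
    return hits


def find_by_cves(devices, cves):
    """Devices on which any adapter reported one of the given CVE ids. Identifiers
    are stripped and upper-cased: a stray leading space in a query literal would
    otherwise silently match nothing."""
    wanted = {c.strip().upper() for c in cves}
    return [d["hostname"] for d in devices
            if wanted & {c.strip().upper() for c in d["cves"]}]


if __name__ == "__main__":
    print("SonicWall < 10.0.9:", find_by_software(DEVICES, name_regex="SonicWall", version_before="10.0.9"))
    print("Carbon Black Cloud < 1.0.1 on Linux:",
          find_by_software(DEVICES, os_type="Linux", vendor="VMware",
                           name_regex="Carbon Black Cloud", version_before="1.0.1"))
    print("Pulse Secure CVEs:", find_by_cves(DEVICES, ["CVE-2019-11510", " CVE-2020-8260",
                                                       " CVE-2020-8243", " CVE-2021-22893"]))
```

    The point worth checking in your own tooling is the version comparison: `mail-gw-02` runs 10.0.10, which a plain string comparison would wrongly rank below 10.0.9 and flag as vulnerable, while the padded form orders it correctly. The CVE search also normalises whitespace and case, so a copied identifier with a stray leading space still matches.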

    Fortinet FortiOS Vulnerability

    This Joint Cybersecurity Advisory from the FBI and CISA provides an overview of how APT actors are actively exploiting known Fortinet FortiOS vulnerabilities (CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591) to gain initial access to multiple government, commercial, and technology services. It also offers mitigation strategies.

    Checking Fortinet FortiOS Vulnerability Mitigations With Axonius

    For the Fortinet FortiOS vulnerabilities, we want to show how to use Axonius to validate whether mitigation measures have been taken after vulnerabilities have been discovered.

    FBI and CISA recommended 15 mitigation actions that organizations affected by the FortiOS vulnerabilities should take. Several of these can be validated using Axonius. Here are a couple of example queries:

    • Identifying devices that haven’t installed the recommended patches:
      • FBI and CISA recommend to immediately patch CVEs 2018-13379, 2020-12812, and 2019-5591. Using the Axonius query wizard, you can conduct a query for devices with vulnerable software that haven’t installed security patches in a certain timeframe. This can be kept broad to identify devices with any vulnerable software that haven’t installed patches in the specified timeframe, or you could narrow it down to the specific software or patch by name or identifier.


    • Audit user accounts with administrative privileges and configure access controls with least privilege in mind:
      • FBI and CISA recommend auditing admin users and their privileges, and reconfiguring access controls based on the findings. Axonius can identify users and specific user attributes based on the connected adapters that pull in user data. To identify all admin users, a simple “Is Admin” equals true query on the user table can be conducted.

      • After you have an inventory of all admin users, you can dive deeper into them and conduct queries looking at their specific privileges, password changes, associated devices, and more.
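    To make the two checks above concrete, here is an added Python example (not Axonius code, and not the FBI/CISA guidance itself) that evaluates them against constructed device and user records: which devices reporting one of the FortiOS CVEs have not installed a patch within a chosen window, and which admin accounts have stale passwords and what devices they are associated with. The record fields, the 30-day and 90-day thresholds, and the reference date of May 6, 2021 are assumptions chosen for illustration.

```python
"""Added example, not Axonius code: validating two FortiOS mitigation items
(patching and admin-account review) against constructed inventory records."""
from datetime import date, timedelta

# Constructed device records: CVEs reported by scanners and the date the last
# security patch was installed (None means no patch record at all). Made up.
DEVICES = [
    {"hostname": "fw-edge-01", "cves": ["CVE-2018-13379"], "last_patch": date(2021, 4, 30)},
    {"hostname": "fw-edge-02", "cves": ["CVE-2018-13379", "CVE-2020-12812"], "last_patch": date(2021, 1, 15)},
    {"hostname": "fw-lab-01", "cves": ["CVE-2019-5591"], "last_patch": None},
    {"hostname": "web-01", "cves": [], "last_patch": date(2020, 12, 1)},
]

# Constructed user records in the shape of an aggregated user table. Made up.
USERS = [
    {"username": "jdoe", "is_admin": True, "password_last_set": date(2021, 4, 1), "devices": ["fw-edge-01"]},
    {"username": "svc-backup", "is_admin": True, "password_last_set": date(2019, 6, 1), "devices": ["fw-edge-02", "web-01"]},
    {"username": "asmith", "is_admin": False, "password_last_set": date(2021, 3, 1), "devices": ["web-01"]},
]

# The three CVEs the advisory says to patch immediately.
FORTIOS_CVES = {"CVE-2018-13379", "CVE-2020-12812", "CVE-2019-5591"}


def unpatched_vulnerable(devices, cves, within_days, today):
    """Devices reporting any of `cves` whose last patch is older than
    `within_days` days, or that have no patch record at all. A missing record
    is treated as unpatched rather than skipped so it cannot hide."""
    cutoff = today - timedelta(days=within_days)
    out = []
    for d in devices:
        if not cves & set(d["cves"]):
            continue
        if d["last_patch"] is None or d["last_patch"] < cutoff:
            out.append(d["hostname"])
    return out


def admin_users(users):
    """The "Is Admin equals true" query: only an explicit True counts, so a
    missing or null attribute from an adapter is not mistaken for admin."""
    return [u["username"] for u in users if u.get("is_admin") is True]


def stale_admin_passwords(users, max_age_days, today):
    """Admin accounts whose password is older than max_age_days, mapped to the
    devices they are associated with, as a starting point for the deeper review
    the post describes."""
    cutoff = today - timedelta(days=max_age_days)
    admins = set(admin_users(users))
    return {u["username"]: u["devices"] for u in users
            if u["username"] in admins and u["password_last_set"] < cutoff}


if __name__ == "__main__":
    today = date(2021, 5, 6)  # reference date for this example (assumption)
    print("Vulnerable, not patched in 30 days:", unpatched_vulnerable(DEVICES, FORTIOS_CVES, 30, today))
    print("Admin users:", admin_users(USERS))
    print("Admins with passwords older than 90 days:", stale_admin_passwords(USERS, 90, today))
```

    Treating a missing patch record as a finding, rather than silently dropping the device, is the choice that matters most here: a device with no patch data at all is exactly the one you want surfaced during a mitigation check.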

    Analysis Reports and Guidance

    • (4.22.2021) CISA Incident Response to SUPERNOVA Malware

      This report provides tactics, techniques, and procedures CISA observed during an incident response engagement following an APT actor’s long-time compromise of an entity’s enterprise network. The threat actor connected to the entity’s network via the Pulse Secure VPN appliance.

    Relevant News
