The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 95 vulnerabilities to its list of actively exploited security issues, the largest number since issuing the binding operational directive (BOD) last year.
Despite some of them being known for almost two decades, the agency notes that the bugs “pose significant risk to the federal enterprise.”
Recent critical bugs on the list
As per BOD 22-01 for reducing the risk from known exploited vulnerabilities, federal agencies are given a little over three weeks to patch the newly added 95 security flaws, the due date for most of them being March 24th.
For 27 of the vulnerabilities, there is a shorter deadline for patching, March 17th, mainly because they are more recent and affect systems that give access to sensitive information or allow moving to devices on the network. Eight of these bugs come with a high critical severity score of at least 9.8.
| CVE | Vendor/Project | Product |
|---|---|---|
| CVE-2022-20708 | Cisco | Small Business RV160, RV260, RV340, and RV345 Series Routers |
| CVE-2022-20703 | Cisco | Small Business RV160, RV260, RV340, and RV345 Series Routers |
| CVE-2022-20701 | Cisco | Small Business RV160, RV260, RV340, and RV345 Series Routers |
| CVE-2022-20700 | Cisco | Small Business RV160, RV260, RV340, and RV345 Series Routers |
| CVE-2022-20699 | Cisco | Small Business RV160, RV260, RV340, and RV345 Series Routers |
| CVE-2020-1938 | Apache | Tomcat |
| CVE-2019-16928 | Exim | Exim Internet Mailer |
| CVE-2018-0151 | Cisco | IOS and IOS XE Software |
The latest entries in CISA’s catalog of known exploited vulnerabilities impact products mostly from Microsoft (Windows, Office) and Cisco.
However, products from other vendors or projects - Oracle, Adobe, Mozilla, Siemens, Apache, Exim, Linux, Treck TCP/IP stack, and ChakraCore are also present.
Ancient flaws still present
Oddly enough, it looks like federal agencies are still running systems with Adobe Flash Player, although support for the product stopped on the last day of 2020.
Adobe at the beginning of 2021 also blocked Flash content from running in Flash Player and the company “strongly recommends all users immediately uninstall” it due to inherent security risks.
Some of the Flash Player bugs CISA identified come with a critical-severity score of 9.8 out of 10 and are from more than five years old (e.g. CVE-2016-4117 and CVE-2016-1019).
The oldest vulnerability in the list is from 2002, though, a privilege escalation vulnerability tracked as CVE-2002-0367 that affects the smss.exe debugging subsystem in Windows NT and Windows 2000 Windows.
The table below lists the oldest 10 vulnerabilities that CISA added this week to its Known Exploited Vulnerabilities Catalog:
| CVE | Vendor/Project | Product | Vulnerability Name | Short Description |
|---|---|---|---|---|
| CVE-2011-0611 | Adobe | Flash Player | Adobe Flash Player Remote Code Execution Vulnerability | Adobe Flash Player contains a vulnerability which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content. |
| CVE-2010-3333 | Microsoft | Office | Microsoft Office Stack-based Buffer Overflow Vulnerability | A stack-based buffer overflow vulnerability exists in the parsing of RTF data in Microsoft Office and earlier allows an attacker to perform remote code execution. |
| CVE-2010-0232 | Microsoft | Windows Kernel | Microsoft Windows Kernel Exception Handler Vulnerability | The kernel in Microsoft Windows, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges. |
| CVE-2010-0188 | Adobe | Reader and Acrobat | Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability | Unspecified vulnerability in Adobe Reader and Acrobat allows attackers to cause a denial of service or possibly execute arbitrary code. |
| CVE-2009-3129 | Microsoft | Excel | Microsoft Excel Featheader Record Memory Corruption Vulnerability | Microsoft Office Excel allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset. |
| CVE-2009-1123 | Microsoft | Windows | Microsoft Windows Improper Input Validation Vulnerability | The kernel in Microsoft Windows does not properly validate changes to unspecified kernel objects, which allows local users to gain privileges via a crafted application. |
| CVE-2008-3431 | Oracle | VirtualBox | Oracle VirtualBox Insufficient Input Validation Vulnerability | An input validation vulnerability exists in the VBoxDrv.sys driver of Sun xVM VirtualBox which allows attackers to locally execute arbitrary code. |
| CVE-2008-2992 | Adobe | Acrobat and Reader | Adobe Reader and Acrobat Input Validation Vulnerability | Adobe Acrobat and Reader contain an input validation issue in a JavaScript method that could potentially lead to remote code execution. |
| CVE-2004-0210 | Microsoft | Windows | Microsoft Windows Privilege Escalation Vulnerability | A privilege elevation vulnerability exists in the POSIX subsystem. This vulnerability could allow a logged on user to take complete control of the system. |
| CVE-2002-0367 | Microsoft | Windows | Microsoft Windows Privilege Escalation Vulnerability | smss.exe debugging subsystem in Microsoft Windows does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges. |
With the 95 vulnerabilities added this week, CISA's catalog of actively exploited bugs for federal agencies to address has a total of 478 entries.
Applying security updates in as they become available should be a priority for organizations in both the public and the private sector.
The U.S. cybersecurity agency encourages all entities to remediate all security issues added to its catalog to reduce their exposure to cyberattacks.
Post a Comment Community Rules
You need to login in order to post a comment
Not a member yet? Register Now