CISA warns about 15 actively exploited vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has added 15 more vulnerabilities to its catalog of flaws that are actively exploited in the wild by hackers. Some are older dating back to 2014, but two are from the past two years and are in Windows components.

“These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise,” the agency said in its advisory. The CISA Known Exploited Vulnerabilities Catalog is updated regularly based on observations from real world attacks and each flaw receives a deadline by which federal agencies have an obligation to patch it on their systems.

SeriousSAM and privilege escalation

One of the flaws that were just added to the list is CVE-2021-36934, which is also known in the security community as SeriousSAM because it’s located in the ​​Microsoft Windows Security Accounts Manager (SAM). This vulnerability has a CVSS severity score of 8 out of 10 and its impact is described as privilege escalation on Windows 10 systems.

The flaw stems from improper file access permissions on the file that stores the SAM database, allowing attackers with low privilege access to extract password hashes for other accounts, including the SYSTEM one and execute code with elevated privileges. The flaw was reported publicly in July 2021, forcing Microsoft to issue an out-of-band patch at the time.

Researchers also showed that it’s possible to exploit CVE-2021-36934 to extract hashes which could then allow the remote execution of code with SYSTEM privileges on other systems, making the flaw a serious risk for lateral movement inside environments.

CISA assigned a patch deadline of February 24 for it despite being the newest vulnerability on the list and despite the other ones receiving a patch deadline of August 10. This suggests that the agency sees this as an immediate high risk even though it’s a privilege escalation flaw.

Privilege escalation vulnerabilities have lower severity scores than remote code execution ones because they require the attacker to already obtain some level of access to a system. However, this is a low bar considering the multitude of ways in which attackers could get their code to execute on a system: email phishing, drive-by downloads, exploitation of vulnerabilities in low-privileged apps and services, social engineering, etc. Privilege escalation flaws are an essential part of modern exploit chains and should be treated just as seriously as remote code execution ones.

SMB remote code execution

The second most recent flaw added to the list by CISA is CVE-2020-0796 and is rated critical. This flaw was patched by Microsoft in March 2020 and stems from the way the SMBv3 protocol handles certain requests with compression. It can result in remote code execution, both from clients to a server or from a server to clients and impacts Windows 10 and Windows Server core installations.

SMB remote code execution flaws are dangerous because SMB is the main protocol that sits at the core of all Windows networks, enabling file sharing, printer sharing, network browsing and service-to-service communication. In the past, SMB exploits like EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0145) enabled global ransomware warms like WannaCry that caused billions in damages. In fact, EternalBlue and EternalRomance are also among the 15 flaws that were added to the catalog.

The other flaws

The list of vulnerabilities added to the catalog impact a variety of common enterprise software, from operating systems like Windows and Apple’s OS X, to automation servers like Jenkins, development frameworks like Apache Struts, web application servers like Oracle WebLogic, the Apache ActiveMQ open-source message broker and even router firmware. The full list is:

• CVE-2021-36934 – Microsoft Windows SAM Local Privilege Escalation Vulnerability
• CVE-2020-0796 – Microsoft SMBv3 Remote Code Execution Vulnerability
• CVE-2018-1000861 – Jenkins Stapler Web Framework Deserialization of Untrusted Data Vulnerability
• CVE-2017-9791 – Apache Struts 1 Improper Input Validation Vulnerability
• CVE-2017-8464 – Microsoft Windows Shell (.lnk) Remote Code Execution Vulnerability
• CVE-2017-10271 – Oracle Corporation WebLogic Server Remote Code Execution Vulnerability
• CVE-2017-0263 – Microsoft Win32k Privilege Escalation Vulnerability
• CVE-2017-0262 – Microsoft Office Remote Code Execution Vulnerability
• CVE-2017-0145 – Microsoft SMBv1 Remote Code Execution Vulnerability
• CVE-2017-0144 – Microsoft SMBv1 Remote Code Execution Vulnerability
• CVE-2016-3088 – Apache ActiveMQ Improper Input Validation Vulnerability
• CVE-2015-2051 – D-Link DIR-645 Router Remote Code Execution
• CVE-2015-1635 – Microsoft HTTP.sys Remote Code Execution Vulnerability
• CVE-2015-1130 – Apple OS X Authentication Bypass Vulnerability
• CVE-2014-4404 – Apple OS X Heap-Based Buffer Overflow Vulnerability