CISA warns organizations to patch 95 actively exploited bugs

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 95 vulnerabilities to its list of actively exploited security issues, the largest number since issuing the binding operational directive (BOD) last year.

Despite some of them being known for almost two decades, the agency notes that the bugs “pose significant risk to the federal enterprise.”

Recent critical bugs on the list

As per BOD 22-01 for reducing the risk from known exploited vulnerabilities, federal agencies are given a little over three weeks to patch the newly added 95 security flaws, the due date for most of them being March 24th.

For 27 of the vulnerabilities there is a shorter patching deadline, March 17th, mainly because they are more recent and affect systems that give access to sensitive information or allow lateral movement to other devices on the network. Eight of these bugs carry a critical severity score of at least 9.8.

| CVE | Vendor/Project | Product |
| --- | --- | --- |
| CVE-2022-20708 | Cisco | Small Business RV160, RV260, RV340, and RV345 Series Routers |
| CVE-2022-20703 | Cisco | Small Business RV160, RV260, RV340, and RV345 Series Routers |
| CVE-2022-20701 | Cisco | Small Business RV160, RV260, RV340, and RV345 Series Routers |
| CVE-2022-20700 | Cisco | Small Business RV160, RV260, RV340, and RV345 Series Routers |
| CVE-2022-20699 | Cisco | Small Business RV160, RV260, RV340, and RV345 Series Routers |
| CVE-2020-1938 | Apache | Tomcat |
| CVE-2019-16928 | Exim | Exim Internet Mailer |
| CVE-2018-0151 | Cisco | IOS and IOS XE Software |

The latest entries in CISA’s catalog of known exploited vulnerabilities impact products mostly from Microsoft (Windows, Office) and Cisco.

However, products from other vendors and projects (Oracle, Adobe, Mozilla, Siemens, Apache, Exim, Linux, the Treck TCP/IP stack, and ChakraCore) are also present.

Ancient flaws still present

Oddly enough, it looks like federal agencies are still running systems with Adobe Flash Player, although support for the product ended on the last day of 2020.

At the beginning of 2021 Adobe also blocked Flash content from running in Flash Player, and the company “strongly recommends all users immediately uninstall” it due to inherent security risks.

Some of the Flash Player bugs CISA identified carry a critical severity score of 9.8 out of 10 and are more than five years old (e.g. CVE-2016-4117 and CVE-2016-1019).

The oldest vulnerability on the list, though, dates from 2002: a privilege escalation flaw tracked as CVE-2002-0367 that affects the smss.exe debugging subsystem in Windows NT and Windows 2000.

The table below lists the oldest 10 vulnerabilities that CISA added this week to its Known Exploited Vulnerabilities Catalog:

| CVE | Vendor/Project | Product | Vulnerability Name | Short Description |
| --- | --- | --- | --- | --- |
| CVE-2011-0611 | Adobe | Flash Player | Adobe Flash Player Remote Code Execution Vulnerability | Adobe Flash Player contains a vulnerability which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content. |
| CVE-2010-3333 | Microsoft | Office | Microsoft Office Stack-based Buffer Overflow Vulnerability | A stack-based buffer overflow vulnerability exists in the parsing of RTF data in Microsoft Office and earlier allows an attacker to perform remote code execution. |
| CVE-2010-0232 | Microsoft | Windows Kernel | Microsoft Windows Kernel Exception Handler Vulnerability | The kernel in Microsoft Windows, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges. |
| CVE-2010-0188 | Adobe | Reader and Acrobat | Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability | Unspecified vulnerability in Adobe Reader and Acrobat allows attackers to cause a denial of service or possibly execute arbitrary code. |
| CVE-2009-3129 | Microsoft | Excel | Microsoft Excel Featheader Record Memory Corruption Vulnerability | Microsoft Office Excel allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset. |
| CVE-2009-1123 | Microsoft | Windows | Microsoft Windows Improper Input Validation Vulnerability | The kernel in Microsoft Windows does not properly validate changes to unspecified kernel objects, which allows local users to gain privileges via a crafted application. |
| CVE-2008-3431 | Oracle | VirtualBox | Oracle VirtualBox Insufficient Input Validation Vulnerability | An input validation vulnerability exists in the VBoxDrv.sys driver of Sun xVM VirtualBox which allows attackers to locally execute arbitrary code. |
| CVE-2008-2992 | Adobe | Acrobat and Reader | Adobe Reader and Acrobat Input Validation Vulnerability | Adobe Acrobat and Reader contain an input validation issue in a JavaScript method that could potentially lead to remote code execution. |
| CVE-2004-0210 | Microsoft | Windows | Microsoft Windows Privilege Escalation Vulnerability | A privilege elevation vulnerability exists in the POSIX subsystem. This vulnerability could allow a logged on user to take complete control of the system. |
| CVE-2002-0367 | Microsoft | Windows | Microsoft Windows Privilege Escalation Vulnerability | smss.exe debugging subsystem in Microsoft Windows does not properly authenticate programs that connect to other programs, which allows local users to gain administrator or SYSTEM privileges. |

With the 95 vulnerabilities added this week, CISA’s catalog of actively exploited bugs for federal agencies to address has a total of 478 entries.

Applying security updates as they become available should be a priority for organizations in both the public and the private sector.

The U.S. cybersecurity agency encourages all entities to remediate all security issues added to its catalog to reduce their exposure to cyberattacks.

Source: https://www.bleepingcomputer.com/news/security/cisa-warns-organizations-to-patch-95-actively-exploited-bugs/
