The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added seven vulnerabilities to its list of bugs actively exploited by hackers, with the new flaws disclosed by Apple. Microsoft, SAP, and Google.
The ‘Known Exploited Vulnerabilities Catalog’ is a list of vulnerabilities shared by CISA that are known to be actively exploited in cyberattacks and must be patched by Federal Civilian Executive Branch (FCEB) agencies.
“Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise,” explains CISA.
“BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats.”
With the addition of these seven vulnerabilities, the catalog now contains 801 CVEs and the date that agencies must have already applied associated patches.
The seven new vulnerabilities added yesterday are listed below, with CISA requiring all of them to be patched by September 8th, 2022.
CVE Number | Vulnerability Title |
---|---|
CVE-2017-15944 | Palo Alto Networks PAN-OS Remote Code Execution Vulnerability |
CVE-2022-21971 | Microsoft Windows Runtime Remote Code Execution Vulnerability |
CVE-2022-26923 | Microsoft Active Directory Domain Services Privilege Escalation Vulnerability |
CVE-2022-2856 | Google Chrome Intents Insufficient Input Validation Vulnerability |
CVE-2022-32893 | Apple iOS and macOS Out-of-Bounds Write Vulnerability |
CVE-2022-32894 | Apple iOS and macOS Out-of-Bounds Write Vulnerability |
CVE-2022-22536 | SAP Multiple Products HTTP Request Smuggling Vulnerability |
How are these bugs used in attacks?
While it’s helpful to know what vulnerabilities are being exploited, no details have been provided on how threat actors use them in attacks. Below we have provided the details we could find about the newly added bugs.
The critical SAP CVE-2022-22536 vulnerability was disclosed by Onapsis in February and assigned a 10/10 severity rating. CISA quickly warned admins to patch the bug as it could lead to data theft, financial fraud risks, disruptions of mission-critical business processes, ransomware attacks, and a halt of all operations.
At this time, it is not known how attackers exploit this bug, but details of the flaw were disclosed at the BlackHat security conference last week and appear to be quickly used by threat actors after the technical details were revealed.
“Yesterday, the US Cybersecurity and Infrastructure Security Agency (CISA) added a critical SAP vulnerability–CVE-2022-22536–to its Known Exploited Vulnerabilities Catalog less than one week after details were disclosed at the Black Hat by Onapsis Research Labs,” explains a new warning on Onapsis’ advisory.
“Though this vulnerability was discovered earlier this year, this validation from CISA shows that organizations should prioritize action immediately.”
Apple released macOS and iOS/iPadOS security updates on Wednesday for the CVE-2022-32893 and CVE-2022-32894 vulnerabilities, explaining that they could be exploited to perform code execution on vulnerable devices.
Apple did not provide details on how they are being abused, but as CVE-2022-32894 allows code to be executed with Kernel privileges, it would allow the complete takeover of the device.
The Google CVE-2022-2856 vulnerability was fixed in Google Chrome 104.0.5112.101, released on Tuesday. While no information has been shared on how hackers exploited it in attacks, vulnerability researcher Hossein Lotfi discovered more details about the bug.
Google Chrome (In-The-Wild) Zero day (CVE-2022-2856) fix. If an intent contains any extras or a data URI and it targets another browser, Google Chrome would open that browser with that URL without prompting:https://t.co/iiDhLShhJv
— Hossein Lotfi (@hosselot) August 18, 2022
Microsoft fixed the CVE-2022-21971 remote code execution vulnerability in the February 2022 Patch Tuesday, but no details are available about how it is being exploited in the wild.
However, CVE-2022-26923 is an Active Directory Domain Services privilege elevation vulnerability fixed in May with technical details about the ‘Certifried’ bug revealed.
These details have allowed researchers, and likely threat actors, to reproduce the exploit.
FWIW, Certifried CVE-2022–26923 works quite well on a default Active Directory configuration.
Normal user -> Domain Admin in a few steps.
There are a few steps after this screenshot. But you can see that I have a certificate for the domain controller, so you get the gist… https://t.co/MYWGxrPJDM pic.twitter.com/XJ6VHWa1YW— Will Dormann (@wdormann) May 11, 2022
Finally, the oldest vulnerability added yesterday is the Palo Altos Networks CVE-2017-15944 remote code execution vulnerability disclosed in 2017.
This vulnerability was disclosed with full tech details, and while it’s surprising that devices are still vulnerable after five years, it’s not surprising that threat actors are abusing the flaw.
It is strongly recommended that all security professionals and admins review the Known Exploited Vulnerabilities Catalog and patch listed bugs within their environment.
Source: www.bleepingcomputer.com