The Cybersecurity & Infrastructure Security Agency, or CISA, maintains a database of known security vulnerabilities. The goal is to reveal which security flaws are of the highest priority so that federal agencies know how and when to remediate them. But this same information can be used by private sector businesses to get a better handle on their patch management. Toward that end, CISA has added eight new security vulnerabilities that are actively being exploited and should be patched as soon as possible.
On Monday, CISA announced the addition of the new security flaws to its Known Exploited Vulnerabilities Catalog. These vulnerabilities are a tempting target for cybercriminals and thus pose a risk to federal agencies. The catalog itself displays key data on each vulnerability, including the CVE number, product vendor and name, vulnerability name, date added to catalog, short description, the action required to patch the flaw, and the due date by which federal agencies are required to patch it.
Although the catalog and especially the due dates apply only to certain federal agencies, CISA said that it urges all organizations to prioritize the patching of the most critical vulnerabilities in the list.
To see the eight new vulnerabilities at the catalog’s website, click the heading for Date Added to Catalog until you see the list in descending order by date. The eight new ones all carry a date of April 11, 2022, and are described as follows:
- CVE-2022-23176 – WatchGuard Firebox and XTM Privilege Escalation Vulnerability. WatchGuard Firebox and XTM appliances allow a remote attacker with unprivileged credentials to access the system with a privileged management session via exposed management access.
- CVE-2021-42287 – Microsoft Active Directory Domain Services Privilege Escalation Vulnerability. Microsoft Active Directory Domain Services contains an unspecified vulnerability which allows for privilege escalation.
- CVE-2021-42278 – Microsoft Active Directory Domain Services Privilege Escalation Vulnerability. Microsoft Active Directory Domain Services contains an unspecified vulnerability which allows for privilege escalation.
- CVE-2021-39793 – Google Pixel Out-of-Bounds Write Vulnerability. Google Pixel contains a possible out-of-bounds write due to a logic error in the code that could lead to local escalation of privilege.
- CVE-2021-27852 – Checkbox Survey Deserialization of Untrusted Data Vulnerability. Deserialization of Untrusted Data vulnerability in CheckboxWeb.dll of Checkbox Survey allows an unauthenticated remote attacker to execute arbitrary code. Versions 6 and earlier for this product are end-of-life and must be removed from agency networks. Versions 7 and later are not considered vulnerable.
- CVE-2021-22600 – Linux Kernel Privilege Escalation Vulnerability. Linux Kernel contains a flaw in the packet socket (AF_PACKET) implementation, which could lead to incorrectly freeing memory. A local user could exploit this for denial-of-service or possibly for privilege escalation.
- CVE-2020-2509 – QNAP Network-Attached Storage (NAS) Command Injection Vulnerability. QNAP NAS devices contain a command injection vulnerability that could allow attackers to perform remote code execution.
- CVE-2017-11317 – Telerik UI for ASP.NET AJAX Unrestricted File Upload Vulnerability. Telerik.Web.UI in Progress Telerik UI for ASP.NET AJAX allows remote attackers to perform arbitrary file uploads or execute arbitrary code.
Each CVE contains links to the vendor’s website with further details and instructions on how to patch or otherwise resolve the specified vulnerability. CISA has given federal agencies a due date of May 2, 2022, for resolving each of the eight new security flaws. Though that date is obviously not binding on the private sector, businesses and other organizations may still want to use that deadline for their own patch management planning.
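As an added example (not code from the article or from CISA), the short Python script below applies the catalog fields the article lists to a local asset inventory: it picks out the entries that affect products you run, counts the days left until CISA's federal due date, and flags entries whose required action is removal of an end-of-life product rather than a patch. The record field names (cveID, vendorProject, product, vulnerabilityName, dateAdded, shortDescription, requiredAction, dueDate) follow the KEV JSON feed as I know it and should be treated as an assumption; the sample entries, inventory and reference date are constructed.

```python
from datetime import date

# Constructed sample in the shape of the KEV JSON feed (field names follow the
# feed as I know it). Uses three of the eight April 11, 2022 additions from
# the article; descriptions and required actions are abridged or constructed.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2022-23176", "vendorProject": "WatchGuard", "product": "Firebox and XTM",
     "vulnerabilityName": "WatchGuard Firebox and XTM Privilege Escalation Vulnerability",
     "dateAdded": "2022-04-11", "dueDate": "2022-05-02",
     "shortDescription": "Exposed management access allows a privileged management session.",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2021-27852", "vendorProject": "Checkbox", "product": "Survey",
     "vulnerabilityName": "Checkbox Survey Deserialization of Untrusted Data Vulnerability",
     "dateAdded": "2022-04-11", "dueDate": "2022-05-02",
     "shortDescription": "Versions 6 and earlier for this product are end-of-life and must be removed from agency networks.",
     "requiredAction": "Remove end-of-life versions or upgrade to version 7 or later."},
    {"cveID": "CVE-2021-22600", "vendorProject": "Linux", "product": "Kernel",
     "vulnerabilityName": "Linux Kernel Privilege Escalation Vulnerability",
     "dateAdded": "2022-04-11", "dueDate": "2022-05-02",
     "shortDescription": "Flaw in the packet socket (AF_PACKET) implementation.",
     "requiredAction": "Apply updates per vendor instructions."},
]}

# Constructed inventory: (vendorProject, product) pairs spelled as the feed spells them.
INVENTORY = {("WatchGuard", "Firebox and XTM"), ("Checkbox", "Survey")}


def triage(catalog, inventory, today):
    """Return KEV entries affecting the inventory, earliest due date first.
    today is an ISO date string; days_left is negative once CISA's federal due
    date has passed; eol marks products whose required action is removal."""
    today = date.fromisoformat(today)
    hits = []
    for v in catalog["vulnerabilities"]:
        if (v["vendorProject"], v["product"]) not in inventory:
            continue  # product not in our estate: nothing to schedule
        hits.append({
            "cve": v["cveID"],
            "name": v["vulnerabilityName"],
            "due": v["dueDate"],
            "days_left": (date.fromisoformat(v["dueDate"]) - today).days,
            "eol": "end-of-life" in v["shortDescription"].lower(),
            "action": v["requiredAction"],
        })
    return sorted(hits, key=lambda h: (h["due"], h["cve"]))


if __name__ == "__main__":
    for h in triage(KEV_SAMPLE, INVENTORY, "2022-04-20"):
        status = "OVERDUE" if h["days_left"] < 0 else f"{h['days_left']} days left"
        print(f"{h['cve']} ({status}){' [EOL: remove]' if h['eol'] else ''}: {h['action']}")
```

Pointing the script at the live feed instead of KEV_SAMPLE only requires loading the downloaded JSON file; the inventory spelling must match the feed's vendorProject and product values exactly.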
Commenting on the WatchGuard Firebox and XTM Privilege Escalation vulnerability, Scott Williamson, VP of Information Services for cybersecurity provider Cerberus Sentinel, explained how it works and who would be affected.
“While this exploit is serious for people whose firewalls were vulnerable and did not take proper precautions in implementation, those who followed best practices were not impacted and will have been able to install a WatchGuard patch to address the vulnerability without having been exploited,” Williamson said.
“This exploit required management access open to the internet,” Williamson added. “Though directly in conflict with industry best practices, many companies left that access open and were impacted. The seriousness of the successful exploits stresses the importance of following best practices and having regular firewall audits to ensure adherence to best practices.”