CISA adds 7 vulnerabilities to list of bugs exploited in attacks

The US Cybersecurity and Infrastructure Security Agency (CISA) has added seven vulnerabilities to its list of actively exploited security issues, including bugs in Microsoft, Linux and Jenkins products.

The “Catalog of Known Exploited Vulnerabilities” is a list of vulnerabilities known to be actively exploited in cyberattacks and to be remediated by Federal Civilian Executive Branch (FCEB) agencies.

“Binding Operational Directive (BOD) 22-01: Reduce Significant Risk of Known Exploited Vulnerabilities established the Catalog of Known Exploited Vulnerabilities as a living list of known CVEs that pose significant risk to the Federal enterprise,” CISA explains.

“BOD 22-01 requires FCEB agencies to patch identified vulnerabilities by the due date to protect FCEB networks from active threats. See BOD 22-01 Information Sheet for more information.”

“The vulnerabilities listed in the catalog allow threat actors to perform various attacks, including stealing credentials, gaining access to networks, executing remote commands, downloading and executing malware or stealing information from devices.”

With the addition of these seven vulnerabilities, the catalog now contains 654 vulnerabilities, including the date by which federal agencies should apply associated security patches and updates.

The seven new vulnerabilities added this week are listed below, with CISA requiring that they all be patched by May 16, 2022.

| CVE number | Vulnerability Title | Due date |
| --- | --- | --- |
| CVE-2022-29464 | WSO2 Multiple Products Unrestricted Upload of File Vulnerability | 2022-05-16 |
| CVE-2022-26904 | Microsoft Windows User Profile Service Privilege Escalation Vulnerability | 2022-05-16 |
| CVE-2022-21919 | Microsoft Windows User Profile Service Privilege Escalation Vulnerability | 2022-05-16 |
| CVE-2022-0847 | Linux Kernel Privilege Escalation Vulnerability | 2022-05-16 |
| CVE-2021-41357 | Microsoft Win32k Privilege Escalation Vulnerability | 2022-05-16 |
| CVE-2021-40450 | Microsoft Win32k Privilege Escalation Vulnerability | 2022-05-16 |
| CVE-2019-1003029 | Jenkins Script Security Plugin Sandbox Bypass Vulnerability | 2022-05-16 |
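CISA publishes the catalog as a JSON feed whose entries carry the same fields as the table above (CVE ID, vulnerability name, date added, due date, required action). The following script is an added example, not part of the article or of any CISA tooling: it joins a constructed, three-entry feed in that schema against a hypothetical asset inventory of unpatched CVEs and reports which findings are due or overdue as of a chosen date, which is the check BOD 22-01 effectively asks agencies to run.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Only the field
# names mirror the real feed; the entries are an illustrative subset and the
# dateAdded values are placeholders, not the catalog's actual data.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2022-29464", "vendorProject": "WSO2", "product": "Multiple Products",
         "vulnerabilityName": "WSO2 Multiple Products Unrestricted Upload of File Vulnerability",
         "dateAdded": "2022-04-25", "dueDate": "2022-05-16",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-0847", "vendorProject": "Linux", "product": "Kernel",
         "vulnerabilityName": "Linux Kernel Privilege Escalation Vulnerability",
         "dateAdded": "2022-04-25", "dueDate": "2022-05-16",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2019-1003029", "vendorProject": "Jenkins", "product": "Script Security Plugin",
         "vulnerabilityName": "Jenkins Script Security Plugin Sandbox Bypass Vulnerability",
         "dateAdded": "2022-04-25", "dueDate": "2022-05-16",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

# Hypothetical inventory: asset name -> CVEs a scanner reports as unpatched.
# CVE-2021-40450 is deliberately absent from the sample feed to show that
# only catalog matches are reported.
INVENTORY = {
    "build-server": ["CVE-2019-1003029", "CVE-2021-40450"],
    "api-gateway": ["CVE-2022-29464"],
}


def load_kev(feed_json: str) -> dict:
    """Parse a KEV-format feed and index its entries by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def triage(feed_json: str, inventory: dict, today: date) -> list:
    """Return inventory CVEs present in the catalog, earliest due date first,
    each tagged with days left until the BOD 22-01 due date (negative = overdue)."""
    kev = load_kev(feed_json)
    findings = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # unpatched, but not (yet) in the catalog
            due = date.fromisoformat(entry["dueDate"])
            findings.append({"asset": asset, "cve": cve, "name": entry["vulnerabilityName"],
                             "dueDate": entry["dueDate"], "daysLeft": (due - today).days,
                             "overdue": today > due, "action": entry["requiredAction"]})
    return sorted(findings, key=lambda f: (f["dueDate"], f["asset"]))
```

Point `load_kev` at the live feed instead of `KEV_SAMPLE` and the same `triage` call produces the due-date list for a real inventory.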

How are these bugs used in attacks?

While it’s useful to know that a bug is being exploited, it’s even more useful to understand how it’s being actively used in attacks.

The WSO2 vulnerability identified as CVE-2022-29464 was disclosed on April 18, 2022, and a few days later a public exploit was released. Rapid7 researchers soon saw the public PoC used in attacks to deploy web shells and coinminers.

Windows “User Profile Service Privilege Escalation” vulnerabilities tracked as CVE-2022-21919 and CVE-2022-26904 were both discovered by Abdelhamid Naceri and are successive bypasses of the patch for the original CVE-2021-34484 vulnerability fixed in August 2021. PoC exploits were publicly disclosed for all of these vulnerabilities, and BleepingComputer has been advised that ransomware gangs use them to spread laterally across a Windows domain.

The Linux privilege escalation vulnerability known as “Dirty Pipe” is tracked as CVE-2022-0847 and was disclosed in March 2022. Shortly after its disclosure, numerous proof-of-concept exploits were released that allow a local user to quickly gain root privileges, as shown below.

Demonstration of CVE-2022-0847 Dirty Pipe Vulnerability
Source: BleepingComputer

The CVE-2021-40450 and CVE-2021-41357 “Microsoft Win32k Privilege Escalation” vulnerabilities were patched in October 2021 and are a notable addition to the list, as there is no public mention of their being exploited in the wild.

Finally, the oldest vulnerability is the ‘Jenkins Script Security Plugin Sandbox Bypass’ bug tracked as CVE-2019-1003029, which was used in the past by the Capoae malware to deploy XMRig cryptominers.

It is strongly recommended that all security professionals and administrators review the catalog of known exploited vulnerabilities and patch any that are in their environment.
