The US Cybersecurity and Infrastructure Security Agency (CISA) has added seven vulnerabilities to its list of actively exploited security issues, including those in Microsoft, Linux and Jenkins.
The “Catalog of Known Exploited Vulnerabilities” is a list of vulnerabilities known to be actively exploited in cyberattacks and to be remediated by Federal Civilian Executive Branch (FCEB) agencies.
“Binding Operational Directive (BOD) 22-01: Reduce Significant Risk of Known Exploited Vulnerabilities established the Catalog of Known Exploited Vulnerabilities as a living list of known CVEs that pose significant risk to the Federal enterprise,” CISA explains.
“BOD 22-01 requires FCEB agencies to patch identified vulnerabilities by the due date to protect FCEB networks from active threats. See BOD 22-01 Information Sheet for more information.”
“The vulnerabilities listed in the catalog allow threat actors to perform various attacks, including stealing credentials, gaining access to networks, executing remote commands, downloading and executing malware or stealing information from devices.”
With the addition of these seven vulnerabilities, the catalog now contains 654 vulnerabilities, including the date by which federal agencies should apply associated security patches and updates.
The seven new vulnerabilities added this week are listed below, with CISA requiring that they all be patched by May 16, 2022.
| CVE number | Vulnerability Title | Due date |
|---|---|---|
| CVE-2022-29464 | WSO2 Unrestricted Download Multiple File Vulnerability Products | 2022-05-16 |
| CVE-2022-26904 | Microsoft Windows User Profile Service Privilege Escalation Vulnerability | 2022-05-16 |
| CVE-2022-21919 | Microsoft Windows User Profile Service Privilege Escalation Vulnerability | 2022-05-16 |
| CVE-2022-0847 | Linux Kernel Privilege Escalation Vulnerability | 2022-05-16 |
| CVE-2021-41357 | Microsoft Win32k Privilege Escalation Vulnerability | 2022-05-16 |
| CVE-2021-40450 | Microsoft Win32k Privilege Escalation Vulnerability | 2022-05-16 |
| CVE-2019-1003029 | Jenkins Script Security Plugin Sandbox Bypass Vulnerability | 2022-05-16 |
How are these bugs used in attacks?
While it’s useful to know that a bug is being exploited, it’s even more useful to understand how it’s being actively used in attacks.
The WSO2 vulnerability identified as CVE-2022-29464 was disclosed on April 18, 2022, and a few days later a public exploit was released. Rapid7 researchers soon saw the public PoC used in attacks to deploy web shells and coinminers.
Windows “User Profile Service Privilege Escalation” vulnerabilities tracked as CVE-2022-21919 and CVE-2022-26904 were both discovered by Abdelhamid Naceri and are subsequent workarounds of an original CVE-2021-34484 vulnerability patched in August 2021. All of these vulnerabilities were subject to public disclosure of PoC exploits, and BleepingComputer has been advised that gangs of ransomware uses them to spread laterally across a Windows domain.
The Linux privilege escalation vulnerability known as “DirtyPipe” is tracked as CVE-2022-0847 and was disclosed in March 2022. Shortly after its disclosure, numerous proof-of-concept exploits have been released, allowing users to quickly gain root privileges, as shown. below.
Source: BleepingComputer
The CVE-2021-40450 and CVE-2021-41357 “Microsoft Win32k Privilege Escalation” vulnerabilities were patched in October 2021 and are a nice addition to the list, as there is no public mention of them being exploited in the wild.
Finally, the oldest vulnerability is the ‘Jenkins Script Security Plugin Sandbox Bypass’ bug tracked as CVE-2019-1003029, which was used in the past by Capoae Malware to deploy XMRig cryptominers.
It is strongly recommended that all security professionals and administrators review the catalog of known exploited vulnerabilities and patch any that are in their environment.
