CISA orders agencies to fix actively exploited VMware and Chrome bugs


The Cybersecurity and Infrastructure Security Agency (CISA) has added nine additional security flaws to its list of actively exploited bugs, including a VMware privilege escalation flaw and a Google Chrome zero-day that could be used to run remote code.

The VMware vulnerability (CVE-2022-22960) was patched on April 6. It allows attackers to escalate privileges to root on vulnerable servers because of incorrect permissions in support scripts.

A Chrome zero-day was also added to CISA’s Known Exploited Vulnerabilities (KEV) catalog: a bug tracked as CVE-2022-1364 that allows remote code execution due to a type confusion weakness in the V8 JavaScript engine.

All Federal Civilian Executive Branch (FCEB) agencies must patch their systems against these security bugs now that they have been added to CISA’s KEV catalog, as required by the November binding operational directive (BOD 22-01).

They were given three weeks, until May 6, to mitigate the flaws and block ongoing exploitation attempts.

CISA added seven more security vulnerabilities to its catalog today, all exploited in ongoing attacks.

| CVE | Vulnerability name | Due date |
| --- | --- | --- |
| CVE-2022-22960 | Multiple VMware Products Privilege Escalation Vulnerability | 2022-05-06 |
| CVE-2022-1364 | Google Chromium V8 Type Confusion Vulnerability | 2022-05-06 |
| CVE-2019-3929 | Multiple Crestron Products Command Injection Vulnerability | 2022-05-06 |
| CVE-2019-16057 | D-Link DNS-320 Remote Code Execution Vulnerability | 2022-05-06 |
| CVE-2018-7841 | Schneider Electric U.motion Builder SQL Injection Vulnerability | 2022-05-06 |
| CVE-2016-4523 | Trihedral VTScada (formerly VTS) Denial of Service Vulnerability | 2022-05-06 |
| CVE-2014-0780 | InduSoft Web Studio NTWebServer Directory Traversal Vulnerability | 2022-05-06 |
| CVE-2010-5330 | Ubiquiti AirOS Command Injection Vulnerability | 2022-05-06 |
| CVE-2007-3010 | Alcatel OmniPCX Enterprise Remote Code Execution Vulnerability | 2022-05-06 |

On Thursday, CISA also added the critical VMware remote code execution bug (CVE-2022-22954), now used in attacks to deploy cryptominer payloads.

All US organizations are urged to prioritize these security updates

Although BOD 22-01 only applies to US FCEB agencies, CISA also urges all US private and public sector organizations to give higher priority to fixing these actively exploited bugs.

Taking this advice to heart should significantly reduce the attack surface that threat actors can use to attempt to breach an organization’s network.

“These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose a significant risk to the federal enterprise,” says the US Cybersecurity Agency.

Since issuing BOD 22-01, CISA has added hundreds of flaws to its catalog of actively exploited bugs, ordering US federal agencies to patch them as soon as possible to block attacks that exploit them.
