The US Cybersecurity and Infrastructure Security Agency (CISA) has added 95 vulnerabilities to its list of actively exploited security issues, the most since the Binding Operational Directive (BOD) was issued last year.
Although some of them have been known for nearly two decades, the agency notes that the bugs “pose a significant risk to the federal enterprise.”
Recent critical bugs on the list
In accordance with BOD 22-01 to reduce the risk of known exploited vulnerabilities, federal agencies have just over three weeks to fix the newly added 95 security vulnerabilities, the deadline for most of them being March 24.
For 27 of the vulnerabilities, the timeline for remediation is shorter, March 17, primarily because they are newer and affect systems that provide access to sensitive information or allow movement to devices on the network. Eight of these bugs have a critical severity score of at least 9.8.
CVE | Supplier/Project | Product |
---|---|---|
CVE-2022-20708 | Cisco | RV160, RV260, RV340, and RV345 Series Small Business Routers |
CVE-2022-20703 | Cisco | RV160, RV260, RV340, and RV345 Series Small Business Routers |
CVE-2022-20701 | Cisco | RV160, RV260, RV340, and RV345 Series Small Business Routers |
CVE-2022-20700 | Cisco | RV160, RV260, RV340, and RV345 Series Small Business Routers |
CVE-2022-20699 | Cisco | RV160, RV260, RV340, and RV345 Series Small Business Routers |
CVE-2020-1938 | Apache | Tomcat |
CVE-2019-16928 | Exim | Exim Internet Mail |
CVE-2018-0151 | Cisco | IOS and IOS XE software |
The latest entries in the CISA catalog of known exploited vulnerabilities primarily concern Microsoft (Windows, Office) and Cisco products.
However, products from other vendors or projects (Oracle, Adobe, Mozilla, Siemens, Apache, Exim, Linux, Treck TCP/IP stack and ChakraCore) are also present.
Old faults still present
Interestingly, it appears that federal agencies are still using systems with Adobe Flash Player, although product support ended on the last day of 2020.
In early 2021, Adobe also blocked Flash content from running in Flash Player and the company “strongly recommends that all users uninstall it immediately” due to inherent security risks.
Some of the Flash Player bugs identified by CISA have a critical severity score of 9.8 out of 10 and are more than five years old (for example, CVE-2016-4117 and CVE-2016-1019).
The oldest vulnerability on the list, however, dates from 2002: a privilege escalation vulnerability identified as CVE-2002-0367 that affects the smss.exe debugging subsystem in Windows NT and Windows 2000.
The table below lists the 10 oldest vulnerabilities that CISA added this week to its catalog of known exploited vulnerabilities:
CVE | Supplier/Project | Product | Vulnerability name | Brief description |
---|---|---|---|---|
CVE-2011-0611 | Adobe | Flash Player | Adobe Flash Player Remote Code Execution Vulnerability | Adobe Flash Player contains a vulnerability that allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content. |
CVE-2010-3333 | Microsoft | Office | Microsoft Office Stack Based Buffer Overflow Vulnerability | A stack-based buffer overflow vulnerability in RTF data parsing in Microsoft Office and earlier versions allows an attacker to remotely execute code. |
CVE-2010-0232 | Microsoft | Windows Kernel | Microsoft Windows Kernel Exception Handler Vulnerability | The Microsoft Windows kernel, when 16-bit application access is enabled on a 32-bit x86 platform, does not properly validate some BIOS calls, allowing local users to gain privileges. |
CVE-2010-0188 | Adobe | Reader and Acrobat | Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability | An unspecified vulnerability in Adobe Reader and Acrobat allows attackers to cause a denial of service or possibly execute arbitrary code. |
CVE-2009-3129 | Microsoft | Excel | Microsoft Excel Featheader Record Memory Corruption Vulnerability | Microsoft Office Excel allows remote attackers to execute arbitrary code through a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset. |
CVE-2009-1123 | Microsoft | Windows | Microsoft Windows Bad Input Validation Vulnerability | The Microsoft Windows kernel does not properly commit changes to unspecified kernel objects, allowing local users to gain privileges through a specially crafted application. |
CVE-2008-3431 | Oracle | VirtualBox | Oracle VirtualBox Insufficient Input Validation Vulnerability | An input validation vulnerability exists in the Sun xVM VirtualBox driver VBoxDrv.sys that allows attackers to locally execute arbitrary code. |
CVE-2008-2992 | Adobe | Acrobat and Reader | Adobe Reader and Acrobat Input Validation Vulnerability | Adobe Acrobat and Reader contain an input validation issue in a JavaScript method that could potentially lead to remote code execution. |
CVE-2004-0210 | Microsoft | Windows | Microsoft Windows Privilege Escalation Vulnerability | An elevation of privilege vulnerability exists in the POSIX subsystem. The vulnerability could allow a logged-in user to take full control of the system. |
CVE-2002-0367 | Microsoft | Windows | Microsoft Windows Privilege Escalation Vulnerability | The smss.exe debugging subsystem in Microsoft Windows does not properly authenticate programs that connect to other programs, allowing local users to gain administrator or SYSTEM privileges. |
With the 95 vulnerabilities added this week, CISA’s catalog of actively exploited bugs that federal agencies need to fix has a total of 478 entries.
Applying security updates as soon as they are available should be a priority for public and private sector organizations.
The US Cybersecurity Agency encourages all entities to remediate all security issues added to its catalog to reduce their exposure to cyberattacks.