CISA Warns Organizations to Fix 95 Actively Exploited Bugs

The US Cybersecurity and Infrastructure Security Agency (CISA) has added 95 vulnerabilities to its list of actively exploited security issues, the most since the Binding Operational Directive (BOD) was issued last year.

Although some of them have been known for nearly two decades, the agency notes that the bugs “pose a significant risk to the federal enterprise.”

Recent critical bugs on the list

In accordance with BOD 22-01 to reduce the risk of known exploited vulnerabilities, federal agencies have just over three weeks to fix the newly added 95 security vulnerabilities, the deadline for most of them. being March 24.

For 27 of the vulnerabilities, the timeline for remediation is shorter, March 17, primarily because they are newer and affect systems that provide access to sensitive information or allow movement to devices on the network. Eight of these bugs have a high critical severity score of at least 9.8.

CVE Supplier/Project Product
CVE-2022-20708 Cisco RV160, RV260, RV340, and RV345 Series Small Business Routers
CVE-2022-20703 Cisco RV160, RV260, RV340, and RV345 Series Small Business Routers
CVE-2022-20701 Cisco RV160, RV260, RV340, and RV345 Series Small Business Routers
CVE-2022-20700 Cisco RV160, RV260, RV340, and RV345 Series Small Business Routers
CVE-2022-20699 Cisco RV160, RV260, RV340, and RV345 Series Small Business Routers
CVE-2020-1938 apache Matou
CVE-2019-16928 Exim Exim Internet Mail
CVE-2018-0151 Cisco IOS and IOS XE software

The latest entries in the CISA catalog of known exploited vulnerabilities primarily concern Microsoft (Windows, Office) and Cisco products.

However, products from other vendors or projects – Oracle, Adobe, Mozilla, Siemens, Apache, Exim, Linux, Treck TCP/IP stack and ChakraCore are also present.

Old faults still present

Interestingly, it appears that federal agencies are still using systems with Adobe Flash Player, although product support ended on the last day of 2020.

In early 2021, Adobe also blocked Flash content from running in Flash Player and the company “strongly recommends that all users uninstall it immediately” due to inherent security risks.

Some of the Flash Player bugs identified by CISA have a critical severity score of 9.8 out of 10 and are more than five years old (for example, CVE-2016-4117 and CVE-2016-1019).

The oldest vulnerability in the list dates from 2002, however, a privilege escalation vulnerability identified as CVE-2002-0367 that affects the smss.exe debugging subsystem in Windows NT and Windows 2000 Windows.

The table below lists the 10 oldest vulnerabilities that CISA added this week to its catalog of known exploited vulnerabilities:

CVE Supplier/Project Product Vulnerability name brief description
CVE-2011-0611 Adobe Flash Player Adobe Flash Player Remote Code Execution Vulnerability Adobe Flash Player contains a vulnerability that allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content.
CVE-2010-3333 Microsoft Office Microsoft Office Stack Based Buffer Overflow Vulnerability A stack-based buffer overflow vulnerability exists in RTF data parsing in Microsoft Office and earlier versions allow an attacker to remotely execute code.
CVE-2010-0232 Microsoft windows kernel Microsoft Windows Kernel Exception Handler Vulnerability The Microsoft Windows kernel, when 16-bit application access is enabled on a 32-bit x86 platform, does not properly validate some BIOS calls, allowing local users to gain privileges.
CVE-2010-0188 Adobe Reader and Acrobat Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability An unspecified vulnerability in Adobe Reader and Acrobat allows attackers to cause a denial of service or possibly execute arbitrary code.
CVE-2009-3129 Microsoft Excel Microsoft Excel Featheader Record Memory Corruption Vulnerability Microsoft Office Excel allows remote attackers to execute arbitrary code through a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset.
CVE-2009-1123 Microsoft the Windows Microsoft Windows Bad Input Validation Vulnerability The Microsoft Windows kernel does not properly commit changes to unspecified kernel objects, allowing local users to gain privileges through a specially crafted application.
CVE-2008-3431 Oracle VirtualBox Oracle VirtualBox Insufficient Input Validation Vulnerability An input validation vulnerability exists in the Sun xVM VirtualBox driver VBoxDrv.sys that allows attackers to locally execute arbitrary code.
CVE-2008-2992 Adobe acrobat and reader Adobe Reader and Acrobat Input Validation Vulnerability Adobe Acrobat and Reader contain an input validation issue in a JavaScript method that could potentially lead to remote code execution.
CVE-2004-0210 Microsoft the Windows Microsoft Windows Privilege Escalation Vulnerability An elevation of privilege vulnerability exists in the POSIX subsystem. The vulnerability could allow a logged-in user to take full control of the system.
CVE-2002-0367 Microsoft the Windows Microsoft Windows Privilege Escalation Vulnerability The smss.exe debugging subsystem in Microsoft Windows does not properly authenticate programs that connect to other programs, allowing local users to gain administrator or SYSTEM privileges.

With the 95 vulnerabilities added this week, CISA’s catalog of actively exploited bugs that federal agencies need to fix has a total of 478 entries.

Applying security updates as soon as they are available should be a priority for public and private sector organizations.

The US Cybersecurity Agency encourages all entities to remediate all security issues added to its catalog to reduce their exposure to cyberattacks.

Previous Urbana FFA participates in the repair of tractors
Next Debt Consolidation vs Credit Card Refinancing: What's the Difference?