CISA adds 7 vulnerabilities to list of bugs exploited by hackers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added seven vulnerabilities to its list of bugs actively exploited by hackers, with the new flaws disclosed by Apple. Microsoft, SAP, and Google.

The ‘Known Exploited Vulnerabilities Catalog’ is a list of vulnerabilities shared by CISA that are known to be actively exploited in cyberattacks and must be patched by the Federal Civilian Executive Branch (FCEB) agencies.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise,” explains CISA.

“BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats.”

With these seven vulnerabilities, the catalog now contains 801 CVEs, and the date agencies must have already applied associated patches.

The seven new vulnerabilities added yesterday are listed below, with CISA requiring all of them to be patched by September 8th, 2022.

CVE Number Vulnerability Title
CVE-2017-15944 Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
CVE-2022-21971 Microsoft Windows Runtime Remote Code Execution Vulnerability
CVE-2022-26923 Microsoft Active Directory Domain Services Privilege Escalation Vulnerability
CVE-2022-2856 Google Chrome Intents Insufficient Input Validation Vulnerability
CVE-2022-32893 Apple iOS and macOS Out-of-Bounds Write Vulnerability
CVE-2022-32894 Apple iOS and macOS Out-of-Bounds Write Vulnerability
CVE-2022-22536 SAP Multiple Products HTTP Request Smuggling Vulnerability

How are these bugs used in attacks?

While it’s helpful to know what vulnerabilities are being exploited, no details have been provided on how threat actors use them in attacks. Below we have provided the details we could find about the newly added bugs.

The critical SAP CVE-2022-22536 vulnerability was disclosed by Onapsis in February and assigned a 10/10 severity rating. CISA quickly warned admins to patch the bug as it could lead to data theft, financial fraud risks, disruptions of mission-critical business processes, ransomware attacks, and a halt of all operations.

At this time, it is unknown how attackers exploit this bug. Still, details of the flaw were disclosed at the BlackHat security conference last week and appear to be quickly used by threat actors after the technical details were revealed.

“Yesterday, the US Cybersecurity and Infrastructure Security Agency (CISA) added a critical SAP vulnerability–CVE-2022-22536–to its Known Exploited Vulnerabilities Catalog less than one week after details were disclosed at the Black Hat by Onapsis Research Labs,” explains a new warning on Onapsis’ advisory.

“Though this vulnerability was discovered earlier this year, this validation from CISA shows that organizations should prioritize action immediately.”

Apple released macOS and iOS/iPadOS security updates on Wednesday for the CVE-2022-32893 and CVE-2022-32894 vulnerabilities, explaining that they could be exploited to perform code execution on vulnerable devices.

Apple did not provide details on how they are being abused, but as CVE-2022-32894 allows code to be executed with Kernel privileges, it would allow the complete takeover of the device.

The Google CVE-2022-2856 vulnerability was fixed in Google Chrome 104.0.5112.101, released on Tuesday. While no information has been shared on how hackers exploited it in attacks, vulnerability researcher Hossein Lotfi discovered more details about the bug.

Microsoft fixed the CVE-2022-21971 remote code execution vulnerability in the February 2022 Patch Tuesday, but no details are available about how it is being exploited in the wild.

However, CVE-2022-26923 is an Active Directory Domain Services privilege elevation vulnerability fixed in May with technical details about the ‘Certifried’ bug revealed.

These details have allowed researchers, and likely threat actors, to reproduce the exploit.

Finally, the oldest vulnerability added yesterday is the Palo Altos Networks CVE-2017-15944 remote code execution vulnerability disclosed in 2017.

This vulnerability was disclosed with full tech details, and while it’s surprising that devices are still vulnerable after five years, it’s not surprising that threat actors are abusing the flaw.

It is strongly recommended that all security professionals and admins review the Known Exploited Vulnerabilities Catalog and patch listed bugs within their environment.

Source: Bleeping Computer by Lawrence Abrams