8 Vulnerabilities Added to CISA’s Known Exploited Vulnerabilities Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added a further 8 actively exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog. These 8 vulnerabilities are known to have been exploited by threat actors in real-world attacks, and as such these vulnerabilities pose a significant risk to organizations. The vulnerabilities are a mix of old and new, with the earliest vulnerabilities dating back to 2014 and the most recent disclosed this year.

The flaws are a mix of memory corruption, stack-based buffer overflow, improper privilege management, use-after-free, SQL injection, privilege escalation, and code execution vulnerabilities. If exploited, threat actors could take control of Apple devices, access networks, and remotely execute code on vulnerable systems. Even though some of the vulnerabilities are more than 7 years old, they are still being successfully exploited due to the failure to apply patches.

For each of the 8 vulnerabilities, CISA has provided a date by which Federal Civilian Executive Branch (FCEB) agencies must apply the patches to fix the vulnerabilities, with two of the vulnerabilities requiring immediate action. The most recent vulnerabilities affect iOS, iPad OS, macOS Monterey, and SonicWall SMA 100 Appliances. Both of these flaws are being actively exploited and immediate patching is required, with the maximum date for FCEB agencies to patch the two flaws being February 11, 2022. The 8 flaws, listed in the table below, bring the total number of vulnerabilities in the Catalog up to 351.

While the Binding Operational Directive (BOD) 22-01 that established the Known Exploited Vulnerabilities Catalog only applies to FCEB agencies, CISA is encouraging all organizations to prioritize the patches in the Known Exploited Vulnerabilities Catalog to reduce their exposure to cyberattacks.

CVE Number CVE Title Latest Patch Date
CVE-2022-22587 Apple IOMobileFrameBuffer Memory Corruption Vulnerability 2/11/2022
CVE-2021-20038 SonicWall SMA 100 Appliances Stack-Based Buffer Overflow Vulnerability 2/11/2022
CVE-2014-7169 GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability 7/28/2022
CVE-2014-6271 GNU Bourne-Again Shell (Bash) Arbitrary Code Execution Vulnerability 7/28/2022
CVE-2020-0787 Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management Vulnerability 7/28/2022
CVE-2014-1776 Microsoft Internet Explorer Use-After-Free Vulnerability 7/28/2022
CVE-2020-5722 Grandstream Networks UCM6200 Series SQL Injection Vulnerability 7/28/2022
CVE-2017-5689 Intel Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability Privilege Escalation Vulnerability 7/28/2022

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news