CISA Alerts Federal Agencies of Ancient Bugs Still Being Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its list of known exploited vulnerabilities with 15 new security issues that serve as a frequent attack vector against federal enterprises.
The latest additions vary in severity and disclosure date: some are rated only medium risk, and some date back as far as 2013.
In combination with other factors such as a threat actor’s foothold on the network, old and unpatched devices, and/or device exposure on the public internet, the vulnerabilities are a serious security gap and an opportunity for adversaries.
Ancient bugs on the list
CISA compiled the new list after finding evidence that the security issues newly added to the Catalog of Known Exploited Vulnerabilities are used in ongoing attacks.
Of the 15 entries, only four are recent: three from 2021 and one from 2020. The rest are more than two years old, the oldest of them from 2013 – a bug in the WinVerifyTrust function tracked as CVE-2013-3900, which affects Windows versions from XP SP2 through Server 2012.
Another aged vulnerability, from 2015, is a remote code execution flaw in IBM WebSphere Application Server and Server Hypervisor Edition, identified as CVE-2015-7450 and rated as critical (severity score 9.8 out of 10).
The table below shows all the vulnerabilities that CISA wants federal agencies to remediate this month to boost defenses against active threats. CISA recommends applying available updates as per vendor instructions.
| CVE identifier | Description | Remediation due date | NVD severity rating |
|---|---|---|---|
| CVE-2021-22017 | VMware vCenter Server Improper Access Control Vulnerability | 1/24/2022 | 5.3 (medium) |
| CVE-2021-36260 | Hikvision Improper Input Validation Vulnerability | 1/24/2022 | 9.8 (critical) |
| CVE-2021-27860 | FatPipe WARP, IPVPN, and MPVPN Privilege Escalation Vulnerability | 1/24/2022 | 8.8 (high) |
| CVE-2020-6572 | Google Chrome prior to 81.0.4044.92 Use-After-Free Vulnerability | 7/10/2022 | 8.8 (high) |
| CVE-2019-1458 | Microsoft Win32K Elevation of Privilege Vulnerability | 7/10/2022 | 7.8 (high) |
| CVE-2019-7609 | Elastic Kibana Remote Code Execution Vulnerability | 7/10/2022 | 10.0 (critical) |
| CVE-2019-2725 | Oracle WebLogic Server Injection Vulnerability | 7/10/2022 | 9.8 (critical) |
| CVE-2019-9670 | Synacor Zimbra Collaboration Suite Improper Restriction of XML External Entity Reference Vulnerability | 7/10/2022 | 9.8 (critical) |
| CVE-2019-10149 | Exim Mail Transfer Agent (MTA) Improper Input Validation Vulnerability | 7/10/2022 | 9.8 (critical) |
| CVE-2019-1579 | Palo Alto Networks PAN-OS Remote Code Execution Vulnerability | 7/10/2022 | 8.1 (high) |
| CVE-2018-13383 | Fortinet FortiOS and FortiProxy Improper Authorization Vulnerability | 7/10/2022 | 6.5 (medium) |
| CVE-2018-13382 | Fortinet FortiOS and FortiProxy Improper Authorization Vulnerability | 7/10/2022 | 7.5 (high) |
| CVE-2017-1000486 | Primetek Primefaces Application Remote Code Execution Vulnerability | 7/10/2022 | 9.8 (critical) |
| CVE-2015-7450 | IBM WebSphere Application Server and Server Hypervisor Edition Remote Code Execution Vulnerability | 7/10/2022 | 9.8 (critical) |
| CVE-2013-3900 | Microsoft WinVerifyTrust Function Remote Code Execution Vulnerability | 7/10/2022 | N/A |
CISA’s catalog of known exploited vulnerabilities is part of the Binding Operational Directive (BOD) 22-01 for reducing security risks and for better vulnerability management.
Under this directive, federal civilian agencies have to identify the listed security issues in their systems and remediate them by the stated due dates.
Although the catalog is aimed mainly at federal civilian agencies, it is a good reference for organizations of all types to reduce their exposure to cyber risks.
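The table and the directive together describe a concrete workflow: take the catalog entries with their due dates, match them against what a scanner found on your assets, and order the work by deadline first and severity second. The script below is an added example written for this article, not CISA tooling. Its catalog sample is constructed from a subset of the table above in the shape of CISA's JSON feed (the field names cveID, vulnerabilityName and dueDate are assumed to match that feed; the live feed is not fetched), the NVD scores are copied from the table, and the asset inventory, including the placeholder CVE-2021-99999, is constructed.

```python
"""Triage scanner findings against KEV-style catalog entries under BOD 22-01.

Added example for this article, not CISA's own tooling. The catalog sample is
constructed from the article's table; the JSON field names follow the shape of
CISA's published KEV feed (an assumption of this example), which is not fetched.
"""
import json
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample in the assumed shape of the KEV JSON feed (subset of the table).
SAMPLE_KEV_JSON = """{
  "vulnerabilities": [
    {"cveID": "CVE-2021-22017", "vulnerabilityName": "VMware vCenter Server Improper Access Control Vulnerability", "dueDate": "2022-01-24"},
    {"cveID": "CVE-2021-36260", "vulnerabilityName": "Hikvision Improper Input Validation Vulnerability", "dueDate": "2022-01-24"},
    {"cveID": "CVE-2020-6572", "vulnerabilityName": "Google Chrome Use-After-Free Vulnerability", "dueDate": "2022-07-10"},
    {"cveID": "CVE-2019-7609", "vulnerabilityName": "Elastic Kibana Remote Code Execution Vulnerability", "dueDate": "2022-07-10"},
    {"cveID": "CVE-2013-3900", "vulnerabilityName": "Microsoft WinVerifyTrust function Remote Code Execution Vulnerability", "dueDate": "2022-07-10"}
  ]
}"""

# NVD base scores from the article's table; the catalog feed itself carries no score.
# CVE-2013-3900 has no NVD score, and its deadline applies regardless.
NVD_SCORES: Dict[str, float] = {
    "CVE-2021-22017": 5.3, "CVE-2021-36260": 9.8, "CVE-2020-6572": 8.8, "CVE-2019-7609": 10.0,
}

# Constructed asset inventory: asset name -> CVEs a scanner reported on it.
# CVE-2021-99999 is a placeholder for a finding that is not in the catalog.
INVENTORY: Dict[str, List[str]] = {
    "vcenter-01": ["CVE-2021-22017", "CVE-2021-99999"],
    "kibana-prod": ["CVE-2019-7609"],
    "build-agent-7": ["CVE-2013-3900", "CVE-2020-6572"],
}


@dataclass(frozen=True)
class KevEntry:
    cve: str
    name: str
    due_date: date
    cvss: Optional[float]  # None when NVD has not scored the CVE


def load_kev(text: str, scores: Dict[str, float]) -> Dict[str, KevEntry]:
    """Parse feed-shaped JSON into a CVE -> entry index, attaching NVD scores where known."""
    data = json.loads(text)
    index: Dict[str, KevEntry] = {}
    for v in data["vulnerabilities"]:
        cve = v["cveID"]
        index[cve] = KevEntry(cve, v["vulnerabilityName"],
                              date.fromisoformat(v["dueDate"]), scores.get(cve))
    return index


def triage(inventory: Dict[str, List[str]], index: Dict[str, KevEntry],
           today: date) -> List[Tuple[str, KevEntry, int]]:
    """Return (asset, entry, days_overdue) for each catalog-listed finding, most urgent first.

    Ordering: anything past its due date comes first (the deadline is the binding
    requirement, independent of score); within each group, higher CVSS first, then
    earlier due date. Unscored entries sort after scored ones but are never dropped.
    """
    rows = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = index.get(cve)
            if entry is None:
                continue  # not in the catalog: still a finding, but not a catalog deadline
            rows.append((asset, entry, (today - entry.due_date).days))
    rows.sort(key=lambda r: (r[2] <= 0,
                             -(r[1].cvss if r[1].cvss is not None else 0.0),
                             r[1].due_date))
    return rows


def overdue_cves(inventory: Dict[str, List[str]], index: Dict[str, KevEntry],
                 today: date) -> Set[str]:
    """CVEs present on any asset whose remediation due date has already passed."""
    return {entry.cve for _, entry, days in triage(inventory, index, today) if days > 0}


def sample_report(iso_today: str) -> List[Tuple[str, KevEntry, int]]:
    """Run the triage over the constructed sample for a given ISO date."""
    return triage(INVENTORY, load_kev(SAMPLE_KEV_JSON, NVD_SCORES), date.fromisoformat(iso_today))


if __name__ == "__main__":
    for asset, entry, days in sample_report("2022-03-01"):
        state = f"{days}d overdue" if days > 0 else f"due in {-days}d"
        print(f"{asset:<14} {entry.cve:<15} cvss={entry.cvss!s:<5} {state:<15} {entry.name}")
```

The sort key is deliberate: an entry with no NVD score (the WinVerifyTrust bug in the table) still carries a binding due date, so it is kept in the queue and only ordered after scored items within the same deadline group, never filtered out by a severity threshold.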