Posted on September 9, 2022 at 8:43 PM
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned agencies to apply patches for 12 security vulnerabilities, including a Google zero-day. CISA also warned that the bugs have been exploited in attacks.
The directive from CISA noted that all organizations that are part of the Federal Civilian Executive Branch (FCEB) should apply patches to the vulnerabilities before September 29, 2022.
The Vulnerabilities Represent Serious Threats
The agency has also warned that the vulnerabilities represent a serious threat to federal enterprises and have become a common attack vector for several threat actors.
The vulnerabilities include CVE-2011-1823, CVE-2011-4723, CVE-2017-5521, CVE-2018-13374, CVE-2018-2628, CVE-2018-6530, CVE-2018-7445, CVE-2020-9934, CVE-2022-26258, CVE-2022-27593, CVE-2022-28958, and CVE-2022-3075.
For users of Linux, Mac, and Windows, Google addressed CVE-2022-3075 with the release of Chrome 105.0.5195.102 last week. The vulnerability was actively exploited in the wild before the latest update.
Google noted in a security advisory that it was aware an exploit for CVE-2022-3075 existed in the wild.
CVE-2022-27593, which affects QNAP Photo Station software, is another vulnerability that has been added to the KEV catalog.
A Zero-Day Bug Has Been Seen In Photo Station
The maker of the QNAP network-attached storage (NAS) appliances advised its customers that there was a zero-day vulnerability in Photo Station. The company also warned that the flaw was being exploited in DeadBolt ransomware attacks, although it had been patched.
QNAP also noted that threat actors used the vulnerability to encrypt QNAP NAS devices that are connected to the internet. The vulnerability creates an opportunity for hackers to get into the devices and carry out their malicious activities within the impacted device.
Another report from MooBot about critical security bugs in D-Link hardware was also released this week. According to the report, the threat actors in the attack aim to achieve remote code execution and gain control of devices that have not been patched.
All The Vulnerabilities Have Been Patched
D-Link says all the vulnerabilities have been patched, although some users are yet to install the patches. Last November, CISA issued a legally binding operational directive to all agencies. It required FCEB agencies to protect their systems against flaws that have been added to the KEV catalog to minimize the risk of known exploitable faults across US government networks.
Security experts have also advised American enterprises in both the commercial and public sectors to prioritize fixing the issues, even though the DHS’ BOD 22-01 applies primarily to US FCEB agencies.
Since the directive was issued in November, CISA has added more than 600 vulnerabilities that are exploited in attacks to its KEV catalog. This means federal agencies now have a stronger need to patch them to avoid being targets of malicious actors.
The Google Chrome zero-day was patched on September 2 through an emergency security update after the firm was informed about the exploitation in the wild.
CISA has also told the agencies to hasten their patching of the vulnerabilities, stating that applying the patches as soon as possible will likely significantly reduce the attack surface threat actors could use to compromise their networks.
CISA Recommends Swift Patches To The Vulnerabilities
The US cybersecurity agency also explained that these types of bugs are regular attack vectors for malicious threat actors and that they are serious security threats to these agencies. Apart from the agencies CISA has warned, this type of vulnerability can also expose other organizations to malicious actors.
As a result, CISA has recommended that admins and security professionals review its KEV catalog and apply patches to the listed vulnerabilities within their environments.
Separately, CISA has taken the unusual step of removing a flaw from its catalog of vulnerabilities that are known to be exploited.
The cybersecurity agency stated that it is “temporarily removing” Microsoft’s May 2022 patch for the security flaw CVE-2022-26925.
CISA said there is a risk of authentication failures after admins apply Microsoft’s May 10, 2022 security fixes to Windows servers. The vulnerability was taken off CISA’s must-patch list on Friday.
Microsoft said it informed CISA of the issue. According to the tech giant, the issue is linked to how certificates are mapped to machine accounts and how they are handled by the domain controller.
However, it noted that the problem only affects the update on Windows Servers used as domain controllers.