CISA adds 7 vulnerabilities to list of bugs exploited by hackers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added seven vulnerabilities to its list of bugs actively exploited by hackers, with the new flaws disclosed by Apple, Microsoft, SAP, and Google.

The ‘Known Exploited Vulnerabilities Catalog’ is a list of vulnerabilities shared by CISA that are known to be actively exploited in cyberattacks and must be patched by Federal Civilian Executive Branch (FCEB) agencies.

“Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known CVEs that carry significant risk to the federal enterprise,” explains CISA.

“BOD 22-01 requires FCEB agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats.”

With the addition of these seven vulnerabilities, the catalog now contains 801 CVEs, each listed with the date by which agencies must have applied the associated patches.

The seven new vulnerabilities added yesterday are listed below, with CISA requiring all of them to be patched by September 8th, 2022.

| CVE Number | Vulnerability Title |
| --- | --- |
| CVE-2017-15944 | Palo Alto Networks PAN-OS Remote Code Execution Vulnerability |
| CVE-2022-21971 | Microsoft Windows Runtime Remote Code Execution Vulnerability |
| CVE-2022-26923 | Microsoft Active Directory Domain Services Privilege Escalation Vulnerability |
| CVE-2022-2856 | Google Chrome Intents Insufficient Input Validation Vulnerability |
| CVE-2022-32893 | Apple iOS and macOS Out-of-Bounds Write Vulnerability |
| CVE-2022-32894 | Apple iOS and macOS Out-of-Bounds Write Vulnerability |
| CVE-2022-22536 | SAP Multiple Products HTTP Request Smuggling Vulnerability |

How are these bugs used in attacks?

While it’s helpful to know what vulnerabilities are being exploited, no details have been provided on how threat actors use them in attacks. Below we have provided the details we could find about the newly added bugs.

The critical SAP CVE-2022-22536 vulnerability was disclosed by Onapsis in February and assigned a 10/10 severity rating. CISA quickly warned admins to patch the bug as it could lead to data theft, financial fraud risks, disruptions of mission-critical business processes, ransomware attacks, and a halt of all operations.

At this time, it is not known how attackers exploit this bug, but details of the flaw were disclosed at the Black Hat security conference last week, and threat actors appear to have quickly put them to use after the technical details were revealed.

“Yesterday, the US Cybersecurity and Infrastructure Security Agency (CISA) added a critical SAP vulnerability–CVE-2022-22536–to its Known Exploited Vulnerabilities Catalog less than one week after details were disclosed at the Black Hat by Onapsis Research Labs,” explains a new warning on Onapsis’ advisory.

“Though this vulnerability was discovered earlier this year, this validation from CISA shows that organizations should prioritize action immediately.”

Apple released macOS and iOS/iPadOS security updates on Wednesday for the CVE-2022-32893 and CVE-2022-32894 vulnerabilities, explaining that they could be exploited to perform code execution on vulnerable devices.

Apple did not provide details on how they are being abused, but as CVE-2022-32894 allows code to be executed with Kernel privileges, it would allow the complete takeover of the device.

The Google CVE-2022-2856 vulnerability was fixed in Google Chrome 104.0.5112.101, released on Tuesday. While no information has been shared on how hackers exploited it in attacks, vulnerability researcher Hossein Lotfi discovered more details about the bug.

Google Chrome (In-The-Wild) Zero day (CVE-2022-2856) fix. If an intent contains any extras or a data URI and it targets another browser, Google Chrome would open that browser with that URL without prompting: https://t.co/iiDhLShhJv

— Hossein Lotfi (@hosselot) August 18, 2022

Microsoft fixed the CVE-2022-21971 remote code execution vulnerability in the February 2022 Patch Tuesday, but no details are available about how it is being exploited in the wild.

However, CVE-2022-26923 is an Active Directory Domain Services privilege elevation vulnerability that was fixed in May, and technical details about the bug, dubbed ‘Certifried’, have been revealed.

These details have allowed researchers, and likely threat actors, to reproduce the exploit.

FWIW, Certifried CVE-2022–26923 works quite well on a default Active Directory configuration. Normal user -> Domain Admin in a few steps.
There are a few steps after this screenshot. But you can see that I have a certificate for the domain controller, so you get the gist… https://t.co/MYWGxrPJDM pic.twitter.com/XJ6VHWa1YW

— Will Dormann (@wdormann) May 11, 2022

Finally, the oldest vulnerability added yesterday is the Palo Alto Networks CVE-2017-15944 remote code execution vulnerability disclosed in 2017.

This vulnerability was disclosed with full technical details, and while it’s surprising that devices are still vulnerable after five years, it’s not surprising that threat actors are abusing the flaw.

It is strongly recommended that all security professionals and admins review the Known Exploited Vulnerabilities Catalog and patch listed bugs within their environment.
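One way to act on that recommendation is to match unpatched scanner findings against the catalog and sort them by time left before the due date. The sketch below is an added example, not code from CISA or the article: the feed sample is constructed from the seven entries above using three field names from CISA's JSON feed (`cveID`, `vulnerabilityName`, `dueDate`), and the host names and findings are hypothetical.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed; the CVE IDs, titles and
# the 2022-09-08 due date come from the article, everything else is assumed.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": cve, "vulnerabilityName": name, "dueDate": "2022-09-08"}
    for cve, name in [
        ("CVE-2017-15944", "Palo Alto Networks PAN-OS Remote Code Execution Vulnerability"),
        ("CVE-2022-21971", "Microsoft Windows Runtime Remote Code Execution Vulnerability"),
        ("CVE-2022-26923", "Microsoft Active Directory Domain Services Privilege Escalation Vulnerability"),
        ("CVE-2022-2856", "Google Chrome Intents Insufficient Input Validation Vulnerability"),
        ("CVE-2022-32893", "Apple iOS and macOS Out-of-Bounds Write Vulnerability"),
        ("CVE-2022-32894", "Apple iOS and macOS Out-of-Bounds Write Vulnerability"),
        ("CVE-2022-22536", "SAP Multiple Products HTTP Request Smuggling Vulnerability"),
    ]]})

def load_kev(feed_text):
    """Index KEV entries by normalised CVE ID -> (title, due date)."""
    entries = json.loads(feed_text)["vulnerabilities"]
    return {e["cveID"].strip().upper():
            (e["vulnerabilityName"], date.fromisoformat(e["dueDate"]))
            for e in entries}

def triage(findings, kev, today):
    """Return KEV-listed findings, most urgent first, with days left to the due date."""
    rows = []
    for host, cves in findings.items():
        # Normalise scanner output so case or stray whitespace cannot hide a match.
        for cve in {c.strip().upper() for c in cves}:
            if cve in kev:
                title, due = kev[cve]
                left = (due - today).days
                rows.append((left, host, cve, "OVERDUE" if left < 0 else "DUE", title))
    return sorted(rows)

# Hypothetical scanner export (constructed): host -> unpatched CVE IDs.
FINDINGS = {
    "fw-edge-01": ["cve-2017-15944"],
    "dc-01": ["CVE-2022-26923", "CVE-0000-0000"],  # second ID: non-KEV placeholder
    "sap-app-02": ["CVE-2022-22536 "],
}

if __name__ == "__main__":
    report = triage(FINDINGS, load_kev(KEV_FEED), date(2022, 9, 10))
    for left, host, cve, status, title in report:
        print(f"{status:8} {left:+4d}d  {host:12} {cve:15} {title}")
```

Findings that are not in the catalog are dropped from this report, so they still need the normal severity-based patching process.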
