The US Cybersecurity and Infrastructure Security Agency (CISA) has added nine new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including two recently patched zero-day issues affecting Adobe Commerce/Magento Open Source and Google Chrome. CISA orders all Federal Civilian Executive Branch (FCEB) agencies to address both security vulnerabilities by March 1st, 2022.
The ‘Known Exploited Vulnerabilities Catalog’ is a list of vulnerabilities that threat actors are known to have abused in attacks and that Federal Civilian Executive Branch (FCEB) agencies are required to address.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Known Exploited Vulnerabilities Catalog and address the listed vulnerabilities in their infrastructure.
“CISA has added nine new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence that threat actors are actively exploiting the vulnerabilities listed in the table below. These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.” reads CISA’s announcement.
Below is the list of the vulnerabilities added to the catalog:
| CVE Number | CVE Title | Remediation Due Date |
| --- | --- | --- |
| CVE-2022-24086 | Adobe Commerce and Magento Open Source Improper Input Validation Vulnerability | 3/1/2022 |
| CVE-2022-0609 | Google Chrome Use-After-Free Vulnerability | 3/1/2022 |
| CVE-2019-0752 | Microsoft Internet Explorer Type Confusion Vulnerability | 8/15/2022 |
| CVE-2018-8174 | Microsoft Windows VBScript Engine Out-of-Bounds Write Vulnerability | 8/15/2022 |
| CVE-2018-20250 | WinRAR Absolute Path Traversal Vulnerability | 8/15/2022 |
| CVE-2018-15982 | Adobe Flash Player Use-After-Free Vulnerability | 8/15/2022 |
| CVE-2017-9841 | PHPUnit Command Injection Vulnerability | 8/15/2022 |
| CVE-2014-1761 | Microsoft Word Memory Corruption Vulnerability | 8/15/2022 |
| CVE-2013-3906 | Microsoft Graphics Component Memory Corruption Vulnerability | 8/15/2022 |
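The practical step behind the directive, for federal agencies and for the private organizations the article says should follow suit, is to match the catalog against what is actually deployed and work the due dates. The following script is an added example written for this page, not code from SecurityAffairs or from CISA: it parses records in the shape of CISA's public KEV JSON feed (the field names `cveID`, `vulnerabilityName` and `dueDate` are assumed from that feed; the feed URL in the comment is the public one), matches them against a constructed asset inventory, and sorts the findings by how many days remain before the remediation due date. The three sample records are constructed from the table above, and the inventory is constructed too.

```python
"""Triage an asset inventory against CISA's Known Exploited Vulnerabilities (KEV) catalog.

Added example, not part of the article or of any CISA tooling. The record layout
(cveID, vulnerabilityName, dueDate, plus vendorProject/product) is assumed from the
public feed at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json;
everything below is embedded so the script runs offline.
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed, using three rows from the table
# in the article (due dates 3/1/2022 and 8/15/2022 written as ISO dates).
KEV_SAMPLE_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2022-24086", "vendorProject": "Adobe",
         "product": "Commerce and Magento Open Source",
         "vulnerabilityName": "Adobe Commerce and Magento Open Source "
                              "Improper Input Validation Vulnerability",
         "dueDate": "2022-03-01"},
        {"cveID": "CVE-2022-0609", "vendorProject": "Google", "product": "Chrome",
         "vulnerabilityName": "Google Chrome Use-After-Free Vulnerability",
         "dueDate": "2022-03-01"},
        {"cveID": "CVE-2017-9841", "vendorProject": "PHPUnit", "product": "PHPUnit",
         "vulnerabilityName": "PHPUnit Command Injection Vulnerability",
         "dueDate": "2022-08-15"},
    ]
})

# Constructed inventory: asset name -> CVE ids reported by a scanner or SBOM tool.
# "CVE-0000-00000" is a placeholder for a finding that is NOT in the catalog and
# should therefore be ignored by the triage (it still needs patching on its own cycle).
INVENTORY = {
    "shop-web-01": ["CVE-2022-24086", "CVE-0000-00000"],
    "dev-laptop-07": ["CVE-2022-0609"],
    "ci-runner-02": ["CVE-2017-9841"],
}


def load_kev(feed_text):
    """Parse feed JSON into {cveID: record}, converting dueDate to a date object."""
    catalog = {}
    for rec in json.loads(feed_text)["vulnerabilities"]:
        entry = dict(rec)
        entry["dueDate"] = date.fromisoformat(rec["dueDate"])
        catalog[rec["cveID"]] = entry
    return catalog


def triage(inventory, catalog, today):
    """Return findings for inventory CVEs that appear in the catalog.

    Each finding carries the days left until the remediation due date (negative when
    already overdue) and a status of OVERDUE, DUE_TODAY or OPEN. Findings are sorted
    most urgent first, then by asset name so the output is stable.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for asset, cves in inventory.items():
        for cve in cves:
            rec = catalog.get(cve)
            if rec is None:
                continue  # not a KEV entry: outside the directive's scope
            days_left = (rec["dueDate"] - today).days
            if days_left < 0:
                status = "OVERDUE"
            elif days_left == 0:
                status = "DUE_TODAY"
            else:
                status = "OPEN"
            findings.append({
                "asset": asset, "cve": cve, "name": rec["vulnerabilityName"],
                "due": rec["dueDate"].isoformat(), "days_left": days_left,
                "status": status,
            })
    findings.sort(key=lambda f: (f["days_left"], f["asset"]))
    return findings


def report(inventory, catalog, today):
    """Render the triage as one line per finding, most urgent first."""
    lines = []
    for f in triage(inventory, catalog, today):
        lines.append(f"{f['status']:<9} {f['cve']:<15} due {f['due']} "
                     f"({f['days_left']:+d} days) on {f['asset']}: {f['name']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Run against the day after the first due date to show the overdue path.
    print(report(INVENTORY, load_kev(KEV_SAMPLE_JSON), "2022-03-02"))
```

To use it against the live catalog, replace `KEV_SAMPLE_JSON` with the downloaded feed and feed the inventory from your scanner's export; the `dueDate` field is what turns a list of CVEs into a work queue, which is the point of the directive's due-date column.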
This week, Adobe rolled out security updates to address a critical security vulnerability, tracked as CVE-2022-24086, affecting its Commerce and Magento Open Source products that is being actively exploited in the wild.
“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.” reads the advisory published by Adobe.
The flaw is an “improper input validation” vulnerability that could be exploited by threat actors with administrative privileges to achieve arbitrary code execution on vulnerable systems.
CVE-2022-24086 has received a CVSS score of 9.8 out of 10; it is classified as a pre-authentication issue, which means that it could be exploited without credentials.
The vulnerability affects Adobe Commerce and Magento Open Source versions 2.4.3-p1/2.3.7-p2.
CISA also added CVE-2022-0609 to the catalog, a high-severity Chrome zero-day flaw fixed by Google this week that is being actively exploited. Google released a Chrome emergency update for Windows, Mac, and Linux. This is the first Chrome zero-day fixed this year by Google.
The zero-day is a use-after-free issue that resides in Animation; the bug was reported by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group.
One of the vulnerabilities is an elevation of privilege vulnerability in Microsoft Windows SAM (Security Accounts Manager). The US agency also added the CVE-2015-2051 remote code execution flaw impacting D-Link DIR-645 routers.
Among the issues added to the catalog there are also old vulnerabilities, such as CVE-2014-4404, an Apple OS X heap-based buffer overflow vulnerability. Another older issue added to the catalog is CVE-2020-0796, a vulnerability in the SMBv3 protocol that could be exploited by vxers to implement “wormable” malware.
(SecurityAffairs – hacking, CISA)