On September 15, 2022, the Cybersecurity and Infrastructure Security Agency (CISA) added six critical vulnerabilities to its Known Exploited Vulnerabilities Catalog.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise,” the Agency wrote.
Three of the six issues involve the Linux kernel, one the Code Aurora ACDB audio driver (found in third-party products such as Qualcomm and Android), and one a remote code execution risk in Microsoft Windows.
While CISA's Vulnerability Catalog is regularly updated, the newly added flaws are noticeable because some of them are quite old.
“What is concerning me is that four of the CVEs posted [yesterday] are from 2013, and one is from 2010,” Paul Baird, chief technical security officer UK at Qualys, told Infosecurity Magazine.
Only one of the newly exploited vulnerabilities is a 2022 CVE. According to the executive, this demonstrates that many businesses struggle to fully understand their information technology (IT) infrastructure, keep those IT assets up to date, or adequately mitigate issues so that there is no risk of exploitation.
“Patching known vulnerabilities is one of the best ways to prevent attacks, but many companies are finding it hard to keep up,” Baird added. “Similarly, end-of-life systems should be replaced or migrated if they are still needed for businesses.”
The six known vulnerabilities were added to CISA's catalogue just days after the Agency added two zero-day attacks affecting Microsoft Windows Common Log File System Driver and Apple iOS / iPadOS / macOS Monterey and Big Sur, respectively.
In addition, CISA has recently published new guidelines to assist developers in improving the security of the software supply chain. CISA, the National Security Agency (NSA), and the Office of the Director of National Intelligence collaborated on the document (ODNI).
