
CISA’s vulnerabilities in KEV: Federal Agencies Have to Fix Them


CISA has added 6 vulnerabilities to its “Known Exploited Vulnerabilities Catalog” and has ordered federal agencies to patch them by following the vendors’ instructions.

CISA, the U.S. Cybersecurity and Infrastructure Security Agency, has given government agencies until 6 October to fix the security flaws, which were disclosed between 2010 and 2022. Under its directive, CISA has instructed federal agencies to remediate the newly added vulnerabilities.

Exploiting the majority of the vulnerabilities added to the list gives attackers local privilege escalation or admin-level access to the system, while two of them allow malicious code to be executed remotely (remote code execution, RCE).

Of the vulnerabilities, which span the years 2010 to 2022, most were identified in 2013 and were exploited by the Tizi spyware, which was engineered to get into the social media accounts of Android users.

The list of security flaws discovered in 2013 includes:

  • CVE-2013-6282: local privilege escalation; used for rooting Android devices.
  • CVE-2013-2597: local privilege escalation via an overflow in the Code Aurora audio driver.
  • CVE-2013-2596: local privilege escalation via a Linux kernel integer overflow.
  • CVE-2013-2094: local privilege escalation in the Linux kernel.

CISA also added the oldest bug in the KEV catalog, disclosed in 2010: the flaw held responsible for spreading the Stuxnet worm, which set back the country’s development of nuclear weapons by destroying the machines at the Natanz uranium enrichment plant.

The 2010 bug, CVE-2010-2568, allows a remote attacker to inject malicious code into the system. The newest entry on the list was identified a month ago and is the only flaw from this year; attackers exploited it against Trend Micro Apex One and Apex One as a Service. That bug, CVE-2022-40139, is described as an improper validation issue.

The full list of vulnerabilities is publicly available on CISA’s Known Exploited Vulnerabilities catalog website. Binding Operational Directive 22-01, issued in November 2021, legally makes every federal civilian agency responsible for remediating each vulnerability that CISA adds to the catalog as a Known Exploited Vulnerability, in order to maintain a secure environment.
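The practical side of BOD 22-01 is matching your own asset inventory against the catalog's due dates. The script below is an added illustration, not CISA's code or tooling: it parses a constructed sample in the shape of the KEV JSON feed (the field names cveID, vendorProject, product, dateAdded and dueDate follow the public feed; the dates, descriptions, the inventory and the CVE-1900-0001 placeholder entry are made up here) and reports which CVEs on which assets are overdue, due soon, scheduled, or not in the catalog at all.

```python
"""Triage an asset inventory against a KEV-style feed and its BOD 22-01 due dates."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names follow the
# public feed; dates and descriptions are made up, CVE-1900-0001 is a placeholder.
SAMPLE_KEV_JSON = """{
  "title": "constructed KEV sample",
  "vulnerabilities": [
    {"cveID": "CVE-2010-2568", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "placeholder", "dateAdded": "2022-09-15",
     "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-10-06"},
    {"cveID": "CVE-2013-6282", "vendorProject": "Linux", "product": "Kernel",
     "vulnerabilityName": "placeholder", "dateAdded": "2022-09-15",
     "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-10-06"},
    {"cveID": "CVE-2022-40139", "vendorProject": "Trend Micro", "product": "Apex One",
     "vulnerabilityName": "placeholder", "dateAdded": "2022-09-15",
     "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-10-06"},
    {"cveID": "CVE-1900-0001", "vendorProject": "placeholder", "product": "placeholder",
     "vulnerabilityName": "placeholder", "dateAdded": "2022-10-11",
     "shortDescription": "placeholder", "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2022-11-01"}
  ]
}"""

# Constructed inventory: which CVEs a scanner reports on which assets.
SAMPLE_INVENTORY = [
    {"asset": "his-01", "cves": ["CVE-2013-6282", "CVE-2010-2568"]},
    {"asset": "edr-gw", "cves": ["CVE-2022-40139", "CVE-1900-0001"]},
    {"asset": "db-02", "cves": ["CVE-2013-2094"]},  # not in this sample feed
]


def load_kev(raw):
    """Parse a KEV feed and index its entries by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}


def _as_date(d):
    return d if isinstance(d, date) else date.fromisoformat(d)


def classify(due, today, warn_days=7):
    """Bucket a due date relative to today: overdue / due_soon / scheduled."""
    remaining = (_as_date(due) - _as_date(today)).days
    if remaining < 0:
        return "overdue"
    if remaining <= warn_days:
        return "due_soon"
    return "scheduled"


def triage(kev, inventory, today, warn_days=7):
    """Map every CVE in the inventory to its assets, KEV due date and status.
    CVEs absent from the feed are reported as not_in_kev (still worth fixing,
    but outside the directive's clock)."""
    report = {}
    for item in inventory:
        for cve in item["cves"]:
            entry = report.setdefault(
                cve, {"assets": [], "dueDate": None, "status": "not_in_kev"})
            entry["assets"].append(item["asset"])
            kev_entry = kev.get(cve)
            if kev_entry:
                entry["dueDate"] = kev_entry["dueDate"]
                entry["status"] = classify(kev_entry["dueDate"], today, warn_days)
    return report


def overdue_cves(kev, inventory, today):
    """Sorted CVE ids whose due date has passed and which are still present on an asset."""
    return sorted(c for c, r in triage(kev, inventory, today).items()
                  if r["status"] == "overdue")


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for cve, r in sorted(triage(kev, SAMPLE_INVENTORY, "2022-10-10").items()):
        print(f"{cve:15} {r['status']:10} due={r['dueDate']} assets={','.join(r['assets'])}")
```

Against the real feed you would replace SAMPLE_KEV_JSON with the downloaded catalog and SAMPLE_INVENTORY with scanner output; the status buckets are what a remediation tracker needs to prioritise.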

WatchGuard Firewall Exploit Threatens Appliance Takeover


WatchGuard has fixed multiple vulnerabilities in two major firewall brands, ranging in severity from medium to critical. Two of the flaws, when combined, permitted Ambionics security engineer Charles Fol to gain pre-authentication remote root on any WatchGuard Firebox or XTM appliance. 

Both the Firebox and XTM product lines were implicated in a number of hacking attacks earlier this year, with Russian state-sponsored threat actor Sandworm exploiting a privilege escalation vulnerability to build the Cyclops Blink botnet, which was shut down in April. 

WatchGuard released three firmware updates over a four-month period, patching a number of critical vulnerabilities.

Complete access as root

Fol told The Daily Swig, “By combining the two latter, a remote, unauthenticated attacker can get complete access to the firewall system as a super user, or root. This is the worst possible impact. He or she can now read or change the configuration, intercept traffic, et cetera. The first one, in some cases, allows an attacker to obtain the master credentials of the authentication servers, and possibly use this to connect as an administrator on the firewall.”

Fol believes that as a result of the numerous security alerts generated during his research, including those relating to Cyclops Blink, fewer WatchGuard users now have their administration interface exposed on the internet.

"The first vulnerability, XPath, is accessible through the standard client interface, and as such is much more likely to be exposed; a quick Shodan search revealed around 350,000 instances," he said.

He recommends that users remove their administration interface from the internet and keep their systems up to date. Fol stated that he reported the flaws at the end of March and received a prompt response. A month later, the security team at WatchGuard confirmed that a patch would be available on June 21.

SonicWall Urges Admins to Fix SSLVPN SMA1000 Flaws


SonicWall is urging customers to fix multiple high-risk security vulnerabilities in its Secure Mobile Access (SMA) 1000 Series line of products, which might allow attackers to evade authorization and compromise unpatched devices. 

Enterprises utilise SonicWall SMA 1000 SSLVPN solutions to provide end-to-end secure remote access to business resources in on-premises, cloud, and hybrid data centre environments. The first bug (a high-severity unauthenticated access control bypass) has been assigned CVE-2022-22282, while the other two (a hard-coded cryptographic key and an open redirect, both of medium severity) are still awaiting CVE IDs.

"SonicWall strongly urges that organizations using the SMA 1000 series products upgrade to the latest patch," the company says in a security advisory published this week. 

SonicWall added that it has found no evidence of these vulnerabilities being exploited in the wild. According to the company, the vulnerabilities do not affect SMA 1000 series devices running versions prior to 12.4.0, SMA 100 series products, CMS, or remote access clients. The following SMA 1000 Series models are affected: 6200, 6210, 7200, 7210, and 8000v (ESX, KVM, Hyper-V, AWS, Azure).

The most serious of the three flaws is CVE-2022-22282, which allows unauthenticated attackers to bypass access control and reach internal resources. It can be exploited remotely in low-complexity attacks that require no user interaction. If left unpatched and abused, the hard-coded cryptographic key flaw can have severe consequences, giving attackers access to encrypted passwords.

According to MITRE's CWE database, "The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered. If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question." 
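Two defensive angles follow from that CWE entry: catch key material that is baked into an image or config before it ships, and generate keys per install instead. The block below is an added illustration in Python, not SonicWall's code and not a description of the SMA 1000 flaw itself: a small lint that flags quoted, high-entropy values assigned to key-like names (while skipping placeholders, environment references and paths), plus a first-boot key provisioning routine, run over a constructed config sample.

```python
"""Detect hard-coded key material (CWE-321) in config text, and provision keys per install instead."""
import math
import os
import re
import secrets
import tempfile
from collections import Counter

# Constructed appliance config, not from any vendor.
SAMPLE_CONFIG = '''\
# constructed appliance config; not from any vendor
listen_port = 8443
vpn_cluster_name = "sma-lab-01"
# vulnerable: the same key ships in every image, so one extracted copy
# decrypts the stored credentials of every appliance
credential_key = "5f1c0a9e7b3d44c2a8e6f01d9b2c7e31"
password_hint = "changeme"
# hardened: key material lives outside the image and is generated per install
credential_key_path = "/var/lib/appliance/cred.key"
api_token = "${API_TOKEN}"
'''

# name = "literal" where the name suggests key material
KEY_ASSIGN = re.compile(
    r"(?i)\b(\w*(?:key|secret|passw(?:or)?d|token)\w*)\s*[:=]\s*(?P<q>[\"'])(?P<val>.*?)(?P=q)")
# literal values that are not secrets: placeholders, template/env references, paths
NOT_MATERIAL = [
    re.compile(r"(?i)^(changeme|placeholder|example|todo|x+|\*+)$"),
    re.compile(r"^\$\{[^}]+\}$|^%[^%]+%$|^<[^>]+>$"),
    re.compile(r"^(/|\./|~/)"),
]


def shannon_entropy(s):
    """Bits per character: random hex is near 4, base64 near 6, English text near 3.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_hardcoded_keys(text, min_len=16, min_entropy=3.0):
    """Return (line number, name, value) for each likely hard-coded key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = KEY_ASSIGN.search(line)
        if not m:
            continue
        val = m.group("val")
        if len(val) < min_len or any(p.match(val) for p in NOT_MATERIAL):
            continue
        if shannon_entropy(val) < min_entropy:
            continue
        findings.append((lineno, m.group(1), val))
    return findings


def provision_key(path, nbytes=32):
    """Per-install key: generated once with a CSPRNG at first boot, stored with
    mode 0600, never embedded in the shipped image. Re-reads on later calls."""
    if os.path.exists(path):
        with open(path, "rb") as f:
            return f.read()
    key = secrets.token_bytes(nbytes)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return key


def demo_provision(base_dir=None):
    """Provision keys for two 'appliances' and show they persist but differ."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="keydemo-")
    a1 = provision_key(os.path.join(base_dir, "appliance-a.key"))
    a2 = provision_key(os.path.join(base_dir, "appliance-a.key"))  # re-read, not regenerated
    b = provision_key(os.path.join(base_dir, "appliance-b.key"))
    return {"persistent": a1 == a2, "unique_per_install": a1 != b, "key_bytes": len(a1)}


if __name__ == "__main__":
    for lineno, name, val in find_hardcoded_keys(SAMPLE_CONFIG):
        print(f"line {lineno}: {name} looks like hard-coded key material ({val[:8]}...)")
    print(demo_provision())
```

The entropy threshold and name list are heuristics; the lint is a pre-ship gate, not proof of absence. The point of provision_key is the property the CWE text describes from the other side: with a unique key per appliance, recovering one device's key yields nothing about another's.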

Threat actors would most likely seek ways to compromise SMA 1000 series VPN appliances because they are utilised to protect remote connections into corporate networks. SonicWall also warned in July 2021 that end-of-life SMA 100 series and Secure Remote Access systems will be more vulnerable to ransomware assaults. 

SonicWall's products are used by over 500,000 commercial clients in 215 countries and territories across the world, with many of them deployed on the networks of government agencies and the world's major corporations.

11 High-Severity Flaws in Security Products Patched by Cisco


This week, Cisco released its April 2022 bundle of security advisories for Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC). 

The semiannual bundled advisories include a total of 19 flaws in Cisco security products, with 11 of them being classified as "high severity." 

The most serious of these, CVE-2022-20746 (CVSS score 8.8), is an FTD vulnerability caused by improper handling of TCP flows; it can be exploited remotely without authentication to create a denial of service (DoS) condition.

“An attacker could exploit this vulnerability by sending a crafted stream of TCP traffic through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition,” Cisco explains in an advisory. 

The IT giant has addressed the problem with the introduction of new FTD versions. Fixes will also be included in further FTD releases, including 7.0.2, which will be released next month. Several more DoS vulnerabilities, all rated "high severity," were fixed in the same FTD releases, including some that affect ASA as well; those were addressed in ASA releases including 9.14.4. Other problems fixed by these software upgrades could result in privilege escalation or data manipulation when using an IPsec IKEv2 VPN channel.

Cisco also fixed an ASA-specific flaw that allowed an attacker to access sensitive information from process memory. Firepower Management Center (FMC) releases, including the upcoming 7.0.2, resolve a remotely exploitable security protection bypass flaw, according to the tech giant.

Cisco stated, “An attacker could exploit this vulnerability by uploading a maliciously crafted file to a device running affected software. A successful exploit could allow the attacker to store malicious files on the device, which they could access later to conduct additional attacks, including executing arbitrary code on the affected device with root privileges."

Fixes for eight medium-severity vulnerabilities in these security products are included in the company's semiannual bundled publishing of security advisories. Cisco is not aware of any attacks that take advantage of these flaws.

Japanese Automation Firm Yokogawa Patches CENTUM, Exaopc Vulnerabilities


Yokogawa Electric Corp., of Japan, recently patched multiple critical flaws in its control system software that can be abused to suppress alarms, read or write files, crash the server, or execute arbitrary code. 

Researchers at cybersecurity firm Dragos have identified ten critical flaws in Yokogawa’s CENTUM VP distributed control system (DCS) and the Exaopc OPC server for CENTUM systems. The remotely exploitable vulnerabilities are related to hard-coded credentials, relative path traversal, improper output neutralization for logs, OS command injection, permissions, privileges, access controls, and uncontrolled resource consumption. 

Some of the vulnerabilities, many of which have been assigned a “high severity” rating, require local access to the targeted device, while others can be abused by sending specially crafted packets to the Consolidated Alarm Management Software (CAMS) for the human interface station (HIS or HMI).

“Most likely, the adversary would need access to the LAN for successful exploitation,” Sam Hanson, vulnerability expert in Dragos' Threat Operations Center, stated. “However, if the HIS is somehow internet-facing then exploitation from the internet is possible.” 

Thus far, Dragos researchers have no evidence to suggest that vulnerabilities are exploited in the wild. However, in a real-world attack, a malicious actor could abuse the security loopholes to secure access to the HIS or render it useless by causing a DoS condition. 

“An adversary could use these issues to affect a loss of control and loss of view. Depending on the configuration, the adversary could manipulate physical process controls,” Hanson added. 

The Japanese automation giant has released patches and mitigations for the affected products. However, CENTUM CS 3000 products, which have reached end of life, will not receive updates, and users have been advised to migrate to CENTUM VP. The company released details about the flaws in January and February, and the US Cybersecurity and Infrastructure Security Agency (CISA) published its own advisory in late March.

“CENTUM VP has been targeted in the past by security researchers. HIS operations involve many file system interactions and therefore there are plenty of places for bugs (such as directory traversals) to appear,” Hanson concluded. “While security has improved over time, Dragos expects more of this type of issue to surface until Yokogawa can find a way to mitigate these issues en masse (through file system permissions, sandboxing, or utilizing a common DLL for file access, etc.).” 

Earlier this year in February, Dragos reported that 1,703 ICS/OT vulnerabilities received a CVE identifier in 2021, more than twice as many as in the previous year. More than two-thirds of the security loopholes examined by the firm impacted systems located deep within the industrial network.

Cisco SD-WAN Security Flaw Allows Root Code Execution


Cisco SD-WAN implementations are vulnerable to a high-severity privilege-escalation flaw in the IOS XE operating system, which could result in arbitrary code execution.

Cisco's SD-WAN portfolio enables enterprises of all sizes to link different office sites over the cloud utilising a variety of networking technologies, including standard internet connections. Appliances at each location allow advanced analytics, monitoring, application-specific performance specifications and automation throughout a company's wide-area network. Meanwhile, IOS XE is the vendor's operating system that runs those appliances. 

The vulnerability (CVE-2021-1529) is an OS command-injection flaw: it lets an attacker run unexpected, harmful commands directly on the underlying operating system, which would otherwise be inaccessible. It exists specifically in the command-line interface (CLI) of Cisco's IOS XE SD-WAN software, and it could permit an authenticated, local attacker to run arbitrary commands with root privileges.

According to Cisco’s advisory, posted this week, “The vulnerability is due to insufficient input validation by the system CLI. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges.” 

The alert further stated that the exploit method would comprise authenticating to a susceptible device and delivering "crafted input" to the system CLI. An attacker with successful compromise would be able to read and write any files on the system, execute operations as any user, modify system configurations, install and uninstall software, update the OS and/or firmware, and much more, including subsequent access to a corporate network. 
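The root cause Cisco names, insufficient input validation in the CLI, is the general shape of every OS command injection. The block below is an added illustration in Python and is not Cisco's code (the product's CLI is not Python): it shows how a diagnostic command such as ping should take its target, with an allowlist validator (hostname or IP literal, no leading hyphen so the value can never be read as an option) and an argv list passed without a shell, so metacharacters in the input are never interpreted. A recording runner stands in for subprocess.run so the behaviour can be checked without network access.

```python
"""Hardened handling of user-supplied input for a diagnostic CLI command (the bug class behind OS command injection)."""
import ipaddress
import re
import subprocess

# Allowlist for a dotted hostname: letters, digits, hyphens; no label starts with a
# hyphen, so the value can never be parsed by the target program as an option.
_HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.(?!-)[A-Za-z0-9-]{1,63})*\.?$")


def validate_target(value):
    """Return the value if it is an IP literal or a plain hostname; raise ValueError otherwise."""
    if not value or len(value) > 253:
        raise ValueError("empty or too long")
    try:
        return str(ipaddress.ip_address(value))  # accepts IPv4 and IPv6 literals only
    except ValueError:
        pass
    if not _HOSTNAME.match(value):
        raise ValueError("not a hostname or IP address")
    return value


def is_safe_target(value):
    try:
        validate_target(value)
        return True
    except ValueError:
        return False


def argv_for_ping(target):
    """Build an argv list. With shell=False every element is one literal argument,
    so ';', '$(...)', backticks or '|' in target are never interpreted."""
    return ["ping", "-c", "1", validate_target(target)]


def run_diagnostic(target, runner=subprocess.run):
    """Run the diagnostic with no shell and a timeout; returns argv and the exit code."""
    argv = argv_for_ping(target)
    proc = runner(argv, shell=False, capture_output=True, text=True, timeout=5)
    return {"argv": argv, "returncode": proc.returncode}


class RecordingRunner:
    """Test double for subprocess.run: records argv instead of executing anything."""
    def __init__(self):
        self.calls = []

    def __call__(self, argv, **kwargs):
        self.calls.append((list(argv), kwargs.get("shell")))
        return subprocess.CompletedProcess(argv, 0, "", "")


if __name__ == "__main__":
    for candidate in ["gateway.example.net", "10.0.0.1", "10.0.0.1; id", "-f", "$(uname)"]:
        print(f"{candidate!r:24} accepted={is_safe_target(candidate)}")
    try:
        print(run_diagnostic("127.0.0.1"))
    except (FileNotFoundError, subprocess.TimeoutExpired) as e:
        print("ping not available here:", e)
```

Validation and no-shell execution are independent layers: the allowlist rejects crafted input before it reaches any command, and the argv list means that even a value that slips past validation reaches the program as a single argument rather than as shell syntax.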

CVE-2021-1529 has a rating of 7.8 on the CVSS vulnerability-severity scale, and researchers and the Cybersecurity and Infrastructure Security Agency (CISA) have advised organisations to fix the problem as soon as possible. 

Greg Fitzgerald, co-founder of Sevco Security, cautioned that some firms may still have outdated machines connected to their networks, where issues like these can persist unnoticed.

He stated in the email, “The vast majority of organizations do an excellent job patching the vulnerabilities on the systems they know about. The problem arises when enterprises do not have complete visibility into their asset inventory, because even the most responsive IT and security teams can’t patch a vulnerability for an asset they don’t know is connected to their network. Abandoned and unknown IT assets are often the path of least resistance for malicious actors trying to access your network or data.”

This is only the latest SD-WAN vulnerability addressed by Cisco this year. In January it patched several significant buffer-overflow and command-injection SD-WAN flaws, the most serious of which could be abused by an unauthenticated, remote attacker to execute arbitrary code with root privileges on the affected server.

F5 Security Patched Severe Vulnerabilities in its BIG-IP Networking Device


F5 has patched over a dozen severe vulnerabilities in its BIG-IP networking device, including one that is classified as critical severity when exploited under certain conditions.

A privilege escalation flaw, tracked as CVE-2021-23031 affects the BIG-IP Advanced Web Application Firewall (WAF) and Application Security Manager (ASM) Traffic Management User Interface (TMUI). 

An authenticated attacker with access to the Configuration utility can exploit the issue to run arbitrary system commands, create or remove files, and/or stop services. The flaw can therefore lead to complete compromise of the network device.

The vulnerability was assigned a severity score of 8.8, but according to the security notice, for users running Appliance Mode, which imposes additional technical constraints, the score rises to 9.9 out of 10. As the advisory for CVE-2021-23031 notes, this critical rating applies only to the small number of customers in that configuration.

“When this vulnerability is exploited, an authenticated attacker with access to the Configuration utility can execute arbitrary system commands, create or delete files, and/or disable services. This vulnerability may result in complete system compromise.” states the advisory. 

“The limited number of customers using Appliance mode have Scope: Changed, which raises the CVSSv3 score to 9.9. For information about Appliance mode, refer to K12815: Overview of Appliance mode.” 

The vendor advises updating the device; where that is not feasible, admins should restrict access to the Configuration utility to fully trusted users only.

The U. S. Cybersecurity and Infrastructure Security Agency (CISA) also issued a security notification advising users and administrators to examine the F5 security advisory and install updated software or implement adequate measures as soon as possible. 

F5 addressed 30 high-severity flaws in various products, including authenticated remote command execution vulnerabilities, cross-site scripting (XSS) issues, request forgery bugs, inadequate permission flaws, and denial-of-service flaws. 

The flaws were given a severity score ranging from 7.2 to 7.5. The following is a list of issues patched by the vendor, along with their CVE and CVSS scores:
  • CVE-2021-23025: High, 7.2
  • CVE-2021-23026: High, 7.5
  • CVE-2021-23027: High, 7.5
  • CVE-2021-23028: High, 7.5
  • CVE-2021-23029: High, 7.5
  • CVE-2021-23030: High, 7.5
  • CVE-2021-23031: High to Critical (Appliance mode only), 8.8–9.9
  • CVE-2021-23032: High, 7.5
  • CVE-2021-23033: High, 7.5
  • CVE-2021-23034: High, 7.5
  • CVE-2021-23035: High, 7.5
  • CVE-2021-23036: High, 7.5
  • CVE-2021-23037: High, 7.5

Lastly, the vendor also fixed medium and low severity vulnerabilities.