The US Cybersecurity and Infrastructure Security Agency (CISA) has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalogue, including CVEs in Code Aurora ACDB Audio Driver, Linux Kernel, Microsoft Windows and Trend Micro Apex One.
CISA’s catalogue serves as a focal point designed for US government agencies to keep their IT systems patched and secured against the most impactful vulnerabilities currently circulating. Compliance with the list is mandated for these organisations, but any security team at any organisation globally can benefit from keeping up to date with it.
The newly added vulnerabilities are as follows:
- CVE-2022-40139 in Trend Micro Apex One and Apex One as a Service. This is an improper validation vulnerability leading to remote code execution (RCE);
- CVE-2013-6282 in Linux Kernel. This is an improper input validation vulnerability that could allow an application to read and write kernel memory leading to privilege escalation;
- CVE-2013-2597 in Code Aurora ACDB Audio Driver, which is used in multiple third-party products including Android devices. This is a stack-based buffer overflow vulnerability allowing for privilege escalation;
- CVE-2013-2596 in Linux Kernel. This is an integer overflow vulnerability leading to privilege escalation;
- CVE-2013-2094, in Linux Kernel. This is a privilege escalation vulnerability resulting from a failure by the kernel to check all 64 bits of attr.config passed by user space;
- CVE-2010-2568 in Microsoft Windows, an RCE vulnerability arising from a situation where Windows incorrectly parses shortcuts in such a way that malicious code can execute if the operating system displays the icon of a malicious shortcut file.
US government bodies have until Thursday 6 October to patch the new vulnerabilities. As already noted, other organisations are not bound to this schedule, but are advised to act quickly.
Commenting on the latest additions to CISA’s list, Qualys’ UK chief technical security officer, Paul Baird, said: “Based on evidence of active exploitation, these types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk.
“What is concerning me is that four of the CVEs posted today are from 2013, and one is from 2010. Only one of the new exploited vulnerabilities is a CVE from 2022. This shows that there are a lot of companies out there that have problems around knowing their IT, keeping those IT assets up to date, or adequately mitigating those issues so that there is no risk of exploitation.
“Patching known vulnerabilities is one of the best ways to prevent attacks, but many companies are finding it hard to keep up. Similarly, end of life systems should be replaced or migrated if they are still needed for businesses,” said Baird.
The latest additions come just a day after CISA added two other potentially serious vulnerabilities to its catalogue.
The first of these, CVE-2022-37969, a privilege elevation vulnerability in Windows Common Log File System Driver that affects all versions of Windows and, if successfully exploited, an attacker could gain system-level privileges. This was addressed by Microsoft in its September Patch Tuesday update.
The second, CVE-2022-32197, is a vulnerability in Apple iOS, iPadOS and macOS, which – left unchecked – enables an application to execute code with kernel privileges.