On Friday March 3, the Cybersecurity and Infrastructure Security Agency (CISA) added a whopping number of 95 new known exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog.
This catalog provides Federal Civilian Executive Branch (FCEB) agencies with a list of vulnerabilities that are known to be exploited in the wild and gives the agencies a due date by when the vulnerability needs to be patched in their organization.
But even if your organization isn't a FCEB agency that needs to follow the Binding Operation Directive 22-01, the CISA list can act as a good guide for your patch managementstrategy.
95 new ones?
CISA normally sends out a mail every few days in which it details a few important vulnerabilities it's added to the Catalog. However, on March 3 it didn’t even enumerate the list. Instead, it just emailed a link to the Catalogand included instructions on how to find the most recently added vulnerabilities. If you're looking yourself, you need to click on the arrow on the of the "Date Added to Catalog" column, which will sort by descending dates.
Not so new
The first thing that jumped out at me is that these vulnerabilities were not all very new at all. The oldest vulnerability on that list is CVE-2002-0367, an almost 20 year old vulnerability in Windows NT and Windows 2000. In fact, only 5 vulnerabilities were patched in 2022. All these applied to Cisco’s Small Business RV160, RV260, RV340, and RV345 series routers by the way.
This brings me to the next thing that is remarkable. 38 of the 95 added vulnerabilities are for Cisco products. Other products include those by Microsoft (27), Adobe (16), and Oracle(7).
Of the Adobe vulnerabilities, nine were found in Flash Player. Adobe Flash Player reached End of Life (EOL) on December 31, 2020, after being first announced in 2017. Since Adobe no longer supports Flash Player, on January 12, 2021, the company started blocking Flash content from running. In fact, Adobe strongly recommendsall users immediately uninstall Flash Player to help protect their systems.
Pondering the reason for CISA to suddenly add 95 vulnerabilities to their list, I came up with the following options:
- It suddenly became aware of several old vulnerabilities that were nonetheless still being exploited.
- It suddenly decided to list vulnerabilities in software that has long reached EOL but could still be used a lot.
- The nature of actively exploited vulnerabilities has changed.
Personally, I suspect that the nature of the actively exploited vulnerabilities has changed. Last year, you would typically see exploited vulnerabilities that would allow an attacker to breach a network or compromise a system to gain a foothold. This allows attackers to exfiltrate data, plant ransomware, and other criminal activities that could lead to financial gain.
However, looking at some of the vulnerabilities that were included in this list of 95, I noticed that many could lead to Denial-of-Service (DoS) attacks.
- A vulnerabilityin Siemens SIMATIC CP 1543-1 versions before 2.0.28 allows remotely authenticated users to cause a denial of service by modifying SNMP variables.
- Multiple Cisco vulnerabilities on this list which could result in a DoS condition or cause an affected system to reload.
Other vulnerabilities could allow attackers to run arbitrary code or cause a denial of service. For example, a PowerPointvulnerability that has been around since 2015 and was found to be used by the Russian state-sponsored team APT28 (aka Fancy Bear) in 2018.
Some Flash Player vulnerabilitieswere found to be used in targeted attacks. The suspect in this case was APT37, also known as the North Korean “Lazarus” group.
A vulnerability in older Windows versions (Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1) would allow remote attackers to execute arbitrary code via a crafted OLE object in an Office document. The use of this exploit was attributedto the Russian “SANDWORM” operation.
I also found an Elevation of Privilege (EoP) vulnerability in a Windows Installeron the CISA list that would allow an attacker to delete targeted files on a system. However, they would NOT gain privileges to view or modify file contents.
Other interesting items on the list are some IoTvulnerabilities that got some fame in 2020 under the name Ripple20. Successful exploitation of these vulnerabilities could result in denial of service, information disclosure or remote code execution.
So, is it just me or is there a trend here that shows vulnerabilities that were previously hard to exploit for financial gain, but are perfectly usable to disrupt operations? Could it be that, no surprise, the war in Ukraine has changed the nature of the actively exploited vulnerabilities?
According to Adam Kujawa, Security Evangelist and Director of Malwarebytes' Threat Intel team:
"In 2007, we observed Russian sympathizers online utilizing hacking tools to launch disruption attacks against Georgian news networks and government networks, to prevent information from flowing to the public while Russia had troops roll in. Similar events have happened in Estonia, and Russian sponsored hackers are known to utilize Ukrainian networks as a kind of “playground” for their attacks, shutting off power grids and other critical infrastructure, launching massive supply chain attacks against them (as in the case of NotPetya). And those are just some of the attacks we know about.
With that in mind, I believe that while many of these vulnerabilities are useless against actual intrusion and espionage, the exploits developed from them will be used to disrupt and degrade rather than collect.
I am not sure how many of these have been used in the wild, and while it is great to see CISA be proactive in spreading this information, I must wonder how much of the information will get to those protecting networks in Ukraine? Could it be that CISA may have just handed over the knowledge about various disruptive exploits that will work on unpatched systems, to be used against those who don’t have endpoint patching as their top priority?"
Given the varied nature of the list, the most actionable advice is to keep an eye on the known exploited vulnerabilities catalog. To make things easier, you can subscribeto receive the updates. Besides the usual security advice, now seems to be a good time to invest in clever patch management, and ditch that software which has reached EOL and no longer receives security updates.
Stay safe, everyone!