CISA alerts federal agencies to old, still-exploited bugs

The U.S. Cyber ​​and Infrastructure Security Agency (CISA) has updated its list of known exploited vulnerabilities with 15 new security issues that are a common attack vector against federal businesses.

The latest additions vary in severity and date of disclosure, with some rated as medium risk while others date back to 2013.

In combination with other factors such as the presence of a threat actor on the network, old and unpatched devices, and / or device exposure on the public Internet, the vulnerabilities constitute a serious security breach. and an opportunity for the adversaries.

Old bugs on the list

CISA compiled the new list after finding evidence that security issues newly added to the catalog of known exploited vulnerabilities are being used in ongoing attacks.

Of the 15 entries, only four are newer, from 2021 and another from 2020. The rest are over two years old, the oldest of which is from 2013 – a bug in the WinVerifyTrust function followed as CVE-2013-3900, which affects versions of Windows from XP SP2 through Server 2012.

Another old vulnerability dates from 2015, remote code execution in IBM WebSphere Application Server and Server Hy Server Hypervisor Edition, identified as CVE-2015-7450 and classified as critical (severity level 9.8 out of 10).

The table below shows all of the vulnerabilities the CISA wants federal agencies to address this month to strengthen defenses against active threats. CISA recommends apply available updates according to the vendor’s instructions.

CVE ID	The description	Correction due date	NVD Severity Rating
CVE-2021-22017	VMware vCenter Server incorrect access control vulnerability	01/24/2022	5.3 (medium)
CVE-2021-36260	Incorrect entry validation vulnerability at Hikvision	01/24/2022	9.8 (critical)
CVE-2021-27860	FatPipe WARP, IPVPN and MPVPN Privilege Escalation vulnerability	01/24/2022	8.8 (high)
CVE-2020-6572	Google Chrome before 81.0.4044.92 Vulnerability after free use	07/10/2022	8.8 (high)
CVE-2019-1458	Microsoft Win32K elevation of privilege vulnerability	07/10/2022	7.8 (high)
CVE-2019-7609	Elastic Kibana remote code execution vulnerability	07/10/2022	10.0 (critical)
CVE-2019-2725	Oracle WebLogic Server Injection Vulnerability	07/10/2022	9.8 (critical)
CVE-2019-9670	Synacor Zimbra Collaboration Suite Inappropriate restriction of XML External Entity Reference Vulnerability	07/10/2022	9.8 (critical)
CVE-2019-10149	Exim Mail Transfer Agent (MTA) Bad Entry Validation Vulnerability	07/10/2022	9.8 (critical)
CVE-2019-1579	Palo Alto Networks PAN-OS Remote Code Execution Vulnerability	07/10/2022	8.1 (high)
CVE-2018-13383	Fortinet FortiOS and FortiProxy incorrect authorization vulnerability	07/10/2022	6.5 (medium)
CVE-2018-13382	Fortinet FortiOS and FortiProxy incorrect authorization vulnerability	07/10/2022	7.5 (high)
CVE-2017-100486	Primetek Primefaces application remote code execution vulnerability	07/10/2022	9.8 (critical)
CVE-2015-7450	Remote code execution vulnerability in IBM WebSphere Application Server and Server Hy Server Hypervisor Edition	07/10/2022	9.8 (critical)
CVE-2013-3900	Elastic Kibana remote code execution vulnerability	07/10/2022	N / A

The CISA catalog of known exploited vulnerabilities is part of the Binding Operational Directive (BOD) 22-01 to reduce security risks and for better vulnerability management.

Under this directive, federal civilian agencies must identify and remedy the security issues listed in the catalog in their systems.

Although the catalog is primarily aimed at federal civilian agencies, it is a good reference for organizations of all types to reduce their exposure to cyber risks.