The US Cybersecurity and Infrastructure Security Agency (CISA) has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including CVEs in the Code Aurora ACDB Audio Driver, the Linux kernel, Microsoft Windows, and Trend Micro Apex One.
The CISA catalog serves as a focal point designed for US government agencies to keep their IT systems patched and protected against the most impactful vulnerabilities currently in circulation. List compliance is mandatory for these organizations, but any security team in any organization globally can benefit from staying current.
The newly added vulnerabilities are as follows:
- CVE-2022-40139 in Trend Micro Apex One and Apex One as a Service. This is an improper validation vulnerability that leads to remote code execution (RCE);
- CVE-2013-6282 in the Linux kernel. This is an improper input validation vulnerability that could allow an application to read and write kernel memory, leading to escalation of privileges;
- CVE-2013-2597 in Code Aurora ACDB Audio Driver, which is used in various third-party products, including Android devices. This is a stack-based buffer overflow vulnerability that allows privilege escalation;
- CVE-2013-2596 in the Linux kernel. This is an integer overflow vulnerability that leads to privilege escalation;
- CVE-2013-2094 in the Linux kernel. This is a privilege escalation vulnerability resulting from the kernel's failure to check all 64 bits of the attr.config value passed in from user space;
- CVE-2010-2568 in Microsoft Windows, an RCE vulnerability that arises because Windows parses shortcut files incorrectly, so that malicious code can be executed when the operating system displays the icon of a malicious shortcut file.
US government agencies have until Thursday, October 6, to patch the new vulnerabilities. As noted, other organizations are not subject to this timeline, but are encouraged to act quickly.
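As an added illustration, not part of the original article, the following Python script shows how a security team outside the US government might track its own exposure against the catalog. It parses a constructed excerpt in the shape of CISA's public KEV JSON feed (the field names cveID, vendorProject, product and dueDate are the feed's; the entries and the asset inventory below are made up for this example) and reports which hosts carry a cataloged CVE and how many days remain before, or have passed since, the due date.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed. The field names are
# the feed's own; the entries mirror three of the CVEs described in the article.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2022-40139", "vendorProject": "Trend Micro",
         "product": "Apex One and Apex One as a Service", "dueDate": "2022-10-06"},
        {"cveID": "CVE-2013-2094", "vendorProject": "Linux",
         "product": "Kernel", "dueDate": "2022-10-06"},
        {"cveID": "CVE-2010-2568", "vendorProject": "Microsoft",
         "product": "Windows", "dueDate": "2022-10-06"},
    ]
})

# Constructed asset inventory: hostname -> set of CVE IDs a scanner reported
# as still open. "CVE-0000-0000" is a placeholder for a finding that is real
# but not in the catalog, so it should be ignored by the matching below.
INVENTORY = {
    "av-mgmt-01": {"CVE-2022-40139"},
    "build-node-07": {"CVE-2013-2094", "CVE-0000-0000"},
    "workstation-12": set(),
}


def load_kev(raw_json):
    """Parse a KEV-feed-style document into {cveID: entry} for fast lookup."""
    data = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def exposures(kev, inventory, today):
    """Return (host, cveID, days_until_due) for each open finding that is in the
    catalog. days_until_due goes negative once CISA's due date has passed."""
    results = []
    for host, open_cves in sorted(inventory.items()):
        for cve in sorted(open_cves):
            entry = kev.get(cve)
            if entry is None:
                continue  # open finding, but not a catalog entry
            due = date.fromisoformat(entry["dueDate"])
            results.append((host, cve, (due - today).days))
    return results


def overdue(kev, inventory, today):
    """Subset of exposures whose catalog due date is already in the past."""
    return [row for row in exposures(kev, inventory, today) if row[2] < 0]


if __name__ == "__main__":
    catalog = load_kev(KEV_SAMPLE)
    for host, cve, days in exposures(catalog, INVENTORY, date.today()):
        state = f"{-days} days overdue" if days < 0 else f"due in {days} days"
        print(f"{host}: {cve} ({catalog[cve]['vendorProject']}) - {state}")
```

For real use, replace KEV_SAMPLE with the body of the published feed and INVENTORY with the output of your vulnerability scanner; the due date is CISA's deadline for federal agencies, but the same number is a reasonable yardstick for any organization deciding how urgently to patch.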
Commenting on the latest additions to the CISA list, Qualys UK Technical Security Director Paul Baird said: “Based on evidence of active exploitation, these types of vulnerabilities are a frequent attack vector for malicious cyber actors and represent a significant risk.
“What worries me is that four of the CVEs published today are from 2013 and one is from 2010. Only one of the new vulnerabilities exploited is a CVE from 2022. This shows that there are many companies that have problems around knowing their IT, keeping those IT assets up to date, or properly mitigating those issues so there’s no risk of exploitation.
“Fixing known vulnerabilities is one of the best ways to prevent attacks, but many businesses find it difficult to keep up. Similarly, end-of-life systems need to be replaced or migrated if they are still needed by businesses,” Baird said.
The latest additions come just a day after CISA added two other potentially serious vulnerabilities to its catalog.
The first of these, CVE-2022-37969, is an elevation of privilege vulnerability in the Windows Common Log File System driver that affects all versions of Windows and, if successfully exploited, could allow an attacker to gain system-level privileges. This was addressed by Microsoft in its September Patch Tuesday update.
The second, CVE-2022-32197, is a vulnerability in Apple iOS, iPadOS, and macOS that, if left unpatched, allows an application to execute code with kernel privileges.