The US Cybersecurity and Infrastructure Security Agency (CISA) has added 12 vulnerabilities, including a Google Chrome zero-day, to its Known Exploited Vulnerabilities (KEV) catalog, and warned that these flaws are being actively exploited in attacks.
Under CISA's guidance, all Federal Civilian Executive Branch (FCEB) agencies must patch all of these vulnerabilities by September 29, 2022.
According to CISA, these bugs pose a serious threat to federal institutions and are a common attack vector for malicious actors.
The vulnerabilities that have been added to the KEV catalog are as follows:
- CVE-2022-3075 – Google Chromium Insufficient Data Validation Vulnerability
- CVE-2011-1823 – Android OS Privilege Escalation Vulnerability
- CVE-2022-28958 – D-Link DIR-816L Remote Code Execution Vulnerability
- CVE-2022-26258 – D-Link DIR-820L Remote Code Execution Vulnerability
- CVE-2018-6530 – Multiple D-Link Routers OS Command Injection Vulnerability
- CVE-2011-4723 – D-Link DIR-300 Router Cleartext Storage of a Password Vulnerability
- CVE-2022-27593 – QNAP Photo Station Externally Controlled Reference Vulnerability
- CVE-2020-9934 – Apple iOS, iPadOS, and macOS Input Validation Vulnerability
- CVE-2018-7445 – MikroTik RouterOS Buffer Overflow Vulnerability
- CVE-2018-2628 – Oracle WebLogic Server Unspecified Vulnerability
- CVE-2018-13374 – Fortinet FortiOS and FortiADC Improper Access Control Vulnerability
- CVE-2017-5521 – Multiple NETGEAR Devices Sensitive Information Disclosure Vulnerability
Last week Google released Chrome 105.0.5195.102 for Windows, Mac and Linux to address CVE-2022-3075, a high-severity bug in the Chrome web browser that is now being actively exploited in the wild.
CVE-2022-3075 is an insufficient data validation issue in Mojo, a set of runtime libraries that allow messages to be passed across arbitrary boundaries between and within processes.
In a security advisory, Google said it was “aware of reports of an exploit of CVE-2022-3075 in the wild.”
Another serious bug added to the KEV catalog is CVE-2022-27593 affecting QNAP Photo Station software.
Network Attached Storage (NAS) maker QNAP warned customers on Monday that a Photo Station zero-day bug has been exploited in DeadBolt ransomware attacks and that patched versions are now available.
According to QNAP, the attackers were using the flaw to encrypt QNAP NAS devices exposed directly to the Internet.
The attacks were widespread, with a noticeable rise in submissions to the ID Ransomware service on Saturday and Sunday.
There have also been reports this week of the Mirai-based MooBot botnet exploiting critical security bugs in D-Link devices. The goal of these attacks is to achieve remote code execution and seize control of unpatched devices.
D-Link has released fixes for all of these vulnerabilities, although not all users have installed the patches yet.
In November, CISA issued Binding Operational Directive 22-01 (BOD 22-01), which requires FCEB agencies to protect their systems against vulnerabilities added to the KEV catalog in order to reduce the risk of known exploits across US government networks.
Although BOD 22-01 applies only to US FCEB agencies, cybersecurity experts advise organizations in both the public and private sectors to prioritize fixing these issues.
Since issuing the binding directive in November, CISA has added more than 800 security vulnerabilities that are being exploited in attacks to its KEV catalog, each with a tight deadline by which federal agencies must patch in order to prevent security breaches.