The US Cybersecurity and Infrastructure Security Agency (CISA) on Friday added 10 new actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including a serious security flaw affecting Delta Electronics' industrial automation software.
The issue, tracked as CVE-2021-38406 (CVSS score: 7.8), impacts DOPSoft 2 versions 2.00.07 and earlier. Successful exploitation of the flaw can lead to the execution of arbitrary code.
“Delta Electronics DOPSoft 2 lacks proper validation of user-supplied data when parsing specific project files (incorrect input validation), resulting in out-of-bounds writes that allow code execution”, CISA said in an alert.
It should be noted that CVE-2021-38406 was originally disclosed as part of an Industrial Control Systems (ICS) Advisory published in September 2021.
However, no patch is available for the vulnerability, with CISA noting that “the affected product is end of life and should be disconnected if still in use.” Federal Civilian Executive Branch (FCEB) agencies are required to follow the directive by September 15, 2022.
Little information is available on the nature of the attacks that exploit the security bug, but a recent report from Palo Alto Networks Unit 42 highlighted cases of in-the-wild attacks taking advantage of the flaw between February and April 2022.
The development adds weight to the idea that adversaries are exploiting newly disclosed vulnerabilities faster than before, leading to indiscriminate and opportunistic scanning attempts that aim to take advantage of delayed patching.
These attacks often follow a specific exploit sequence that involves web shells, crypto-miners, botnets, and remote access Trojans (RATs), followed by initial access brokers (IABs) that then open the way to ransomware.
Other actively exploited flaws added to the list include the following –
- CVE-2022-26352 – Unrestricted dotCMS file download vulnerability
- CVE-2022-24706 – Apache CouchDB Insecure Default Initialization of Resource Vulnerability
- CVE-2022-24112 – Apache APISIX Authentication Bypass Vulnerability
- CVE-2022-22963 – VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability
- CVE-2022-2294 – WebRTC heap buffer overflow vulnerability
- CVE-2021-39226 – Grafana authentication bypass vulnerability
- CVE-2020-36193 – Improper Link Resolution Vulnerability in PEAR Archive_Tar
- CVE-2020-28949 – PEAR Archive_Tar Deserialization Rogue Data Vulnerability
iOS and macOS flaw added to list
Another high-severity flaw added to the KEV catalog is CVE-2021-31010 (CVSS score: 7.5), a deserialization issue in Apple’s Core Telephony component that could be exploited to circumvent sandbox restrictions.
The tech giant patched the flaw in iOS 12.5.5, iOS 14.8, iPadOS 14.8, macOS Big Sur 11.6 (and Security Update 2021-005 Catalina) and watchOS 7.6.2, released in September 2021.
Although there was no indication that the flaw was being exploited at the time, the tech giant appears to have silently revised its advisories on May 25, 2022 to add the vulnerability and confirm that it had indeed been abused in attacks.
“Apple was aware of a report that this issue may have been actively exploited at the time of publication,” the tech giant noted, attributing the discovery to Citizen Lab and Google Project Zero.
The September update is also notable for fixing CVE-2021-30858 and CVE-2021-30860, both of which were employed by NSO Group, makers of Pegasus spyware, to bypass operating system security features.
This raises the possibility that CVE-2021-31010 could have been combined with the two aforementioned flaws in an attack chain to evade the sandbox and achieve arbitrary code execution.