Many previously disclosed flaws listed, some dating back over a decade
Prajeet Nair (@prajeetspeaks)
May 30, 2022
The U.S. Cybersecurity and Infrastructure Security Agency has added 75 flaws to its catalog of known exploited vulnerabilities. The additions came in three batches on three consecutive days: 21 on Monday, 20 on Tuesday and 34 on Wednesday.
The Known Exploited Vulnerabilities catalog lists flaws for which CISA has evidence of active exploitation in the wild. Under the binding operational directive that created it, federal civilian agencies must remediate each listed vulnerability by the due date the catalog assigns.
Experts say a “significant” number of the vulnerabilities listed are old flaws – some dating back a decade.
“Most of them are at least several years old and some even go back 12 years. It is curious that known vulnerabilities published by NIST more than ten years ago have only just been added to the CISA catalog,” says Matthew Gribben, an independent cybersecurity expert and former GCHQ cybersecurity consultant.
In fact, many of the flaws relate to technology that is well past its end of life and no longer supported, Gribben says.
But CISA’s addition of the vulnerabilities to its catalog highlights that “despite the considerable risks facing organizations, exploitable and risky vulnerabilities are still not addressed in a timely manner, even years after their initial disclosure,” says Chris Morgan, cyber threat intelligence analyst at Digital Shadows.
The vulnerabilities also affect widely used software, including products from Cisco, Microsoft, Adobe and Oracle, Morgan adds.
Some of the older vulnerabilities affect Adobe Flash Player, Kaseya Virtual System/Server Administrator and Microsoft Silverlight. Where the affected product has reached end of life, as Flash Player and Silverlight have, there is no patch to apply; the only remediation is to stop using the product.
- CVE-2018-5002, for example, is a stack-based buffer overflow in Adobe Flash Player that can lead to remote code execution.
- CVE-2017-18362 is a SQL injection vulnerability affecting Kaseya Virtual System Administrator (VSA). CISA states: “The ConnectWise ManagedITSync integration for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database.”
- CVE-2013-0074 is a double dereference vulnerability in Microsoft Silverlight: Silverlight does not properly validate pointers when rendering HTML objects, which allows a remote attacker to execute arbitrary code via a specially crafted Silverlight application.
- CVE-2013-3993 is an invalid-input vulnerability in IBM InfoSphere BigInsights. The agency says that “certain BigInsights APIs may accept invalid input that could allow attackers unauthorized access to read, write, modify, or delete data.”
Unpatched systems are regularly exploited by criminals looking to gain a foothold in an organization. Additionally, “many of the vulnerabilities mentioned by CISA are remotely exploitable, making them an even higher priority to fix,” says Javvad Malik, security awareness advocate at KnowBe4, a security awareness training provider.
CISA has taken steps to improve the state of enterprise cybersecurity, particularly vulnerability and patch management, but that work is not always straightforward. Earlier this month the agency had to temporarily remove a Windows flaw from its catalog of known exploited vulnerabilities because applying Microsoft’s fix risked authentication failures (see: CISA Removes Windows Flaw From Exploited Catalog List).
“Patching isn’t always easy, and sometimes patches can inadvertently disrupt systems. That’s why it’s important for all organizations to develop and maintain their own patching policies to ensure they stay on top of patches in a timely manner and don’t rush to act on advice from CISA or similar organizations,” Malik says.
CISA established the catalog in November 2021 under a binding directive that requires listed flaws to be remediated within specific time frames. The initial release comprised about 200 vulnerabilities from 2017 through 2020 and 90 from 2021. The agency said at the time that it would regularly update the catalog with new vulnerabilities that met its inclusion criteria, based on evidence of active exploitation (see: CISA Orders Federal Agencies to Patch Known Vulnerabilities).
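The catalog described above, and the four entries listed earlier, point to a check any organization can automate: take the catalog's JSON feed, match it against vulnerability-scanner findings, and rank what is left by the catalog's due date, separating products that can be patched from end-of-life products that can only be disconnected. The script below is an added example and is not code from the article or from CISA. The catalog excerpt and the scanner findings in it are constructed; the field names (cveID, vendorProject, product, vulnerabilityName, dateAdded, requiredAction, dueDate) are assumed to follow the schema of the catalog's published JSON feed, and the dates and requiredAction wording are illustrative rather than the real entries. The end-of-life test is a string match on requiredAction, an assumption made because the feed has no dedicated field for it.

```python
"""Triage vulnerability-scanner findings against a CISA KEV catalog export.

Added example, not code from the article or from CISA. Everything below is
constructed for illustration: the catalog excerpt borrows the field names of
CISA's published KEV JSON feed (an assumption about the feed's schema), but the
dates and requiredAction text are illustrative, and the scanner findings are
made up.
"""
import json
from datetime import date

# Constructed catalog excerpt (illustrative dates and requiredAction text).
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2017-18362", "vendorProject": "Kaseya",
     "product": "Virtual System/Server Administrator (VSA)",
     "vulnerabilityName": "Kaseya VSA SQL Injection Vulnerability",
     "dateAdded": "2022-05-23", "dueDate": "2022-06-13",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2018-5002", "vendorProject": "Adobe", "product": "Flash Player",
     "vulnerabilityName": "Adobe Flash Player Stack-based Buffer Overflow Vulnerability",
     "dateAdded": "2022-05-24", "dueDate": "2022-06-14",
     "requiredAction": "The impacted product is end-of-life and should be disconnected if still in use."},
    {"cveID": "CVE-2013-0074", "vendorProject": "Microsoft", "product": "Silverlight",
     "vulnerabilityName": "Microsoft Silverlight Double Dereference Vulnerability",
     "dateAdded": "2022-05-25", "dueDate": "2022-06-15",
     "requiredAction": "The impacted product is end-of-life and should be disconnected if still in use."},
    {"cveID": "CVE-2013-3993", "vendorProject": "IBM", "product": "InfoSphere BigInsights",
     "vulnerabilityName": "IBM InfoSphere BigInsights Invalid Input Vulnerability",
     "dateAdded": "2022-05-25", "dueDate": "2022-06-15",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}"""

# Constructed scanner output: one row per (host, CVE). The last row uses a
# placeholder ID that is not in the catalog, to show how such findings are handled.
FINDINGS = [
    {"host": "ws-0417", "cve": "CVE-2018-5002"},
    {"host": "srv-db-02", "cve": "CVE-2017-18362"},
    {"host": "ws-0911", "cve": "CVE-2013-0074"},
    {"host": "ws-0911", "cve": "CVE-0000-0000"},
]


def load_kev(text):
    """Parse a catalog export and index its entries by CVE ID."""
    catalog = json.loads(text)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def is_end_of_life(entry):
    """The catalog has no dedicated end-of-life flag; entries for unsupported
    products say so in requiredAction, so match on that wording (assumption)."""
    return "end-of-life" in entry.get("requiredAction", "").lower()


def triage(findings, kev, today):
    """Return the findings that appear in the catalog, most urgent first.

    `today` is a date or an ISO date string. Findings absent from the catalog
    are dropped here: their exploitation status is unknown, so they stay on the
    organization's normal patch cadence rather than the catalog's due dates.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "host": finding["host"],
            "cve": finding["cve"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "days_until_due": (due - today).days,  # negative means overdue
            # Unsupported products cannot be patched; the fix is to disconnect them.
            "action": "disconnect" if is_end_of_life(entry) else "patch",
        })
    rows.sort(key=lambda r: (r["days_until_due"], r["host"]))
    return rows


def report(rows):
    """Render triage rows as a fixed-width table, one line per finding."""
    lines = []
    for r in rows:
        d = r["days_until_due"]
        status = f"OVERDUE by {-d} d" if d < 0 else f"due in {d} d"
        lines.append(f"{r['host']:<10} {r['cve']:<15} {r['action']:<10} {status:<16} {r['product']}")
    return "\n".join(lines)


if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    print(report(triage(FINDINGS, kev, "2022-05-30")))  # the article's date
```

Run against a real export, the same logic works unchanged on the feed's `vulnerabilities` array; the only site-specific part is the shape of the scanner findings. Keeping findings that are absent from the catalog out of the triage list is deliberate: the catalog is a floor, not a complete list of exploited flaws, so those findings still need the organization's own patching policy, as Malik notes above.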
The vulnerabilities were already known, and many users were aware of them, but CISA’s notifications have clearly raised awareness, says Pascal Geenens, director of threat intelligence at Radware.
“Over the past two years, we have seen a significant reduction in the time between public disclosure of a new vulnerability and its exploitation in the wild. Sometimes less than 24 hours’ notice is provided for the most widespread and easy-to-exploit vulnerabilities. This doesn’t leave a lot of time for organizations to educate themselves and plan an update. A 24-hour window to fix vulnerabilities is next to impossible, especially when critical business applications are affected,” says Geenens.