The Cybersecurity and Infrastructure Security Agency (CISA) added four new vulnerabilities to its catalog of exploited bugs, including the much-discussed “Spring4Shell” remote code execution (RCE) vulnerability.
In addition to CVE-2022-22965 affecting Spring Framework, CISA included CVE-2022-22675 and CVE-2022-22674, two vulnerabilities affecting macOS Monterey.
The fourth is CVE-2021-45382 – a remote code execution vulnerability affecting D-Link routers.
All four have a fix date of April 25 and come just days after CISA added seven more bugs to the list, which is compiled based on evidence of active exploitation.
The Spring framework affected by CVE-2022-22965 provides tools and utilities for Java-based enterprise applications, effectively serving as important “plumbing” used in Java web applications to help reduce the amount of effort required to produce a functional application.
On March 31, the company confirmed the zero-day vulnerability and released a patch resolving the issue.
Security company Sonatype reported this week that even though a patch has been released, more than 80% of recent downloads are of potentially vulnerable versions. Cybersecurity firm Kasada has also found that cybercriminals use automated vulnerability scanning tools to test thousands of URLs and identify systems that have not yet been patched.
Apple’s vulnerabilities were highlighted by the tech giant last week. Apple released fixes for the two zero-days, but noted that they “may have been actively exploited.”
In its advisory, CISA said that D-Link routers affected by the remote code execution vulnerability cannot be updated because they are end-of-life devices. It urged users to disconnect them if they are still in use.
Valtix security researcher Davis McCarthy said that when the routers reached end of life in December 2021, they “became a prime target for exploit development because they’re connected to the internet, always on, and will not receive updates”.
“Compromised routers are frequently used by threat actors to mask their location when launching attacks,” he said.
Viakoo CEO Bud Broomhead told The Record that the Spring4Shell and D-Link vulnerabilities stood out to him the most as issues that required significant attention and effort.
“By their nature, open source vulnerabilities (like Spring4Shell) are difficult for organizations to patch, especially with manual methods, due to the widespread use of Spring in Java development. This vulnerability will likely remain exploitable for some time because it forces many organizations to take action to address it,” Broomhead said.
“End-of-life products, like last week’s Dasan routers or this week’s D-Link routers, are also difficult to fix quickly because these products are widespread and, like many IoT devices, are often ‘lost’ within an organization.”
Mike Parkin of Vulcan Cyber noted that it was interesting that Apple’s vulnerabilities were added to the list so quickly, but said they were likely included due to the “increased cybersecurity threats posed by the conflict in Ukraine”.
Exploit brokers are willing to pay millions for a zero-day RCE and typically do so per product or operating system, according to McCarthy, who added that issues affecting Apple products would be “lucrative.”
“If CISA reports a large-scale exploit, it’s possible that this zero-day was sold to many users, or sold in a pre-packaged exploit kit made available in an underground market,” McCarthy said.
“When combined with CVE-2022-22674, which enables memory reading in macOS, an adversary could obtain a lot of sensitive information from their target.”