CISA expands vulnerability catalog with old exploits

The Cybersecurity and Infrastructure Security Agency (CISA) added six known vulnerabilities to its catalog of known exploited vulnerabilities on September 15, 2022.

“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise,” the agency wrote.

The six issues include three that affect the Linux kernel, one in the Code Aurora ACDB audio driver (which is present in third-party products, including Qualcomm and Android), and a remote code execution flaw in Microsoft Windows.

While CISA regularly updates its catalog of vulnerabilities, the newly added flaws are notable because some of them are quite old.

“What concerns me is that four of the CVEs have published [yesterday]; one is from 2013 and the other is from 2010,” Paul Baird, technical director of UK security at Qualys, told Infosecurity Magazine.

Only one of the newly added exploited vulnerabilities is a 2022 CVE. According to the executive, this shows that several companies are struggling to fully understand their information technology (IT) infrastructure, keep those IT assets up to date, or adequately mitigate the problems so that there is no risk of exploitation.

“Fixing known vulnerabilities is one of the best ways to prevent attacks, but many companies struggle to keep up,” Baird added. “Similarly, end-of-life systems should be replaced or migrated if they are still needed by businesses.”

The addition of the six known flaws to CISA’s catalog comes days after the agency added two zero-day vulnerabilities affecting the Microsoft Windows Common Log File System driver and Apple iOS/iPadOS/macOS Monterey and Big Sur, respectively.

CISA also recently released new guidelines to help developers improve software supply chain security. The document is the result of a collaboration between CISA, the National Security Agency (NSA) and the Office of the Director of National Intelligence (ODNI).