CISA Adds 75 Flaws to Known Vulnerability Catalog in 3 Days
Many Listed Flaws Previously Disclosed, Some More Than a Decade Old
The U.S. Cybersecurity and Infrastructure Security Agency added 75 flaws to its catalog of known exploited software vulnerabilities. The vulnerabilities were added in three separate batches on three consecutive days: 21 on Monday, 20 on Tuesday and 34 on Wednesday.
The Known Exploited Vulnerabilities Catalog requires federal civilian agencies to patch vulnerabilities known to be actively exploited in the wild within set deadlines.
Experts say that a "significant" number of the listed vulnerabilities are old flaws and some date back a decade.
"Most of these are several years old at the minimum and some even go back 12 years. It's curious that known vulnerabilities published by NIST over a decade ago are only just now being added to the CISA catalog," says Matthew Gribben, independent cybersecurity expert and former GCHQ cybersecurity consultant.
In fact, many of the flaws are related to technology that is well beyond end of life and no longer supported, Gribben says.
But CISA's addition of the vulnerabilities to its catalog highlights that "despite the considerable risk facing organizations, exploitable and risky vulnerabilities are still failing to be addressed in a timely manner, even years after their initial disclosure," says Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.
The vulnerabilities also affect very widely used software, including products from Cisco, Microsoft, Adobe and Oracle, Morgan adds.
The Vulnerabilities
Among the older vulnerabilities are flaws in Adobe Flash Player, Kaseya Virtual System/Server Administrator (VSA) and Microsoft Silverlight. The remediation for all of the following vulnerabilities is to discontinue use of the affected products, which have reached end of life.
- CVE-2018-5002 is a stack-based buffer overflow in Adobe Flash Player that could lead to remote code execution.
- CVE-2017-18362 is an SQL injection vulnerability affecting Kaseya VSA. CISA says: "ConnectWise ManagedITSync integration for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database."
- CVE-2013-0074 is a double dereference vulnerability in Microsoft Silverlight: Silverlight does not properly validate pointers during HTML object rendering, which allows remote attackers to execute code via a crafted Silverlight application.
- CVE-2013-3993 is an invalid input vulnerability in IBM InfoSphere BigInsights. The agency says that "certain APIs within BigInsights can take invalid input that might allow attackers unauthorized access to read, write, modify, or delete data."
Unpatched systems are routinely exploited by criminals looking to gain a foothold in an organization. Also, "many of the vulnerabilities mentioned by CISA are remotely exploitable, which makes it an even bigger priority to fix," says security awareness advocate Javvad Malik, who works at cybersecurity education provider KnowBe4.
CISA has been taking steps to improve the state of cybersecurity among companies, especially with respect to vulnerability and patch management. One notable event took place earlier this month: the agency temporarily removed a Windows flaw from its known exploited vulnerabilities catalog because applying Microsoft's patch risked causing authentication failures (see: CISA Removes Windows Flaw From Exploited Catalog List).
"Patching is not always easy, and sometimes patches can inadvertently disrupt systems. It's why it's important that all organizations develop and maintain their own patching policies to ensure they stay on top of patching in a timely manner and not rush to patch when advised by CISA or similar organizations," Malik says.
In November 2021, CISA established the catalog, which lists vulnerabilities that must be patched within specific time frames. The initial publication comprised roughly 200 vulnerabilities disclosed between 2017 and 2020 and 90 from 2021. The agency said at the time that it would regularly update the catalog with new vulnerabilities that met specified thresholds, based on evidence of active exploitation (see: CISA Directs Federal Agencies to Patch Known Vulnerabilities).
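To make the two practical points above concrete, namely how old a flaw already is when CISA lists it and how much time the catalog's due date leaves to remediate, here is an added Python example that is not code from this article or from CISA. It assumes the field names of CISA's public KEV JSON feed (cveID, dateAdded, dueDate, requiredAction) and works on a constructed four-entry sample built from the CVE IDs named in this article; the dates and required-action text in that sample are placeholders chosen to illustrate the calculation, not values copied from the live feed.

```python
import json
from collections import Counter
from datetime import date

# Constructed sample in the shape of CISA's public KEV JSON feed (assumed field
# names: cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate,
# requiredAction). The CVE IDs are the ones named in the article; the dates and
# requiredAction strings are placeholders, not copied from the live feed.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2018-5002", "vendorProject": "Adobe", "product": "Flash Player",
         "vulnerabilityName": "Adobe Flash Player Stack-based Buffer Overflow Vulnerability",
         "dateAdded": "2022-05-23", "dueDate": "2022-06-13",
         "requiredAction": "Discontinue use; the product has reached end of life."},
        {"cveID": "CVE-2017-18362", "vendorProject": "Kaseya",
         "product": "Virtual System/Server Administrator (VSA)",
         "vulnerabilityName": "Kaseya VSA SQL Injection Vulnerability",
         "dateAdded": "2022-05-24", "dueDate": "2022-06-14",
         "requiredAction": "Discontinue use; the product has reached end of life."},
        {"cveID": "CVE-2013-0074", "vendorProject": "Microsoft", "product": "Silverlight",
         "vulnerabilityName": "Microsoft Silverlight Double Dereference Vulnerability",
         "dateAdded": "2022-05-25", "dueDate": "2022-06-15",
         "requiredAction": "Discontinue use; the product has reached end of life."},
        {"cveID": "CVE-2013-3993", "vendorProject": "IBM", "product": "InfoSphere BigInsights",
         "vulnerabilityName": "IBM InfoSphere BigInsights Invalid Input Vulnerability",
         "dateAdded": "2022-05-25", "dueDate": "2022-06-15",
         "requiredAction": "Discontinue use; the product has reached end of life."},
    ],
})


def load_entries(feed_text):
    """Parse the feed JSON and return the list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def cve_year(cve_id):
    """Year component of a CVE ID (CVE-YYYY-NNNN). It is the year the ID was
    reserved, so it is a lower bound on how long the flaw has been public."""
    prefix, year, _ = cve_id.split("-", 2)
    if prefix != "CVE" or not year.isdigit():
        raise ValueError("not a CVE ID: %r" % cve_id)
    return int(year)


def years_old_at_listing(entry):
    """Years between the CVE's year and the date CISA added it to the catalog."""
    return date.fromisoformat(entry["dateAdded"]).year - cve_year(entry["cveID"])


def batches_by_day(entries):
    """How many entries were added on each date, oldest date first."""
    return dict(sorted(Counter(e["dateAdded"] for e in entries).items()))


def remediation_window_days(entry):
    """Days between the listing date and the catalog's remediation deadline."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def overdue(entries, today_iso):
    """CVE IDs whose dueDate has already passed on today_iso, earliest due first."""
    today = date.fromisoformat(today_iso)
    late = [e for e in entries if date.fromisoformat(e["dueDate"]) < today]
    return [e["cveID"] for e in sorted(late, key=lambda e: e["dueDate"])]


def triage(entries, today_iso, min_years=5):
    """Split entries into 'old' (at least min_years old when listed) and
    'recent', and list the ones that have already missed their deadline."""
    report = {"old": [], "recent": [], "overdue": overdue(entries, today_iso)}
    for e in entries:
        age = years_old_at_listing(e)
        bucket = "old" if age >= min_years else "recent"
        report[bucket].append((e["cveID"], age, e["requiredAction"]))
    return report


if __name__ == "__main__":
    entries = load_entries(SAMPLE_FEED)
    print("added per day:", batches_by_day(entries))
    for cve, age, action in triage(entries, "2022-06-14")["old"]:
        print(cve, "was", age, "years old at listing;", action)
```

Pointing load_entries at the downloaded live feed instead of SAMPLE_FEED gives the same report for the real catalog; the "old" bucket is where the end-of-life products discussed above land, and for those the only realistic action before dueDate is decommissioning rather than patching.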
While vulnerabilities have always existed, CISA's notifications have certainly allowed for increased awareness, says Pascal Geenens, director of threat intelligence at Radware.
"In the last couple of years, we have observed a significant reduction in the time between public disclosure of a new vulnerability and its exploitation in the wild. Sometimes less than 24-hour notice is provided for the more widely affecting and easy to exploit vulnerabilities. This does not leave organizations with much time to get informed and plan an update. A 24-hour window to patch vulnerabilities is nearly impossible, especially when critical business applications are affected," Geenens says.