The US Cybersecurity and Infrastructure Security Agency (CISA) has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalogue, including CVEs in the Code Aurora ACDB Audio Driver, the Linux Kernel, Microsoft Windows and Trend Micro Apex One.
CISA’s catalogue serves as a focal point designed to help US government agencies keep their IT systems patched and secured against the most impactful vulnerabilities currently circulating. Compliance with the list is mandated for those organisations, but any security team at any organisation globally can benefit from keeping up to date with it.
The newly added vulnerabilities are as follows:
- CVE-2022-40139 in Trend Micro Apex One and Apex One as a Service. This is an improper validation vulnerability leading to remote code execution (RCE);
- CVE-2013-6282 in the Linux Kernel. This is an improper input validation vulnerability that could allow an application to read and write kernel memory, leading to privilege escalation;
- CVE-2013-2597 in the Code Aurora ACDB Audio Driver, which is used in a number of third-party products including Android devices. This is a stack-based buffer overflow vulnerability allowing privilege escalation;
- CVE-2013-2596 in the Linux Kernel. This is an integer overflow vulnerability leading to privilege escalation;
- CVE-2013-2094 in the Linux Kernel. This is a privilege escalation vulnerability resulting from a failure by the kernel to check all 64 bits of attr.config passed from user space;
- CVE-2010-2568 in Microsoft Windows, an RCE vulnerability arising from a situation where Windows incorrectly parses shortcuts in such a way that malicious code can execute if the operating system displays the icon of a malicious shortcut file.
US government bodies have until Thursday 6 October to patch the new vulnerabilities. As already noted, other organisations are not bound to this schedule, but are advised to act quickly.
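To turn a KEV addition and its due date into an actionable work queue, a defender typically joins the catalogue against an asset inventory and sorts by time remaining. The script below is an added example, not code from the article or from CISA; the feed excerpt is constructed by hand from the six CVEs above and assumes the field names of CISA’s public KEV JSON feed (`cveID`, `vendorProject`, `product`, `dueDate`), and the inventory is a constructed placeholder.

```python
"""Triage KEV catalogue entries against a local asset inventory (added example)."""
import json
from datetime import date

# Constructed feed excerpt: the six additions named in the article, all with
# the 6 October due date. Field names assumed to match CISA's KEV JSON feed.
_ADDED = [
    ("CVE-2022-40139", "Trend Micro", "Apex One"),
    ("CVE-2013-6282", "Linux", "Kernel"),
    ("CVE-2013-2597", "Code Aurora", "ACDB Audio Driver"),
    ("CVE-2013-2596", "Linux", "Kernel"),
    ("CVE-2013-2094", "Linux", "Kernel"),
    ("CVE-2010-2568", "Microsoft", "Windows"),
]
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": c, "vendorProject": v, "product": p, "dueDate": "2022-10-06"}
    for c, v, p in _ADDED
]})

# Constructed inventory: product names as they appear in the feed (placeholder).
INVENTORY = {"Windows", "Kernel"}


def parse_kev(feed_json):
    """Parse the feed into dicts with a real date object for the due date."""
    data = json.loads(feed_json)
    return [{"cve": v["cveID"], "vendor": v["vendorProject"],
             "product": v["product"], "due": date.fromisoformat(v["dueDate"])}
            for v in data["vulnerabilities"]]


def triage(entries, inventory, today):
    """Return (cve, days_left) for entries whose product is in the inventory,
    most urgent first. Negative days_left means the due date has passed."""
    hits = [(e["cve"], (e["due"] - today).days)
            for e in entries if e["product"] in inventory]
    return sorted(hits, key=lambda h: h[1])


def overdue(entries, inventory, today):
    """CVEs in scope whose remediation due date is already behind us."""
    return [cve for cve, days in triage(entries, inventory, today) if days < 0]


if __name__ == "__main__":
    for cve, days in triage(parse_kev(KEV_SAMPLE), INVENTORY, date.today()):
        print(f"{cve}: {days} day(s) until due")
```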
Commenting on the latest additions to CISA’s list, Qualys’ UK chief technical security officer, Paul Baird, said: “Based on evidence of active exploitation, all these vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk.
“What’s concerning me is that four of the CVEs posted today are from 2013, and one is from 2010. Only one of the new exploited vulnerabilities is a CVE from 2022. This shows that there are plenty of companies out there which have issues around knowing their IT, keeping those IT assets up to date, or adequately mitigating these issues so that there is no risk of exploitation.
“Patching known vulnerabilities is one of the best ways to prevent attacks, but many companies are finding it hard to keep up. Equally, end of life systems should be replaced or migrated if they are still needed for services,” said Baird.
The latest additions come just a day after CISA added two other potentially serious vulnerabilities to its catalogue.
The first of these, CVE-2022-37969, is a privilege elevation vulnerability in the Windows Common Log File System Driver that affects all versions of Windows and, if successfully exploited, could give an attacker system-level privileges. It was addressed by Microsoft in its September Patch Tuesday update.
The second, CVE-2022-32197, is a vulnerability in Apple iOS, iPadOS and macOS which – left unchecked – allows an application to execute code with kernel privileges.