CISA has updated its Known Exploited Vulnerabilities Catalog with eight vulnerabilities, two of which have remediation dates of February 11.
The list includes an Apple IOMobileFrameBuffer Memory Corruption vulnerability, a SonicWall SMA 100 Appliances Stack-Based Buffer Overflow vulnerability, a Microsoft Internet Explorer Use-After-Free vulnerability, a Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management vulnerability and two GNU Bourne-Again Shell (Bash) Arbitrary Code Execution vulnerabilities.
The Apple and SonicWall vulnerabilities have a remediation date of February 11; the rest have remediation dates of July 28.
Apple released patches for the vulnerability — tagged as CVE-2022-22587 — last week, noting that a malicious application may be able to execute arbitrary code with kernel privileges. Apple said it is “aware of a report that this issue may have been actively exploited” and added that it was discovered by a member of Mercedes-Benz Innovation Lab and two other researchers.
Rapid7 said earlier this month that CVE-2021-20038 — the SonicWall vulnerability — has a suggested CVSS score of 9.8 out of 10, explaining in a blog post that by exploiting this issue, “an attack can get complete control of the device or virtual machine that’s running the SMA 100 series appliance.”
“This can allow attackers to install malware to intercept authentication material from authorized users, or reach back into the networks protected by these devices for further attack. Edge-based network control devices are especially attractive targets for attackers, so we expect continued interest in these kinds of devices by researchers and criminal attackers alike,” Rapid7 said.
Vulcan Cyber CEO Yaniv Bar-Dayan said digital business has a cyber debt problem, telling ZDNet that this latest batch of eight CVEs added by CISA “proves the adage that ‘vulnerabilities age like milk.’”
“Three of the eight vulnerabilities were first disclosed in 2014, and the average age of the CVEs added to the CISA database today is more than four years. Our IT security teams are struggling to mitigate decade-old risk, much less the threat du jour,” Bar-Dayan said.
Netenrich’s John Bambenek said he understood the need to quickly patch the iOS vulnerability but questioned some of the other additions.
“If the federal government needs another six months to patch an 8-year-old Bash shell vulnerability, then we might as well surrender our IT to North Korea now and save the taxpayers some money,” Bambenek said. “What I fail to understand is why ancient vulnerabilities are put on this list with such long periods of time to remediate.”