The US Cybersecurity and Infrastructure Security Agency (CISA) is adding new vulnerabilities to its catalog of known exploited vulnerabilities, including the bug used in the Stuxnet attacks.
The US Cybersecurity and Infrastructure Security Agency (CISA) has added six new vulnerabilities to its catalog of known exploited vulnerabilities.
Below is the list of vulnerabilities added to the catalog:
- CVE-2022-40139: Trend Micro Apex One and Apex One as a Service – Trend Micro Apex One and Apex One as a Service contain incorrect rollback mechanism component validation that could lead to remote code execution .
- CVE-2013-6282: Linux kernel – Linux kernel API functions get_user and put_user fail to validate target address when used on ARM v6k/v7 platforms. This allows an application to read and write to kernel memory, which could lead to privilege escalation.
- CVE-2013-2597 Aurora Code ACDB Audio Driver – The Aurora Code Audio Calibration Database (acdb) audio driver contains a stack-based buffer overflow vulnerability that allows elevation of privilege. Aurora code is used in third-party products such as Qualcomm and Android.
- CVE-2013-2596 Linux Kernel – The Linux kernel fb_mmap function in drivers/video/fbmem.c contains an integer overflow vulnerability that allows elevation of privilege.
- CVE-2013-2094 Linux kernel – Linux kernel fails to verify 64 bits of attr.config passed by userspace, resulting in out of bounds access of perf_swevent_enabled array in sw_perf_event_destroy(). The exploit allows privilege escalation.
- CVE-2010-2568 Microsoft Windows – Microsoft Windows incorrectly parses shortcuts in such a way that malicious code can be executed when the operating system displays the icon of a malicious shortcut file. An attacker who successfully exploited this vulnerability could run code as a logged-in user.
According to Binding Operational Directive (BOD) 22-01: Significant Risk Reduction of Known Exploited Vulnerabilities, FCEB agencies must address identified vulnerabilities by the due date to protect their networks from attacks exploiting catalog vulnerabilities.
Experts also recommend that private organizations review the catalog and address vulnerabilities in their infrastructure.
Interestingly, only CVE-2022-40139 is a publicly disclosed vulnerability this year, it is a improper validation vulnerability affecting Trend Micro’s Apex One platform.
The oldest issue added to the catalog this round is CVE-2010-2568 which is the issue used in the Stuxnet attack.
CISA is giving federal agencies until October 6 to address the above vulnerabilities.
Follow me on Twitter: @securityaffairs and Facebook
(Security cases – hacking, CISA)