The Cybersecurity and Infrastructure Security Agency (CISA) has added a massive set of 66 actively exploited vulnerabilities to its catalog of ‘Known Exploited Vulnerabilities.’
These flaws have been observed in real cyberattacks against organizations, so they are published to raise awareness among system administrators and to serve as official advisories to apply the corresponding security updates.
In this case, CISA gives federal agencies until April 15, 2022, to patch the listed vulnerabilities and reduce the risk of falling victim to cyberattacks.
The new set of 66 actively exploited vulnerabilities published by CISA spans disclosure dates between 2005 and 2022, covering a broad spectrum of software and hardware types and versions.
The Mitel CVE-2022-26143 and Windows CVE-2022-21999 vulnerabilities disclosed in February are two particularly interesting bugs.
Microsoft fixed the CVE-2022-21999 Windows Print Spooler bug in the February 2022 Patch Tuesday updates, and threat actors had not actively exploited it at the time. When exploited, the vulnerability allows attackers to execute code as SYSTEM, the highest privilege level on Windows.
The Mitel CVE-2022-26143 bug affects devices using a vulnerable driver (TP-240), including MiVoice Business Express and MiCollab.
This flaw allows a record-breaking DDoS amplification ratio of about 4.3 billion to 1, using a method of internal reflection.
Akamai, the company that discovered the Mitel bug, has already reported attacks in the wild beginning last February, targeting governments, financial institutions, and internet service providers.
Additionally, the set contains a 2005 RCE flaw on Hewlett Packard OpenView, a 2009 buffer overflow on Adobe Reader and Acrobat, a 2009 RCE on phpMyAdmin, and another 23 flaws dating between 2010 and 2016.
The addition of these 66 vulnerabilities at this time doesn’t necessarily mean that CISA’s analysts just spotted their active exploitation in the wild.
Quite possibly, the agency is publishing new sets with intervals between them to not overwhelm system administrators, striving for a balance between practical constraints and best security practices.
Another possible explanation for the addition of such old vulnerabilities to the catalog could be that they're leveraged in new exploit chains that are applicable today, suddenly moving from obsolescence back to relevance.
However, the list shows us how quickly threat actors begin targeting a vulnerability once a vendor discloses it.
For example, the Windows Print Spooler CVE-2022-21999 vulnerability, the Mitel DDoS amplification CVE-2022-26143 vulnerability, and the WatchGuard CVE-2022-26318 vulnerability were disclosed in February and were quickly exploited by threat actors.
Due to this, it is critical for admins to apply security updates as soon as possible to prevent their exploitation, especially on internet-exposed devices.
Due to the large number of flaws comprising the latest set, CISA hasn’t supplied the usual summary table, so system administrators will have to review the new entries on the catalog, which now counts a total of 570 vulnerabilities.
Once on the catalog page, you can click the 'Date Added' column header to sort by the most recently added vulnerabilities.
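The same triage can be scripted against the catalog's JSON feed instead of clicking through the table. The script below is an added example, not from the article or from CISA: it assumes the feed's field names (cveID, vendorProject, dateAdded, dueDate) and its URL, and the embedded sample is constructed for the demo (CVE IDs from the article plus one obvious placeholder; dates are made up).

```python
import json
from datetime import date

# Public JSON feed of the KEV catalog. Assumption of this example; the article
# only points to the HTML catalog page.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed sample in the shape of that feed. Field names follow the feed;
# dateAdded/dueDate values and the CVE-0000-00000 placeholder are made up.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-21999", "vendorProject": "Microsoft",
     "dateAdded": "2022-03-25", "dueDate": "2022-04-15"},
    {"cveID": "CVE-2022-26143", "vendorProject": "Mitel",
     "dateAdded": "2022-03-25", "dueDate": "2022-04-15"},
    {"cveID": "CVE-2022-26318", "vendorProject": "WatchGuard",
     "dateAdded": "2022-03-25", "dueDate": "2022-04-15"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
]})


def fetch_live_feed():
    """Download the current feed (needs network; the demo below stays offline)."""
    import urllib.request
    with urllib.request.urlopen(KEV_FEED_URL) as resp:
        return resp.read().decode("utf-8")


def load_catalog(feed_text):
    """Parse the feed and turn the ISO date strings into date objects."""
    entries = json.loads(feed_text)["vulnerabilities"]
    for e in entries:
        e["dateAdded"] = date.fromisoformat(e["dateAdded"])
        e["dueDate"] = date.fromisoformat(e["dueDate"])
    return entries


def newest_first(entries):
    """Same view as sorting the catalog's 'Date Added' column descending."""
    return sorted(entries, key=lambda e: e["dateAdded"], reverse=True)


def added_since(entries, since):
    """CVE IDs added on or after `since`: the batch not yet triaged."""
    return [e["cveID"] for e in newest_first(entries) if e["dateAdded"] >= since]


def overdue(entries, today, patched):
    """CVE IDs past their remediation due date and not in the patched set."""
    return [e["cveID"] for e in entries
            if e["dueDate"] < today and e["cveID"] not in patched]


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_FEED)
    print("added since 2022-03-01:", added_since(catalog, date(2022, 3, 1)))
    print("overdue on 2022-04-16:", overdue(catalog, date(2022, 4, 16), {"CVE-2022-21999"}))
```

Replace SAMPLE_FEED with fetch_live_feed() and the patched set with your own asset inventory to get a real overdue list.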