The U.S. Cybersecurity and Infrastructure Security Agency (CISA)
on Friday added 10 new actively exploited vulnerabilities to its
Known Exploited Vulnerabilities (KEV)
Catalog[1], including a
high-severity security flaw affecting industrial automation
software from Delta Electronics.
The issue, tracked as CVE-2021-38406[2]
(CVSS score: 7.8), impacts DOPSoft 2 versions 2.00.07 and prior.
Successful exploitation of the flaw may lead to arbitrary code
execution.
“Delta Electronics DOPSoft 2 lacks proper validation of
user-supplied data when parsing specific project files (improper
input validation) resulting in an out-of-bounds write that allows
for code execution,” CISA said in an alert.
It’s worth noting that CVE-2021-38406 was originally disclosed
as part of an industrial control systems (ICS) advisory published[3]
in September 2021.
However, there are no patches that address the vulnerability,
with CISA noting that the “impacted product is end-of-life and
should be disconnected if still in use.” Federal Civilian Executive
Branch (FCEB) agencies are mandated to follow the guideline by
September 15, 2022.
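The KEV catalog is published as a JSON feed, and the practical question for a defender is which assets it touches and how long is left before the required action is due. The following is an added example, not code from the article or from CISA: it triages a catalog excerpt against a small asset inventory. The excerpt and the inventory are constructed by hand; the excerpt follows the field names of CISA's published feed (cveID, vendorProject, product, vulnerabilityName, dateAdded, shortDescription, requiredAction, dueDate), which is an assumption to confirm against the live file, and only the Delta Electronics entry's dates and required action are taken from the article.

```python
"""Triage a KEV catalog feed against a local asset inventory.

Added example, not the article's or CISA's code.  The feed excerpt and
the inventory below are constructed; the field names are assumed to
match CISA's known_exploited_vulnerabilities.json feed.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV JSON feed.  Only the
# Delta Electronics entry's dates and required action come from the
# article; the other two entries are illustrative.
KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "count": 3,
    "vulnerabilities": [
        {
            "cveID": "CVE-2021-38406",
            "vendorProject": "Delta Electronics",
            "product": "DOPSoft 2",
            "vulnerabilityName": "Delta Electronics DOPSoft 2 Out-of-Bounds Write Vulnerability",
            "dateAdded": "2022-08-25",
            "shortDescription": "DOPSoft 2 lacks proper validation of user-supplied data when parsing project files.",
            "requiredAction": "The impacted product is end-of-life and should be disconnected if still in use.",
            "dueDate": "2022-09-15",
        },
        {
            "cveID": "CVE-2022-24706",
            "vendorProject": "Apache",
            "product": "CouchDB",
            "vulnerabilityName": "Apache CouchDB Insecure Default Initialization of Resource Vulnerability",
            "dateAdded": "2022-08-25",
            "shortDescription": "Illustrative description.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-09-15",
        },
        {
            "cveID": "CVE-2021-39226",
            "vendorProject": "Grafana Labs",
            "product": "Grafana",
            "vulnerabilityName": "Grafana Authentication Bypass Vulnerability",
            "dateAdded": "2022-08-25",
            "shortDescription": "Illustrative description.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-09-15",
        },
    ],
})

# Constructed inventory (hostname, vendor, product, version).
INVENTORY = [
    {"host": "hmi-line3", "vendor": "Delta Electronics", "product": "DOPSoft 2", "version": "2.00.07"},
    {"host": "db-04", "vendor": "Apache", "product": "CouchDB", "version": "3.2.1"},
    {"host": "jump-01", "vendor": "Microsoft", "product": "Windows", "version": "10"},
]


def _norm(name):
    """Case- and whitespace-insensitive form of a vendor/product name."""
    return " ".join(name.lower().split())


def load_kev(feed_json):
    """Parse the feed and return its list of catalog entries."""
    return json.loads(feed_json)["vulnerabilities"]


def match_inventory(entries, inventory):
    """Return (asset, entry) pairs whose vendor and product names match.

    The KEV feed carries no affected-version ranges, so a name match is
    a trigger for triage against the vendor advisory, not a confirmation
    that the installed version is vulnerable.
    """
    hits = []
    for asset in inventory:
        for entry in entries:
            if (_norm(asset["vendor"]) == _norm(entry["vendorProject"])
                    and _norm(asset["product"]) == _norm(entry["product"])):
                hits.append((asset, entry))
    return hits


def triage(hits, today_iso):
    """Rank matched assets by days left until the KEV due date.

    An entry whose required action says the product is end-of-life or
    should be disconnected has no patch to apply, so the action for that
    asset is 'disconnect' rather than 'patch'.
    """
    today = date.fromisoformat(today_iso)
    report = []
    for asset, entry in hits:
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        action_text = entry["requiredAction"].lower()
        no_fix = "end-of-life" in action_text or "disconnect" in action_text
        report.append({
            "host": asset["host"],
            "cve": entry["cveID"],
            "due": entry["dueDate"],
            "days_left": days_left,
            "status": "OVERDUE" if days_left < 0 else "OPEN",
            "action": "disconnect" if no_fix else "patch",
        })
    return sorted(report, key=lambda row: row["days_left"])


if __name__ == "__main__":
    for row in triage(match_inventory(load_kev(KEV_FEED), INVENTORY), "2022-09-01"):
        print(row)
```

Run against the live feed by replacing KEV_FEED with the downloaded file's contents; the name matching is deliberately exact on vendor and product, so an inventory that spells them differently from CISA needs a mapping table rather than a looser match, which would produce noise.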
Not much information is available about the nature of the
attacks that exploit the security bug, but a recent report from
Palo Alto Networks Unit 42 pointed out[4]
instances of in-the-wild attacks leveraging the flaw between
February and April 2022.
The development adds weight to the notion that adversaries are
getting faster at exploiting newly published vulnerabilities soon
after they are first disclosed, leading to indiscriminate and
opportunistic scanning that aims to take advantage of delayed
patching.
These attacks often follow a recognisable sequence: web shells,
cryptocurrency miners, botnets and remote access trojans (RATs)
first, followed by initial access brokers (IABs) who then pave the
way for ransomware.
Among other actively exploited flaws added to the list are the
following –
- CVE-2022-26352[5] – dotCMS Unrestricted Upload of File Vulnerability
- CVE-2022-24706[6] – Apache CouchDB Insecure Default Initialization of Resource Vulnerability
- CVE-2022-24112[7] – Apache APISIX Authentication Bypass Vulnerability
- CVE-2022-22963[8] – VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability
- CVE-2022-2294[9] – WebRTC Heap Buffer Overflow Vulnerability
- CVE-2021-39226[10] – Grafana Authentication Bypass Vulnerability
- CVE-2020-36193[11] – PEAR Archive_Tar Improper Link Resolution Vulnerability
- CVE-2020-28949[12] – PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability
iOS and macOS flaw added to the list
Another high-severity flaw added to the KEV Catalog is CVE-2021-31010[13] (CVSS score: 7.5), a
deserialization issue in Apple’s Core Telephony component that
could be leveraged to circumvent sandbox restrictions.
The tech giant addressed the shortcoming in iOS 12.5.5, iOS
14.8, iPadOS 14.8, macOS Big Sur 11.6 (and Security Update 2021-005
Catalina), and watchOS 7.6.2 released in September 2021.
While there were no indications that the flaw was being
exploited at the time, the tech giant appears to have silently
revised its advisories on May 25, 2022 to add the vulnerability and
confirm that it had indeed been abused in attacks.
“Apple was aware of a report that this issue may have been
actively exploited at the time of release,” the tech giant noted,
crediting Citizen Lab and Google Project Zero for the
discovery.
The September update is also notable for remediating[14] CVE-2021-30858 and
CVE-2021-30860, both of which were employed by NSO Group[15], the makers of the
Pegasus spyware, to get around the operating systems’ security
features.
This raises the possibility that CVE-2021-31010 may have been
strung together with the aforementioned two flaws in an attack
chain to escape the sandbox and achieve arbitrary code
execution.
References
[1] Known Exploited Vulnerabilities (KEV) Catalog (www.cisa.gov)
[2] CVE-2021-38406 (nvd.nist.gov)
[3] published (www.cisa.gov)
[4] pointed out (unit42.paloaltonetworks.com)
[5] CVE-2022-26352 (nvd.nist.gov)
[6] CVE-2022-24706 (nvd.nist.gov)
[7] CVE-2022-24112 (nvd.nist.gov)
[8] CVE-2022-22963 (nvd.nist.gov)
[9] CVE-2022-2294 (nvd.nist.gov)
[10] CVE-2021-39226 (nvd.nist.gov)
[11] CVE-2020-36193 (nvd.nist.gov)
[12] CVE-2020-28949 (nvd.nist.gov)
[13] CVE-2021-31010 (nvd.nist.gov)
[14] remediating (thehackernews.com)
[15] employed by NSO Group (thehackernews.com)
Read more https://thehackernews.com/2022/08/cisa-adds-10-new-known-actively.html