The US Cybersecurity and Infrastructure Security Agency (CISA) added seven vulnerabilities to its list of actively exploited security issues, including those in Microsoft, Linux, and Jenkins.
The ‘Catalog of Known Exploited Vulnerabilities’ is a list of vulnerabilities that are known to be actively exploited in cyber attacks and are required to be patched by Federal Civilian Executive Branch (FCEB) agencies.
“Binding Operating Directive (BOD) 22-01: Reducing Significant Risk of Known Exploited Vulnerabilities established the Catalog of Known Exploited Vulnerabilities as a living list of known CVEs that carry significant risk to the federal enterprise,” CISA explains.
“BOD 22-01 requires FCEB agencies to patch identified vulnerabilities by the expiration date to protect FCEB networks from active threats. See the BOD 22-01 fact sheet for more information.”
“The vulnerabilities listed in the catalog allow threat actors to perform a variety of attacks, including stealing credentials, gaining network access, remotely executing commands, downloading and executing malware, or stealing device information.”
With the addition of these seven vulnerabilities, the catalog now contains 654 vulnerabilities, including the date that associated security patches and updates are required to be applied by federal agencies.
The seven new vulnerabilities added this week are listed below, and CISA requires all of them to be patched by May 16, 2022.
| CVE number | Vulnerability title | Expiration date |
|---|---|---|
| CVE-2022-29464 | Unrestricted File Upload Vulnerability in Multiple WSO2 Products | 2022-05-16 |
| CVE-2022-26904 | Microsoft Windows User Profile Service Privilege Escalation Vulnerability | 2022-05-16 |
| CVE-2022-21919 | Microsoft Windows User Profile Service Privilege Escalation Vulnerability | 2022-05-16 |
| CVE-2022-0847 | Linux Kernel Privilege Escalation Vulnerability | 2022-05-16 |
| CVE-2021-41357 | Microsoft Win32k Privilege Escalation Vulnerability | 2022-05-16 |
| CVE-2021-40450 | Microsoft Win32k Privilege Escalation Vulnerability | 2022-05-16 |
| CVE-2019-1003029 | Jenkins Script Security Plugin Sandbox Bypass Vulnerability | 2022-05-16 |
How are these bugs used in attacks?
While it is useful to know that a bug is being exploited, it is even more useful to understand how it is actually being used in attacks.
The WSO2 vulnerability tracked as CVE-2022-29464 was disclosed on April 18, 2022, and a public exploit was released a few days later. Rapid7 researchers soon saw the public PoC used in attacks to deploy web shells and coinminers.
Windows ‘User Profile Service Privilege Escalation’ vulnerabilities tracked as CVE-2022-21919 and CVE-2022-26904 were discovered by Abdel Hamid Naceri and are follow-on flaws that the patch for the original CVE-2021-34484 vulnerability, released in August 2021, left unaddressed. All of these vulnerabilities have had a public PoC disclosed, and BleepingComputer has been told that they are used by ransomware gangs to spread laterally through a Windows domain.
The Linux privilege escalation vulnerability known as ‘DirtyPipe’ is tracked as CVE-2022-0847 and was disclosed in March 2022. Shortly after its disclosure, numerous proof-of-concept exploits were released, allowing users to gain root privileges quickly, as illustrated below.
The CVE-2021-40450 and CVE-2021-41357 ‘Microsoft Win32k Privilege Escalation’ vulnerabilities were patched in October 2021 and are an interesting addition to the list as there is no public mention of them being exploited in the wild.
Finally, the oldest vulnerability is the ‘Jenkins Script Security Plugin Sandbox Bypass’ bug tracked as CVE-2019-1003029, which the Capoae malware has used in the past to deploy XMRig cryptominers.
It is strongly recommended that all security professionals and administrators review the Catalog of Known Exploited Vulnerabilities and patch any within their environment.
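One way to turn that review into an action list, as an added Python example that is not from the article or from CISA: it indexes a KEV-style feed by CVE and reports, for a constructed host inventory, how many days remain before each listed CVE's BOD 22-01 due date. The feed field names (cveID, vulnerabilityName, dueDate), the hostnames, and the host-to-CVE mapping are assumptions; only the seven CVE ids, their titles and the 2022-05-16 due date come from the table above.

```python
import json
from datetime import date

# Constructed sample in the record shape of a KEV JSON feed (assumed field
# names cveID / vulnerabilityName / dueDate); only the seven CVE ids, titles
# and the 2022-05-16 due date come from the article above.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-29464", "vulnerabilityName": "Unrestricted File Upload Vulnerability in Multiple WSO2 Products", "dueDate": "2022-05-16"},
    {"cveID": "CVE-2022-26904", "vulnerabilityName": "Microsoft Windows User Profile Service Privilege Escalation Vulnerability", "dueDate": "2022-05-16"},
    {"cveID": "CVE-2022-21919", "vulnerabilityName": "Microsoft Windows User Profile Service Privilege Escalation Vulnerability", "dueDate": "2022-05-16"},
    {"cveID": "CVE-2022-0847", "vulnerabilityName": "Linux Kernel Privilege Escalation Vulnerability", "dueDate": "2022-05-16"},
    {"cveID": "CVE-2021-41357", "vulnerabilityName": "Microsoft Win32k Privilege Escalation Vulnerability", "dueDate": "2022-05-16"},
    {"cveID": "CVE-2021-40450", "vulnerabilityName": "Microsoft Win32k Privilege Escalation Vulnerability", "dueDate": "2022-05-16"},
    {"cveID": "CVE-2019-1003029", "vulnerabilityName": "Jenkins Script Security Plugin Sandbox Bypass Vulnerability", "dueDate": "2022-05-16"},
]})

# Constructed inventory (hypothetical hosts): CVEs a vulnerability scanner reported
# as unpatched on each host. CVE-0000-0000 is a placeholder that is not in the KEV list.
INVENTORY = {
    "ci-build-01": ["CVE-2019-1003029", "CVE-2022-0847"],
    "file-srv-02": ["CVE-2022-26904", "CVE-2021-40450"],
    "web-dmz-03": ["CVE-2022-29464", "CVE-0000-0000"],
}

def load_kev(feed_json):
    """Index a KEV feed by CVE id -> (title, due date)."""
    feed = json.loads(feed_json)
    return {v["cveID"]: (v["vulnerabilityName"], date.fromisoformat(v["dueDate"]))
            for v in feed["vulnerabilities"]}

def kev_exposure(inventory, kev, as_of):
    """Return (host, cve, days_until_due) for each inventory CVE that is in KEV,
    most urgent first. A negative day count means the due date has already passed."""
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            if cve in kev:  # CVEs not in the catalog are out of scope for this report
                findings.append((host, cve, (kev[cve][1] - as_of).days))
    return sorted(findings, key=lambda f: f[2])

def main():
    kev = load_kev(KEV_SAMPLE)
    for host, cve, days in kev_exposure(INVENTORY, kev, date(2022, 5, 20)):
        status = f"OVERDUE by {-days} day(s)" if days < 0 else f"{days} day(s) left"
        print(f"{host:12} {cve:17} {status}  {kev[cve][0]}")

if __name__ == "__main__":
    main()
```

Replacing KEV_SAMPLE with the JSON that CISA publishes for the catalog, and INVENTORY with real scanner output, gives the same overdue report for a live environment.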