CISA Adds 7 New Actively Exploited Vulnerabilities to Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday moved to add a critical SAP security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

The issue in question is CVE-2022-22536, which has received the highest possible risk score of 10.0 on the CVSS vulnerability scoring system and was addressed by SAP as part of its Patch Tuesday updates for February 2022.

Described as an HTTP request smuggling vulnerability, the shortcoming impacts the following product versions –

  • SAP Web Dispatcher (Versions – 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87)
  • SAP Content Server (Version – 7.53)
  • SAP NetWeaver and ABAP Platform (Versions – KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49)

“An unauthenticated attacker can prepend a victim’s request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary web caches,” CISA said in an alert.

“A simple HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for a successful exploitation,” Onapsis, which discovered the flaw, notes. “Consequently, this makes it easy for attackers to exploit it and more challenging for security technology such as firewalls or IDS/IPS to detect it (as it does not present a malicious payload).”

Aside from the SAP weakness, the agency added new flaws disclosed by Apple (CVE-2022-32893 and CVE-2022-32894) and Google (CVE-2022-2856) this week, as well as previously documented Microsoft-related bugs (CVE-2022-21971 and CVE-2022-26923) and a remote code execution vulnerability in Palo Alto Networks PAN-OS (CVE-2017-15944, CVSS score: 9.8) that was disclosed in 2017.

CVE-2022-21971 (CVSS score: 7.8) is a remote code execution vulnerability in Windows Runtime that was resolved by Microsoft in February 2022. CVE-2022-26923 (CVSS score: 8.8), fixed in May 2022, relates to a privilege escalation flaw in Active Directory Domain Services.

“An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege to System,” Microsoft describes in its advisory for CVE-2022-26923.

The CISA notification, as is traditionally the case, is light on technical details of in-the-wild attacks associated with the vulnerabilities so as to avoid threat actors taking further advantage of them.

To mitigate exposure to potential threats, Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the relevant patches by September 8, 2022.
