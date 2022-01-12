



This week, the Cybersecurity and Infrastructure Security Agency (CISA) added 15 vulnerabilities to its Known Exploited Vulnerabilities catalog. Three of the vulnerabilities must be remediated by federal agencies by January 24th; the remaining vulnerabilities have a remediation deadline of July 10th.

The list is “based on evidence that threat actors are actively exploiting the vulnerabilities,” CISA said. Such vulnerabilities are “a frequent attack vector for malicious cyber actors of all kinds and pose a significant risk to the federal enterprise.”

The most urgent additions are the VMware vCenter Server improper access control vulnerability, the Hikvision improper input validation vulnerability, and the FatPipe WARP, IPVPN, and MPVPN privilege escalation vulnerability.

The rest of the list covers vulnerabilities in Google Chrome, Microsoft Win32K, Microsoft WinVerify, Elastic Kibana, Primetek Primefaces, IBM WebSphere Application Server, Exim Mail Transfer Agent, Palo Alto Networks PAN-OS, Fortinet FortiOS and FortiProxy, Synacor Zimbra, and Oracle WebLogic Server.

The Known Exploited Vulnerabilities catalog was created last year through a binding operational directive that allows CISA to compel federal agencies to address specific vulnerabilities used by cyber attackers. The first version of the list contained 306 vulnerabilities commonly exploited during attacks, and it has expanded since then.

Joshua Aagard, a vulnerability analyst on the Photon Research Team at Digital Shadows, told ZDNet that CISA’s additions are extensive and likely to have a knock-on effect on infrastructure.

“Malicious actions and remote execution as a result of successful exploitation are often cited, as is data input with respect to sanitization and proper logic,” Aagard said.

“What I’ve looked at tends to share the common theme of centralized command and to embrace a single point of failure. From an attacker’s point of view, the server console or critical proxy is a companion piece of infrastructure that can act as a Jenga block that brings down the rest of the structure.”

The three most prominent to him were the VMware vCenter Server improper access control vulnerability, Hikvision’s improper input validation vulnerability, and the FatPipe WARP, IPVPN, and MPVPN privilege escalation vulnerability.

Aagard explained that the Hikvision CCTV camera and camera system vulnerabilities stem from a lack of input validation, exposing the device to potentially malicious command injection attacks (leading to remote code execution, or RCE).

“Full control of the target device can be achieved through an unrestricted shell at the root level, superseding the designated owner level,” Aagard said.

The FatPipe vulnerability affects the WARP, IPVPN, and MPVPN products and allows an attacker to reach an unrestricted file upload capability in the servlet at the URL path /fpui/uploadConfigServlet. According to Aagard, this can be used to drop a webshell at /fpui/img/1.jsp for root access and subsequent privilege escalation.

“Successful exploitation of this vulnerability could lead to pivot access to the internal network. Software versions prior to releases 10.1.2r60p93 and 10.2.2r44p1 are affected by this issue,” Aagard said.
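Two checks a defender can run on the FatPipe details above, as an added example that is not from the article or from FatPipe: a branch-wise comparison against the two fixed releases Aagard names, and a scan of web-server access logs for the upload servlet path and the webshell location. The version layout (major.minor.patch, then r and p numbers), the assumption that each 10.x branch is fixed at its own listed release, and the Apache combined-log line format are all assumptions; the log lines are constructed.

```python
import re

# Fixed releases quoted in the article; versions below these in their branch are affected.
FIXED_RELEASES = ("10.1.2r60p93", "10.2.2r44p1")
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)r(\d+)p(\d+)$")

def parse_version(v: str) -> tuple:
    # Assumed layout: major.minor.patch r<release> p<patch-level>, all numeric.
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised FatPipe version format: {v!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(version: str):
    # True if below the fixed release of the same major.minor branch,
    # None if the article lists no fixed release for that branch (assumption: branch-wise fix).
    v = parse_version(version)
    for fixed in FIXED_RELEASES:
        f = parse_version(fixed)
        if v[:2] == f[:2]:
            return v < f
    return None

# Request paths quoted in the article: the upload servlet and the dropped webshell location.
UPLOAD_PATH = "/fpui/uploadConfigServlet"
WEBSHELL_RE = re.compile(r"^/fpui/img/[^/\s]+\.jsp$")
_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def suspicious_requests(log_lines):
    # Return (client, method, path, status) for each line hitting either indicator.
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        path = path.split("?", 1)[0]  # ignore the query string when matching
        if path == UPLOAD_PATH or WEBSHELL_RE.match(path):
            hits.append((client, method, path, int(status)))
    return hits

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2022:10:01:02 +0000] "GET /fpui/login.jsp HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jan/2022:10:01:09 +0000] "POST /fpui/uploadConfigServlet HTTP/1.1" 200 44 "-" "curl/7.79"',
    '203.0.113.5 - - [12/Jan/2022:10:01:15 +0000] "GET /fpui/img/1.jsp?ts=1 HTTP/1.1" 200 120 "-" "curl/7.79"',
    '198.51.100.7 - - [12/Jan/2022:10:02:00 +0000] "GET /fpui/img/logo.png HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
]
```

A successful POST to the upload servlet followed shortly by a request for a .jsp under /fpui/img/ from the same client is the sequence worth alerting on, not either line in isolation.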

Regarding the VMware vulnerability, Aagard explained that a malicious actor with general network access to vCenter Server on port 443 could exploit this issue to perform a bypass and gain access to an internal endpoint.

John Bambenek, principal threat hunter at Netenrich, echoed Aagard’s concerns about the VMware vulnerability, noting that VMware servers are used to control many of the key assets in an organization, not just a single asset.

“This vulnerability provides an easy way to take over a vCenter instance and all the assets in it,” said Bambenek. “As another observation, some of these vulnerabilities are fairly old (one is from 2013). Why the federal government needs another six months to patch a vulnerability from eight years ago tells you everything you need to know about how broken government IT security is.”

