CISA warns of active exploitation of Chrome, D-Link flaws

CISA warns of active exploitation of Chrome, D-Link flaws. Image via iStock


Android, Oracle, Apple, QNAP, MikroTik, Fortinet and NETGEAR vulnerabilities also added to CISA's KEV catalogue

The US Cybersecurity and Infrastructure Security Agency (CISA) has added 12 security vulnerabilities - including a Google Chrome zero-day - to its Known Exploited Vulnerabilities (KEV) catalogue, and warned that these flaws have been actively exploited in attacks.

All organisations that are part of the Federal Civilian Executive Branch (FCEB) must patch all these vulnerabilities by September 29, 2022, according to a directive from CISA.

According to CISA, these bugs present a serious threat to the federal enterprise and are a common attack vector for malicious actors.

The vulnerabilities that have been added to the KEV catalogue are as follows:

For users of Windows, Mac, and Linux, Google released Chrome 105.0.5195.102 last week to address CVE-2022-3075, a high-severity bug in the Chrome web browser that is now being actively exploited in the wild.

CVE-2022-3075 stems from insufficient data validation in Mojo, a set of runtime libraries that enables message passing across arbitrary inter- and intra-process boundaries.

In a security advisory, Google said that it was "aware of reports that an exploit for CVE-2022-3075 exists in the wild."

Another serious bug added to the KEV catalogue is CVE-2022-27593, which affects QNAP Photo Station software.

QNAP, the network-attached storage (NAS) appliance maker, issued a warning to customers on Monday, informing them that a zero-day bug in Photo Station software was being exploited in DeadBolt ransomware attacks and that the issue had now been patched.

According to QNAP, the flaw was being used by the attackers to encrypt QNAP NAS devices directly connected to the Internet.

The attacks were widespread, with a spike seen in submissions to the ID Ransomware service on Saturday and Sunday.

Reports of the Mirai-based MooBot botnet exploiting critical security bugs in D-Link hardware also emerged this week. The aim of these attacks is to achieve remote code execution and seize control of unpatched devices.

D-Link has now fixed all those weaknesses, although not all users have yet installed the patches.

A legally binding operational directive (BOD 22-01) issued by CISA in November requires FCEB agencies to safeguard their systems against vulnerabilities that are added to the KEV Catalogue in order to lessen the danger of known exploitable faults across US government networks.

Although DHS' BOD 22-01 applies solely to US FCEB agencies, cybersecurity experts advise American enterprises in both the public and commercial sectors to prioritise fixing these issues.

Since issuing the binding directive in November, CISA has added more than 800 security weaknesses that are exploited in attacks to its KEV catalogue, imposing a tighter schedule on federal agencies to fix them in order to prevent security breaches.