- 5 easy ways to transfer photos from your Android device to your Windows PC
- How to get Google's new Pixel 9a for free
- Just installed iOS 18.4? Changing these 3 features made my iPhone much better to use
- 7 strategic insights business and IT leaders need for AI transformation in 2025
- The most underrated robot vacuum I've ever tested is now 60% off
CISA Tells Organizations to Patch CVEs Dating Back to 2014
The US government has added eight more vulnerabilities to its growing list of CVEs that must be patched by federal agencies, including some that first appeared eight years ago.
The Cybersecurity and Infrastructure Security Agency (CISA) first launched its Known Exploited Vulnerabilities Catalog in November 2021 as part of a government effort to enhance cyber-resilience.
The Binding Operational Directive (BOD) 22-01 that enabled it applies only to civilian federal agencies, but all organizations are encouraged to monitor the list on an ongoing basis as part of best practice security efforts.
The latest eight additions to the catalog include two that must be patched by February 11: a memory corruption vulnerability in Apple’s IOMobileFrameBuffer (CVE-2022-22587) and a stack-based buffer overflow bug SonicWall SMA 100 appliances (CVE-2021-20038).
Interestingly, while two of the remaining six CVEs were first discovered and published to the National Vulnerability Database (NVD) in 2020, four come from several years earlier.
These include two arbitrary code execution vulnerabilities in the GNU’s Bourne Again Shell (Bash) Unix shell and command language, from 2014 (CVE-2014-7169 and CVE-2014-6271).
Also, from 2014 is an Internet Explorer use-after-free bug (CVE-2014-1776).
The final CVE on the new list is a privilege escalation vulnerability in Intel’s Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability offerings. It was first published back in 2017.
Aside from the Apple and SonicWall flaws, all those on the list must be patched by July 28 2022.
Their inclusion in the catalog is proof again that threat actors often favor older CVEs that have been forgotten about rather than spending the time and resource researching zero-days.
Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, argued that IT teams find it increasingly difficult to stay on top of a mounting patch-load, never mind fixing bugs from several years ago.
“We have a couple of options. Either we hire more people to remediate vulnerabilities and mitigate risk. Or we can be more efficient with the people, resources and tools we already have,” he added.
“The only way the cybersecurity industry will be able to reduce an increasingly concerning accumulation of risk and associated cyber-debt will be through a risk-based approach to vulnerability prioritization and a well-orchestrated approach to risk mitigation. It isn’t easy, but it is possible if leaders make cyber-hygiene and risk management a priority.”
CISA now has over 350 vulnerabilities in its “must-patch” catalog.
