CISA Expands Vulnerabilities Catalog With Old, Exploited Flaws
The Cybersecurity and Infrastructure Security Agency (CISA) has added six known flaws to its Known Exploited Vulnerabilities Catalog on September 15, 2022.

“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose a significant risk to the federal enterprise,” the Agency wrote.

The six issues include three that affect the Linux kernel, one in the Code Aurora ACDB audio driver (which is present in third-party products, including Qualcomm and Android), and one remote code execution flaw in Microsoft Windows.

While CISA regularly updates its Vulnerability Catalog, the newly added flaws are notable because some of them are quite old.

“What is concerning me is that four of the CVEs posted [yesterday] are from 2013, and one is from 2010,” Paul Baird, chief technical security officer UK at Qualys, told Infosecurity Magazine.

Only one of the newly added exploited vulnerabilities is a CVE from 2022. According to Baird, this shows that several companies struggle to fully understand their information technology (IT) infrastructure, keep those IT assets up to date, or adequately mitigate issues so that there is no risk of exploitation.

“Patching known vulnerabilities is one of the best ways to prevent attacks, but many companies are finding it hard to keep up,” Baird added. “Similarly, end-of-life systems should be replaced or migrated if they are still needed for businesses.”

The addition of the six known flaws to CISA’s catalog comes days after the Agency added two zero-day vulnerabilities affecting the Microsoft Windows Common Log File System Driver and Apple iOS / iPadOS / macOS Monterey and Big Sur, respectively.

CISA has also recently published new guidelines to help developers improve the security of the software supply chain. The document was the result of a collaboration between CISA, the National Security Agency (NSA) and the Office of the Director of National Intelligence (ODNI).
