CISA Tells Organizations to Patch CVEs Dating Back to 2014
The US government has added eight more vulnerabilities to its growing list of CVEs that must be patched by federal agencies, including some that first appeared eight years ago.
The Cybersecurity and Infrastructure Security Agency (CISA) first launched its Known Exploited Vulnerabilities Catalog in November 2021 as part of a government effort to enhance cyber-resilience.
The Binding Operational Directive (BOD) 22-01 that enabled it applies only to civilian federal agencies, but all organizations are encouraged to monitor the list on an ongoing basis as part of best practice security efforts.
The latest eight additions to the catalog include two that must be patched by February 11: a memory corruption vulnerability in Apple’s IOMobileFrameBuffer (CVE-2022-22587) and a stack-based buffer overflow bug SonicWall SMA 100 appliances (CVE-2021-20038).
Interestingly, while two of the remaining six CVEs were first discovered and published to the National Vulnerability Database (NVD) in 2020, four come from several years earlier.
These include two arbitrary code execution vulnerabilities in the GNU’s Bourne Again Shell (Bash) Unix shell and command language, from 2014 (CVE-2014-7169 and CVE-2014-6271).
Also, from 2014 is an Internet Explorer use-after-free bug (CVE-2014-1776).
The final CVE on the new list is a privilege escalation vulnerability in Intel’s Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability offerings. It was first published back in 2017.
Aside from the Apple and SonicWall flaws, all those on the list must be patched by July 28 2022.
Their inclusion in the catalog is proof again that threat actors often favor older CVEs that have been forgotten about rather than spending the time and resource researching zero-days.
Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, argued that IT teams find it increasingly difficult to stay on top of a mounting patch-load, never mind fixing bugs from several years ago.
“We have a couple of options. Either we hire more people to remediate vulnerabilities and mitigate risk. Or we can be more efficient with the people, resources and tools we already have,” he added.
“The only way the cybersecurity industry will be able to reduce an increasingly concerning accumulation of risk and associated cyber-debt will be through a risk-based approach to vulnerability prioritization and a well-orchestrated approach to risk mitigation. It isn’t easy, but it is possible if leaders make cyber-hygiene and risk management a priority.”
CISA now has over 350 vulnerabilities in its “must-patch” catalog.