Matthew Spencer - Tech Journalist

CISA's Known Exploited Vulnerabilities Catalogue: a must-patch list of actively exploited bugs

The Cybersecurity and Infrastructure Security Agency (CISA) has added a fresh batch of vulnerabilities to its Known Exploited Vulnerabilities catalogue: bugs that are already being exploited in the wild and are still unpatched in many environments. Federal agencies have been told to fix them as soon as possible; some of the bugs are as much as seven years old and still work against unpatched systems. One deadline, 15 February, covers a bug affecting unpatched versions of Windows 10; because it can be exploited with no user interaction, it has been given immediate priority.

The news gained traction quickly because some of the vulnerabilities are as old as seven years and still affect agencies. Fifteen new vulnerabilities have been added to the must-patch list, which now stands at 315 entries. Gordon Bitko, Senior VP of Policy, told Government Matters in an interview that Log4j is still the most closely watched vulnerability that agencies and companies are trying to fix.

Log4j, the Apache logging library, is a widespread dependency for a variety of reasons. Even when an organization's own copy is patched, the risk remains: it is hard to determine your exact exposure to Log4j, and if you depend on other services, the vulnerable library may be sitting inside them too.

CVE-2021-27104 is the "Accellion FTA OS Command Injection Vulnerability" in the Accellion File Transfer Appliance. CISA describes it as allowing remote execution of operating-system commands on Accellion FTA 9_12_370 and earlier via a crafted POST request. The catalogue is prepared by CISA, part of the Department of Homeland Security, and assigns agencies a required remediation action with a deadline for each entry.

Older vulnerabilities on the list include bugs in Microsoft Office, D-Link routers, Oracle WebLogic, and more. Four of them are rated critical under version 3 of CVSS. The Common Vulnerability Scoring System (CVSS) captures a vulnerability's "principal characteristics" and produces "a numerical score reflecting its severity." The critical bugs include CVE-2020-0796 in Microsoft SMBv3 and CVE-2018-1000861 in the Jenkins DevOps server; they score from 9.8 to 10.

The other two critical bugs are in the Apache ActiveMQ message broker and the Apache Struts framework, which is used to build Java web applications. Federal systems are often not up to date, which is another reason agencies are given a deadline to patch. If vulnerability statistics are anything to go by, private companies and large organizations patch faster than the federal government.

The rest of the vulnerabilities are classified as high severity, scored under CVSS version 3 or, for some older bugs, under version 2. Although agencies have been given a tight schedule, some fixes will take longer, so those carry a later deadline of August 2022.
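The deadlines only help if someone is tracking them. Below is an added example (not from the article, and not CISA's code) that triages the CVEs a scanner found on a host against a KEV feed. The record layout (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, requiredAction) mirrors the field names of CISA's public JSON feed, but the entries embedded here are constructed sample data with illustrative dates, not a copy of the catalogue.

```python
"""Triage installed CVEs against a KEV feed by remediation deadline (added example)."""
import json
from datetime import date, timedelta

# CONSTRUCTED sample feed in the shape of CISA's JSON feed. CVE IDs are ones the
# article discusses; dates are illustrative, not taken from the real catalogue.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2022.02.10",
    "vulnerabilities": [
        {"cveID": "CVE-2021-27104", "vendorProject": "Accellion", "product": "FTA",
         "vulnerabilityName": "Accellion FTA OS Command Injection Vulnerability",
         "dateAdded": "2021-11-03", "dueDate": "2021-11-17",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2021-36934", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows SAM Local Privilege Escalation Vulnerability",
         "dateAdded": "2022-02-10", "dueDate": "2022-02-24",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2020-0796", "vendorProject": "Microsoft", "product": "SMBv3",
         "vulnerabilityName": "Microsoft SMBv3 Remote Code Execution Vulnerability",
         "dateAdded": "2022-02-10", "dueDate": "2022-08-10",
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})


def load_kev(feed_text):
    """Parse a KEV-shaped feed and index entries by upper-cased CVE ID."""
    feed = json.loads(feed_text)
    catalogue = {}
    for entry in feed["vulnerabilities"]:
        record = dict(entry)
        record["dueDate"] = date.fromisoformat(entry["dueDate"])
        record["dateAdded"] = date.fromisoformat(entry["dateAdded"])
        catalogue[entry["cveID"].upper()] = record
    return catalogue


def triage(catalogue, installed_cves, today=None, warn_days=14):
    """Bucket a host's CVEs by KEV deadline status.

    today may be a date, an ISO string, or None (use the real date).
    Returns lists: overdue (cve, days_late), due_soon (cve, days_left),
    scheduled (cve, due_date), and not_in_kev (cve).
    """
    if today is None:
        today = date.today()
    elif isinstance(today, str):
        today = date.fromisoformat(today)
    horizon = today + timedelta(days=warn_days)
    result = {"overdue": [], "due_soon": [], "scheduled": [], "not_in_kev": []}
    for cve in sorted({c.upper() for c in installed_cves}):
        entry = catalogue.get(cve)
        if entry is None:
            result["not_in_kev"].append(cve)
            continue
        due = entry["dueDate"]
        if due < today:
            result["overdue"].append((cve, (today - due).days))
        elif due <= horizon:
            result["due_soon"].append((cve, (due - today).days))
        else:
            result["scheduled"].append((cve, due.isoformat()))
    return result


if __name__ == "__main__":
    catalogue = load_kev(SAMPLE_KEV_JSON)
    # Constructed scanner output for one host; the Log4j ID is deliberately
    # absent from the sample feed to show the not_in_kev bucket.
    found = ["cve-2021-27104", "CVE-2020-0796", "CVE-2021-36934", "CVE-2021-44228"]
    report = triage(catalogue, found, today="2022-02-15")
    for bucket, items in report.items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Two caveats a practitioner would add: a CVE missing from the KEV feed is not a CVE that can wait (Log4j's CVE-2021-44228 is absent only from this constructed sample), and the comparison is by CVE ID alone, so the scanner must map installed versions to CVEs correctly before this step means anything.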

CVE-2021-36934 affects the Microsoft Windows Security Accounts Manager (SAM). User workstations and work computers need the fix as early as possible. Even when a system is patched, the underlying hole still affects it if its dependencies do not get the same attention.

The flaw is a local privilege escalation, not a remote one: overly permissive access control lists (ACLs) on the SAM database and other system files let a non-administrative user read them and elevate privileges. Microsoft's advisory gives a quick check: run "icacls %windir%\system32\config\sam" and look for "BUILTIN\Users:(I)(RX)" in the output, which indicates a vulnerable host. At Tech News Hub, we covered the Log4j vulnerabilities when they first emerged as a threat.

The significance of these vulnerabilities went unnoticed for years: systems were exposed, but few people realized it, and that is what made this round of additions notable. Vulnerabilities and bugs are discovered all the time, but the recent ones are among the most severe in quite some time.

The catalogue is a product of CISA's Binding Operational Directive 22-01, issued in November 2021. CISA has drawn praise from other cyber security agencies for identifying the exploited vulnerabilities quickly and providing clear instructions. The agency keeps monitoring vulnerabilities, and the "known exploited" ones it lists are the most severe to date. CISA is also involved in the CVSS Special Interest Group (SIG), which is working on improvements to the CVSS standard.