7 New Exploited Vulnerabilities are Added to CISA Database

Based on the evidence of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) decided to add a significant SAP security weakness to its list of known exploited vulnerabilities on Thursday.

The problem in question, CVE-2022-22536, was fixed by SAP as part of its Patch Tuesday updates for February 2022. It carries the highest risk score of 10.0 on the CVSS vulnerability scoring system. So, without any delay let’s talk about the 7 New Exploited Vulnerabilities Added to CISA Database.

Described as an HTTP request smuggling vulnerability, the shortcoming impacts the following product versions –

  • SAP Web Dispatcher (Versions – 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87)
  • SAP Content Server (Version – 7.53)
  • SAP NetWeaver and ABAP Platform (Versions – KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49)

An unauthenticated attacker has the ability to append arbitrary data to a victim’s request, enabling function execution while the victim is impersonated or poisoning intermediary web caches, according to a CISA notice.

According to Onapsis, which found the issue, “a simple HTTP request, indistinguishable from any other acceptable message and without any type of authentication, is adequate for a successful exploitation.” As a result, it is simpler for attackers to exploit it and more difficult for security technology like firewalls or IDS/IPS to identify it (as it does not present a malicious payload).

Aside from the SAP weakness, the agency added new flaws disclosed by Apple (CVE-2022-32893, and CVE-2022-32894) and Google (CVE-2022-2856) this week as well as previously documented Microsoft-related bugs (CVE-2022-21971 and CVE-2022-26923) and a remote code execution vulnerability in Palo Alto Networks PAN-OS (CVE-2017-15944, CVSS score: 9.8) that was disclosed in 2017.

CVE-2022-21971 (CVSS score: 7.8) is a remote code execution vulnerability in Windows Runtime that was resolved by Microsoft in February 2022. CVE-2022-26923 (CVSS score: 8.8), fixed in May 2022, relates to a privilege escalation flaw in Active Directory Domain Services.

According to Microsoft’s advisory for CVE-2022-26923, “An authorized user may modify properties on computer accounts they own or manage and get a certificate from Active Directory Certificate Services that would allow elevation of privilege to System.”

To prevent threat actors from exploiting the vulnerabilities further, the CISA notification, as is customary, is low on technical information about real-world assaults linked to them.

Federal Civilian Executive Branch (FCEB) organizations must implement the necessary fixes before September 8, 2022, in order to reduce exposure to potential threats.

We hope after reading this article you got complete knowledge about 7 New Exploited Vulnerabilities Added to CISA Database.

Leave a Reply

Your email address will not be published.