Tuesday, July 2, 2024

CISA adds recently disclosed Apple flaws to its Known Exploited Vulnerabilities catalog (Security Affairs)

The US Cybersecurity and Infrastructure Security Agency (CISA) has added six new vulnerabilities to its Known Exploited Vulnerabilities catalog.

Below is the list of the flaws added to the catalog:

  • CVE-2023-32434: Apple Multiple Products Integer Overflow Vulnerability – Apple iOS, iPadOS, macOS, and watchOS contain an integer overflow vulnerability that could allow an application to execute code with kernel privileges.
  • CVE-2023-32435: Apple iOS and iPadOS WebKit Memory Corruption Vulnerability – Apple iOS and iPadOS WebKit contain a memory corruption vulnerability leading to code execution when processing web content.
  • CVE-2023-32439: Apple Multiple Products WebKit Type Confusion Vulnerability – Apple iOS, iPadOS, macOS, and Safari WebKit contain type confusion vulnerabilities leading to code execution when processing maliciously crafted web content.
  • CVE-2023-20867: VMware Tools Authentication Bypass Vulnerability – VMware Tools contains an authentication bypass vulnerability in the vgauth module. A fully compromised ESXi host can cause VMware Tools to fail to authenticate host-to-guest operations, affecting the confidentiality and integrity of the guest virtual machine. An attacker must already have root access to the ESXi host to exploit this vulnerability.
  • CVE-2023-27992: Zyxel Multi-NAS Device Command Injection Vulnerability – Several Zyxel Network Attached Storage (NAS) devices contain a pre-authentication command injection vulnerability that could allow an unauthenticated attacker to execute commands remotely via a crafted HTTP request.
  • CVE-2023-20887: VMware Aria Operations for Networks Command Injection Vulnerability – VMware Aria Operations for Networks (formerly vRealize Network Insight) contains a command injection vulnerability that could allow a malicious actor with network access to perform a command injection attack resulting in remote code execution.

According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.

Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.

CISA mandates federal agencies to fix these vulnerabilities by July 14, 2023.

This week CISA also added to its Known Exploited Vulnerabilities catalog three more flaws, which were exploited by the Russia-linked APT28 group to hack Roundcube email servers used by Ukrainian organizations.

In recent campaigns, the threat actors used news about the ongoing conflict between Russia and Ukraine as bait. The cyberespionage attacks exploited Roundcube Webmail vulnerabilities (CVE-2020-35730, CVE-2020-12641 and CVE-2021-44026) to compromise vulnerable servers.

CISA mandates federal agencies to fix these three flaws by July 14, 2023.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Known Exploited Vulnerabilities catalog)
