CISA Known Exploited Vulnerabilities Breakdown
August 25, 2022 – 11 New Vulns
With BOD 22-01, CISA maintains a catalog of CVEs that are known to have been exploited. Within the catalog, CISA mandates that the most urgent vulnerabilities be patched within 2 weeks and the least urgent within 6 months. The recent releases included 11 new additions from August 22nd to the present day.
In this Breakdown, our team of Nucleus vulnerability experts has identified four notable additions in this release: the dotCMS file upload vulnerability, the PAN OS TCP reflected amplification vulnerability, the Apache APISIX Admin API restriction bypass vulnerability, and the Spring Cloud Function RCE. To better understand each component of our Breakdown, including what we consider a notable release, please see the Frequently Asked Questions section below.
Also be sure to follow Nucleus Security on Twitter, where we will be posting each time a new Breakdown is released.
| CVE ID | Software | Vendor | Exploitation Result | Due Date | EPSS Probability | EPSS Percentile |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-0028 | PAN OS | Palo Alto Networks | Denial of Service | 9/12/2022 | 0.00885 | 0.26091 |
| CVE-2022-22963 | Spring Cloud | VMware Tanzu | Remote Execution | 9/15/2022 | 0.94581 | 0.99952 |
| CVE-2021-39226 | Grafana | Grafana Labs | Authentication Bypass | 9/15/2022 | 0.01183 | 0.60365 |
| CVE-2021-38406 | DOPSoft 2 | Delta Electronics | Input Validation | 9/15/2022 | 0.01036 | 0.41149 |
| CVE-2021-31010 | iOS, macOS, watchOS | Apple | Sandbox Bypass | 9/15/2022 | 0.01018 | 0.38702 |
Notable Vulnerability Additions
CVE-2022-26352 | dotCMS Unrestricted File Upload vulnerability
How long does hacking into a bank take? According to Shubham Shah and Hussein Daher, half a day of source-code auditing. CVE-2022-26352 is an unrestricted file upload vulnerability discovered as a 0day in dotCMS, a content management system written in Java.
Their blog post from May 3 of this year walks through how to audit source code in a white-box setting and arrive at the discovery of the file upload vulnerability. The post is a great example of responsible disclosure: as well as developing the PoC that makes the bug exploitable, they also explain what made it possible to use this vulnerability against a real-world environment. While the story itself was disclosed a few months ago, the CVE was added to the KEV on 08/25 with a remediation due date of 09/15.
CVE-2022-0028 | PAN OS TCP Reflected Amplification vulnerability
While CVE-2022-0028 is considered more of a misconfiguration than a vulnerability, the mechanisms that exist in the product still allow for exploitation. CVE-2022-0028 scores rather low according to EPSS, which may come as no surprise to some, since it is only exploitable when URL filtering is applied incorrectly in your network.
As Palo Alto explains in its security advisory, “Such URL filtering is not meant to be used in the other direction for traffic coming from the Internet to the protected network. URL filtering in that direction offers no benefits. Hence any firewall configuration that is doing this is likely unintentional and considered a misconfiguration.”
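The misconfiguration the advisory describes is easy to check for programmatically: walk the security rulebase and flag any rule whose source zone faces the Internet and which attaches a URL filtering profile. The script below is an added illustration for this Breakdown, not Palo Alto Networks' tooling or code from the advisory. The XML it parses is a constructed, simplified layout that only mimics the general shape of a PAN-OS rulebase export, and the zone name `untrust` is an assumption, so adapt the element paths and zone names to your own configuration export.

```python
"""Lint a security rulebase for URL filtering applied to Internet-to-internal traffic.

Added illustration for this Breakdown, not Palo Alto Networks' code or tooling.
The XML below is a constructed, simplified layout that only mimics the general
shape of a PAN-OS security rulebase export; treat the element paths and the
zone names as assumptions and adapt them to your own export.
"""
import xml.etree.ElementTree as ET

# Constructed sample: four rules, two of which apply URL filtering to traffic
# arriving from the Internet-facing zone (explicitly, or via a source of "any").
SAMPLE_RULEBASE = """
<rulebase>
  <security>
    <rules>
      <entry name="outbound-web">
        <from><member>trust</member></from>
        <to><member>untrust</member></to>
        <profile-setting><profiles><url-filtering><member>default</member></url-filtering></profiles></profile-setting>
      </entry>
      <entry name="inbound-dmz-web">
        <from><member>untrust</member></from>
        <to><member>dmz</member></to>
        <profile-setting><profiles><url-filtering><member>default</member></url-filtering></profiles></profile-setting>
      </entry>
      <entry name="inbound-vpn">
        <from><member>untrust</member></from>
        <to><member>trust</member></to>
        <profile-setting><profiles><vulnerability><member>strict</member></vulnerability></profiles></profile-setting>
      </entry>
      <entry name="catch-all">
        <from><member>any</member></from>
        <to><member>any</member></to>
        <profile-setting><profiles><url-filtering><member>default</member></url-filtering></profiles></profile-setting>
      </entry>
    </rules>
  </security>
</rulebase>
"""

# Assumption: these zone names face the Internet in the sample network.
EXTERNAL_ZONES = {"untrust"}


def zone_members(entry, tag):
    """Collect the zone names listed under <from> or <to> for one rule."""
    return {m.text.strip() for m in entry.iterfind(f"./{tag}/member") if m.text}


def has_url_filtering(entry):
    """True when the rule attaches a URL filtering profile."""
    return entry.find("./profile-setting/profiles/url-filtering/member") is not None


def inbound_url_filtering_rules(xml_text, external_zones=EXTERNAL_ZONES):
    """Return (rule name, source zones, destination zones) for every rule that
    applies URL filtering to traffic whose source zone faces the Internet.
    A source of "any" counts as inbound too, since it admits such traffic."""
    root = ET.fromstring(xml_text)
    flagged = []
    for entry in root.iterfind("./security/rules/entry"):
        src = zone_members(entry, "from")
        dst = zone_members(entry, "to")
        inbound = "any" in src or bool(src & external_zones)
        if inbound and has_url_filtering(entry):
            flagged.append((entry.get("name"), sorted(src), sorted(dst)))
    return flagged


if __name__ == "__main__":
    for name, src, dst in inbound_url_filtering_rules(SAMPLE_RULEBASE):
        print(f"review rule {name!r} ({','.join(src)} -> {','.join(dst)}): "
              "URL filtering on Internet-to-internal traffic offers no benefit")
```

Rules flagged by this check are candidates for review rather than automatic removal: the advisory's point is that URL filtering in that direction offers no benefit, so the profile can be dropped from the rule without losing protection.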
The discovery of this reflected amplification attack via TCP follows a research paper discussing the ways in which middleboxes can be utilized to perform such attacks. One particular problem revealed in this research is that the censorship mechanisms nation-states apply to traffic flowing inside their borders can be used as middleboxes by attackers seeking to pivot off of this technology when conducting TCP DoS attacks. The full research paper can be found here.
CVE-2022-24112 | Apache APISIX Admin API Restriction Bypass Vulnerability
While in the headlines some time ago, CVE-2022-24112 illustrates a historically less popular but upward-trending form of 0day disclosure: a CTF built on the most up-to-date version of the software.
An API restriction bypass vulnerability in Apache APISIX was discovered by LiveOverflow’s team during the Real World CTF event. Through a plugin exposed in the default configuration of APISIX, they were able to craft a PoC, a Lua script, that sends a request to create a malicious route through which they could grab the flag for the CTF. It is always important to remember responsible disclosure when a CTF is deliberately built on up-to-date software, where the solution likely aligns with the discovery of a 0day.
For newer members of the security community and security researchers looking for more hands-on hacking practice, CTFs were and still are a great form of learning, problem-solving and teamwork that elevates your skill set immensely. Understanding how attackers perform threat surface analysis can massively improve decision-making and actioning in DevSecOps pipelines.
CVE-2022-22963 | Spring Cloud Function RCE
CVE-2022-22963, not to be confused with Spring4Shell, couldn’t have arrived at a more confusing time for the security community. As the media was frenzied for another headliner at the height of log4shell, some saw an opportunity in what was identified as CVE-2022-22965. Although arguably an even less severe vulnerability than CVE-2022-22963, it quickly earned a copycat name and was plastered across headlines.
Once the security community digested the existing workarounds and began applying patches, it became clear that the aftermath of Spring4Shell was not as severe as log4shell for most. While CVE-2022-22965 (Spring4Shell) posed a threat to a larger set of organizations, CVE-2022-22963 (our SCF RCE friend) would arguably be the higher threat to the organizations it did affect. So, without proper threat intelligence incorporated in your vulnerability management program, you may have considered Spring4Shell a higher priority than the closely released SCF RCE added to the KEV on 08/25, even if you were affected by both. It is important to weigh your own organization’s risk in the immediate aftermath of large disclosures such as CVE-2022-22963 and CVE-2022-22965, and to remember how easily that can differ from the perceived threat within the security community as a whole.
Frequently Asked Questions
- What makes for a notable addition?
- A notable addition can arise from many different characteristics. If a particular vulnerability is notable to the security community or a subset of it, or if the EPSS score reveals notable information about the vulnerability, this can warrant further analysis. It may also be the case that a particular vulnerability directly affects everyday users, in which case we highlight important information and key takeaways to ensure users and readers have easy access to actionable information.
- When is the Breakdown released?
- We aim to have our analysis of each KEV update posted within 24 hours of the time the Catalog is updated. See CISA’s full catalog here.
- I am not bound by BOD 22-01 or federal regulations; why should the KEV concern me?
- CISA encourages all organizations to utilize the Catalog as an attribute in their vulnerability prioritization framework. Organizations looking to narrow their scope to known dangerous vulnerabilities and set a goal of remediating them can understand where they currently stand against what CISA has confirmed as vulnerabilities exploited in the wild.
- What is EPSS?
- EPSS is the Exploit Prediction Scoring System. It is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild.
- See the EPSS home page on FIRST for more information here.
- What is the difference between EPSS probability and EPSS percentile?
- EPSS probability is the likelihood calculated by the model when estimating the threat posed by the vulnerability itself. The percentile is a relative comparison against the rest of the CVEs in a given sample. While the probability only changes when the model’s results are refreshed, the percentile can change purely based on the CVE sample used. In the Breakdown, we use the percentile given by the pool of all CVEs with EPSS data. Scores may vary after this post is published as new information about the vulnerabilities and their perceived threat emerges.
- For more information on applying and understanding EPSS data, see this article on the FIRST website, as well as its FAQ page.
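The FAQ answers above (using the Catalog as a prioritization attribute, and the difference between EPSS probability and percentile) can be made concrete with a short script. The following Python is an added example for this Breakdown, not Nucleus Security's, CISA's or FIRST's code. It assumes record shapes that mimic the public CISA KEV JSON feed (`cveID`, `product`, `dueDate`) and the FIRST EPSS API (`epss`, `percentile`); every value is constructed from the table in this post rather than fetched live, and the sample percentile counts CVEs scoring strictly below a given probability, which may differ from FIRST's exact convention.

```python
"""Rank KEV additions with EPSS, and show why the percentile depends on the sample.

Added example for this Breakdown, not Nucleus Security's, CISA's or FIRST's code.
Assumptions: the record shapes mimic the public CISA KEV JSON feed (cveID,
product, dueDate) and the FIRST EPSS API (epss, percentile); every value below
is constructed from the table in this post rather than fetched live, and the
sample percentile counts CVEs scoring strictly below a given probability,
which may differ from FIRST's exact convention.
"""
from datetime import date

# Constructed from the table above (due dates and EPSS probabilities as printed there).
KEV_SAMPLE = [
    {"cveID": "CVE-2022-0028", "product": "PAN OS", "dueDate": "2022-09-12"},
    {"cveID": "CVE-2022-22963", "product": "Spring Cloud", "dueDate": "2022-09-15"},
    {"cveID": "CVE-2021-39226", "product": "Grafana", "dueDate": "2022-09-15"},
    {"cveID": "CVE-2021-38406", "product": "DOPSoft 2", "dueDate": "2022-09-15"},
    {"cveID": "CVE-2021-31010", "product": "iOS, macOS, watchOS", "dueDate": "2022-09-15"},
]
EPSS_SAMPLE = {
    "CVE-2022-0028": 0.00885,
    "CVE-2022-22963": 0.94581,
    "CVE-2021-39226": 0.01183,
    "CVE-2021-38406": 0.01036,
    "CVE-2021-31010": 0.01018,
}


def percentile(prob, population):
    """Fraction of `population` with an EPSS probability strictly below `prob`.

    The published EPSS percentile applies this idea to every scored CVE; passing a
    different population changes the percentile while the probability stays fixed."""
    population = list(population)
    return sum(1 for p in population if p < prob) / len(population)


def prioritize(kev, epss, today_iso):
    """Order KEV entries: overdue first, then soonest due date, then highest EPSS.

    `today_iso` is an ISO date string such as "2022-08-25"."""
    today = date.fromisoformat(today_iso)
    rows = []
    for entry in kev:
        due = date.fromisoformat(entry["dueDate"])
        prob = epss.get(entry["cveID"], 0.0)  # unknown CVEs sort last within a due date
        rows.append({
            "cve": entry["cveID"],
            "product": entry["product"],
            "due": entry["dueDate"],
            "days_left": (due - today).days,
            "epss": prob,
            # Percentile relative to this small sample only; compare with the
            # published percentile, which is relative to every scored CVE.
            "sample_percentile": percentile(prob, epss.values()),
        })
    # False sorts before True, so overdue entries (negative days_left) come first.
    rows.sort(key=lambda r: (r["days_left"] >= 0, r["days_left"], -r["epss"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(KEV_SAMPLE, EPSS_SAMPLE, "2022-08-25"):
        flag = "OVERDUE" if r["days_left"] < 0 else f"{r['days_left']}d left"
        print(f"{r['cve']:<15} {r['product']:<20} due {r['due']} ({flag}) "
              f"epss={r['epss']:.5f} sample_pct={r['sample_percentile']:.2f}")
```

Run against the five-entry sample, CVE-2022-22963 lands at the 0.80 sample percentile even though its published percentile is 0.99952: the probability is the same in both cases, only the comparison population differs. Against live data, replace the two constructed structures with the KEV feed and EPSS API responses for the same CVE IDs.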