March 30 – 10 New Vulns | CVE-2013-3163, CVE-2014-1776, CVE-2017-7494, CVE-2021-30900, CVE-2022-3038, CVE-2022-38181, CVE-2022-39197, CVE-2022-42948, CVE-2022-22706, CVE-2023-0266

In this CISA KEV Breakdown, ten vulnerabilities were added to the Catalog, from vendors ranging from Fortra and the Linux kernel to Apple, Microsoft and Google, with disclosure dates ranging from ten years ago to just six days ago. A majority of the additions appear to stem from Google's Threat Analysis Group (TAG) report on spyware vendors abusing multiple 0-day and n-day vulnerabilities in two separate campaigns targeting Apple and Android devices.

CVE-2014-1776 and CVE-2013-3163 are Internet Explorer vulnerabilities. CISA has issued patching guidance for Internet Explorer in the past; the required action for these additions, however, notes that Internet Explorer is end-of-life (EOL) and should be disconnected if still in use.

CVE-2017-7494 may be recognized by some as SambaCry, a play on words on the WannaCry ransomware that was spreading at the time. Exploitation was observed just days after the Samba team themselves disclosed the vulnerability in 2017.

CVE-2022-39197 and CVE-2022-42948 are two Cobalt Strike vulnerabilities disclosed shortly after one another. The Cobalt Strike 4.7.1 release included a fix for CVE-2022-39197; a remote code execution vulnerability discovered afterwards, CVE-2022-42948, was addressed in a follow-up security patch.

Notable Vulnerability Additions

CVE-2021-30900 | iOS and iPadOS Sandbox Escape Privilege Escalation

A vulnerability exists in iOS and iPadOS before versions 14.8.1 and 15.1 that could allow a malicious application to escalate privileges and execute code with kernel privileges. Apple patched CVE-2021-30900 in October 2021; a report from Google's Threat Analysis Group (TAG), however, indicates that the bug was described in an exploit published in 2020. Brandon Azad writes in the 2020 GitHub repo:

command type 2 corresponds to kIOAccelKernelCommandCollectTimeStamp, which actually *writes* into the OOB memory rather than just parsing data from it. (The IOAccelKernelCommand is being parsed from shared memory, so the write is visible to userspace.) This makes it possible to overwrite the first 1-8 bytes of the subsequent page of memory with timestamp data.

Security Advisory:

https://support.apple.com/en-us/HT212868, https://support.apple.com/kb/HT212872

CVE-2022-3038 | Chrome Use After Free RCE

A use-after-free vulnerability exists in Chrome prior to release 105.0.5195.52 that could allow a remote attacker to trigger heap corruption via a crafted HTML page, potentially leading to remote code execution or a crash. CVE-2022-3038 was also described in the same TAG report as CVE-2021-30900, as part of the campaign observed against Android devices. Google released its fix in August 2022; Samsung shipped the fix for its Samsung Internet Browser in December 2022, with version 19.0.6.

Security Advisory:

https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_30.html

CVE-2022-38181 | ARM Mali GPU Kernel Driver Use After Free Privilege Escalation

A use-after-free vulnerability in the ARM Mali GPU kernel driver could allow a local attacker to access freed memory and execute arbitrary code, or crash the system. The vulnerability was also described in the same TAG report referenced above, as part of the exploit chain used by spyware actors against Samsung and Google devices. A GitHub Security Lab blog post by Man Yue Mo covers disclosing CVE-2022-38181 to Samsung and ARM, and how a non-Google bug was used to exploit the first 'all-Google' phone; it goes into extensive detail on how the vulnerability was discovered and exploited across several different devices. The vulnerability was reported in August 2022, with patches released as recently as January of this year for Pixel phones. View the full disclosure timeline here.

Security Advisory:

https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities

CVE-2022-22706 | ARM Mali GPU Kernel Driver Privilege Escalation

A vulnerability exists in the ARM Mali GPU kernel driver that could allow a non-privileged user to gain write access to read-only memory pages. It was also described in the same TAG report referenced above, as part of the exploit chain used by spyware actors against Samsung and Google devices. ARM released a patch for the vulnerability in January 2022.

Security Advisory:

https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities

CVE-2023-0266 | ALSA PCM Use After Free Privilege Escalation

A use-after-free vulnerability exists in the ALSA PCM code of the Linux kernel: the SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 ioctl paths are missing locks, and the resulting use-after-free can be leveraged to escalate privileges to ring 0 from the system user. CVE-2023-0266 was one of the 0-days observed by Google TAG in a spyware campaign targeting the Samsung Internet Browser. The vulnerability was reported by Google, and a fix that moves the rwsem lock inside snd_ctl_elem_read was pushed to the Linux kernel.

Security Advisory:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-5.10/alsa-pcm-move-rwsem-lock-inside-snd_ctl_elem_read-to-prevent-uaf.patch?id=72783cf35e6c55bca84c4bb7b776c58152856fd4


CISA KEV Breakdown Frequently Asked Questions
  • What makes for a notable addition?
    • A notable addition can arise from many different characteristics. If a particular vulnerability is notable to the security community or a subset of it, or if the EPSS score reveals notable information about the vulnerability, this can warrant further analysis. It may also be the case that a particular vulnerability directly affects everyday users, in which case we highlight important information and key takeaways so that users and readers have easy access to actionable information.
  • When is the Breakdown released?
    • We aim to have our analysis of each KEV update posted within 24 hours of the time in which the Catalog is updated. See CISA’s full catalog here
  • I am not bound by BOD 22-01 or federal regulations, why should the KEV concern me?
    • CISA encourages all organizations to use the Catalog as an attribute in their vulnerability prioritization framework. Organizations looking to narrow their focus to known dangerous vulnerabilities and set a goal of remediating them can see where they currently stand against what CISA has confirmed as exploited in the wild. See CISA's section on "How should organizations use the KEV catalog?" here.
  • What is EPSS?
    • EPSS is the Exploit Prediction Scoring System. It is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. See the EPSS home page on FIRST for more information here.
  • What is the difference between EPSS probability and EPSS percent?
    • EPSS probability is the likelihood calculated by the model for the vulnerability itself. Percentile is a relative comparison against the rest of the CVEs within the given sample. While the probability only changes when the model's results are refreshed, the percentile can change purely based on the CVE sample used. In the Breakdown, we use the percentile given by the pool of all CVEs with EPSS data. Scores may change after this post is published as new information about the vulnerabilities and their perceived threat becomes available. For more information on applying and understanding EPSS data, see this article on the FIRST website, as well as their FAQ page.
  • What is GreyNoise?
    • GreyNoise is a platform that collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise. Through their sensor network, GreyNoise observes vulnerability exploitation attempts for vulnerabilities that are exploited in the wild over the Internet. These are arguably vulnerabilities that should be at the very top of your priority list to remediate.
  • Why are GreyNoise exploitation attempts only observed on ~20% of KEV vulnerabilities?
    • Exploitation of many vulnerabilities in the CISA KEV will not be observed for many reasons that GreyNoise does a good job of explaining in this post. For example:
      • The vulnerability may not be remotely exploitable
      • Vulnerability exploitation may require authentication (and result in privilege escalation)
      • The impacted software may not be exposed to the internet
      • Mass scanning/exploitation is not occurring yet
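Two of the FAQ answers above describe using the Catalog as a prioritization attribute and the difference between EPSS probability and EPSS percentile. The following Python is an added example (not code from this blog, CISA or FIRST) that shows both: it indexes a constructed excerpt in the shape of CISA's KEV JSON feed, computes an EPSS percentile from a constructed pool of probabilities (assuming FIRST's definition, the fraction of scored CVEs at or below a given probability), and ranks constructed scan findings with KEV membership first and EPSS percentile second. The feed entries, EPSS values and hostnames are made up for the example, and CVE-2099-* identifiers are placeholders, not real vulnerabilities.

```python
"""Prioritize scan findings with the CISA KEV catalog and EPSS.

Added example for this Breakdown's FAQ; not code from CISA, FIRST or this blog.
The KEV excerpt and EPSS scores below are constructed for the example, and the
CVE-2099-* identifiers are placeholders, not real vulnerabilities.
"""
import json
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed excerpt in the shape of CISA's KEV JSON feed. Field names follow
# the feed; the entries paraphrase this Breakdown and are not copied from CISA.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2023-0266", "vendorProject": "Linux", "product": "Kernel",
     "vulnerabilityName": "Linux Kernel Use-After-Free Vulnerability",
     "dateAdded": "2023-03-30", "dueDate": "2023-04-20",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2022-3038", "vendorProject": "Google", "product": "Chromium",
     "vulnerabilityName": "Google Chromium Use-After-Free Vulnerability",
     "dateAdded": "2023-03-30", "dueDate": "2023-04-20",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2014-1776", "vendorProject": "Microsoft", "product": "Internet Explorer",
     "vulnerabilityName": "Microsoft Internet Explorer Use-After-Free Vulnerability",
     "dateAdded": "2023-03-30", "dueDate": "2023-04-20",
     "requiredAction": "The impacted product is end-of-life and should be disconnected if still in use."}
  ]
}
"""

# Constructed EPSS probabilities (not real EPSS output); CVE-2099-* are placeholders.
EPSS_SCORES: Dict[str, float] = {
    "CVE-2099-0001": 0.92,
    "CVE-2099-0002": 0.02,
    "CVE-2099-0003": 0.40,
    "CVE-2023-0266": 0.0007,
    "CVE-2022-3038": 0.05,
    "CVE-2014-1776": 0.97,
}

# Constructed scanner output: (host, CVE) pairs.
FINDINGS: List[Tuple[str, str]] = [
    ("build-01", "CVE-2099-0001"),
    ("db-02", "CVE-2023-0266"),
    ("web-03", "CVE-2022-3038"),
    ("kiosk-04", "CVE-2014-1776"),
    ("web-03", "CVE-2099-0003"),
]


def load_kev(feed_json: str) -> Dict[str, dict]:
    """Index a KEV feed document by cveID."""
    feed = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def epss_percentile(probability: float, pool: Iterable[float]) -> float:
    """Percentile of one EPSS probability within a pool of scores.

    Assumes FIRST's definition: the fraction of scored CVEs whose probability
    is less than or equal to this one. The probability comes from the model;
    the percentile depends entirely on which CVEs make up the pool.
    """
    scores = list(pool)
    if not scores:
        raise ValueError("empty pool")
    return sum(1 for s in scores if s <= probability) / len(scores)


@dataclass(frozen=True)
class Ranked:
    host: str
    cve: str
    tier: str           # "KEV" (confirmed exploited) or "EPSS" (predicted only)
    percentile: float   # 0.0 when the CVE has no EPSS score
    action: str         # KEV required action, or a generic one
    due: str            # KEV due date, or "" if not in the Catalog


def prioritize(findings: Iterable[Tuple[str, str]], kev: Dict[str, dict],
               epss: Dict[str, float]) -> List[Ranked]:
    """Rank findings: KEV membership first, then EPSS percentile, then CVE ID."""
    ranked = []
    for host, cve in findings:
        entry = kev.get(cve)
        pct = epss_percentile(epss[cve], epss.values()) if cve in epss else 0.0
        ranked.append(Ranked(
            host=host, cve=cve,
            tier="KEV" if entry else "EPSS",
            percentile=pct,
            action=entry["requiredAction"] if entry else "Patch per normal SLA.",
            due=entry["dueDate"] if entry else "",
        ))
    return sorted(ranked, key=lambda r: (r.tier != "KEV", -r.percentile, r.cve))


if __name__ == "__main__":
    catalog = load_kev(KEV_FEED_JSON)
    for r in prioritize(FINDINGS, catalog, EPSS_SCORES):
        print(f"{r.tier:4} {r.percentile:5.2f} {r.host:9} {r.cve:14} "
              f"due={r.due or '-'} {r.action}")
```

Swapping in a different pool changes the percentile of CVE-2023-0266 while its probability stays fixed, which is the distinction the FAQ draws, and the EOL Internet Explorer entry surfaces CISA's disconnect instruction instead of a patch action, so the ranking carries the remediation step and due date alongside the score.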