With these 15 new additions to CISA KEV, the catalog has officially grown to cover more than 1,000 vulnerabilities – a feat that we’ve been keeping an eye on for the last month, and even created a special piece of KEV-inspired artwork to commemorate the occasion, titled “A Picture is Worth 1,000 Vulns.” But, what does this milestone mean? And what have we learned along the way? Check out CISA’s recent 1,000 vulnerabilities blog post marking this moment to find out.
September 12-19: 15 New Vulns
In this CISA KEV Breakdown, we cover several days of additions to the KEV starting from the 12th to the one added today, the 19th. To kick it off, CISA blows the dust off CVE-2014-8361 and CVE-2017-6884, recognizing the exploitation these vulnerabilities have attributed to for nearly a decade. Botnet campaigns and mass-scanning tools alike will continue to utilize these bugs, so long as they continue to see that it works. The addition of these bugs to the KEV is a bit of a sobering reminder that there is a lot of technical debt left to cover out there.
With already-known exploits in mind, the PHP Ignition RCE from 2021 joins the battle. Since the vulnerability is contained within the Ignition package itself, any application built using Laravel was found to be vulnerable. This was one of many disclosures in 2021 surrounding supply-chain security risks that continued to shine light on the potential for danger in dependency vulnerabilities. We’ll let you guess the other ones.
CVE ID | Vendor/Project | Software | Exploitation Consequence | GreyNoise Traffic | EPSS Score | EPSS Percentile | Due Date |
CVE-2023-26369 | Adobe | Acrobat and Reader | Code Execution | 0.00055 | 21.03% | 10/05/2023 | |
CVE-2023-35674 | Android | Framework | Privilege Escalation | 0.00064 | 26.46% | 10/04/2023 | |
CVE-2023-4863 | WebP | Code Execution | 0.0015 | 50.44% | 10/04/2023 | ||
CVE-2023-20269 | Cisco | Adaptive Security Appliance and Firepower Threat Defense | Security Bypass | 0.02588 | 89% | 10/04/2023 | |
CVE-2023-36802 | Microsoft | Streaming Service Proxy | Privilege Escalation | 0.00051 | 17.81% | 10/03/2023 | |
CVE-2023-36761 | Microsoft | Word | Information Disclosure | 0.49532 | 97.08% | 10/03/2023 | |
CVE-2022-31459 | Owl Labs | Meeting Owl | Security Bypass | 0.00059 | 23.26% | 10/09/2023 | |
CVE-2022-31461 | Owl Labs | Meeting Owl | Security Bypass | 0.00053 | 19.34% | 10/09/2023 | |
CVE-2022-31462 | Owl Labs | Meeting Owl | Security Bypass | 0.00056 | 21.75% | 10/09/2023 | |
CVE-2022-31463 | Owl Labs | Meeting Owl | Security Bypass | 0.00059 | 23.26% | 10/09/2023 | |
CVE-2022-22265 | Samsung | Mobile Devices | Code Execution | 0.00063 | 25.14% | 10/09/2023 | |
CVE-2017-6884 | Zyxel | EMG2926 Routers | Command Injection | 0.96953 | 99.62% | 10/09/2023 | |
CVE-2021-3129 | Laravel | Ignition | Remote Code Execution | 0.97515 | 99.98% | 10/09/2023 | |
CVE-2014-8361 | Realtek | SDK | Remote Code Execution | 0.97246 | 99.76% | 10/09/2023 |
Notable Vulnerability Additions
CVE-2023-4863 | WebP Code Execution
A vulnerability in the WebP code library, libwebp, prior to this commit (902bc9190331343b2017211debcec8d2ab87e17a) could allow an attacker to cause code execution, or in other cases denial of service. The bug is specifically within the BuildHuffmanTable function which is used during the decoding of webp images. This vulnerability was reported by Google and affects any application built utilizing WebP, which goes far beyond just Chrome itself. Many applications today, such as Chromium and Electron, utilize certain libraries and frameworks that depend on libwepb, as you can see from some of the listings in this Stackdiary blog by Alex Ivanovs.
The Google Chrome Release update notes that the vulnerability was reported by Apple’s Security Engineering And Architecture (SEAR) and Citizen Lab on September 6. This indicates it is possible that evidence of exploitation in the WebP framework was found during their joint investigation of the BLASTPASS exploitation recently discussed in our September 11 Breakdown post. At this time, public exploit code or PoCs do not appear to be readily available. It’ll be important to keep an eye on the affected technologies in a vulnerability such as this overtime, as supply-chain software risks such as this historically trickle exposure in until a full picture is painted of the breadth of the problem.
Security Advisory(s):
https://www.mozilla.org/en-US/security/advisories/mfsa2023-40/
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2023-4863
https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html
CVE-2023-20269 | Cisco ASA & FTD Security Bypass
A vulnerability in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) could allow a remote attacker to establish an unauthorized VPN session. From the Cisco advisory on why it is exploitable:
“This vulnerability is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features. An attacker could exploit this vulnerability by specifying a default connection profile/tunnel group while conducting a brute force attack or while establishing a clientless SSL VPN session using valid credentials.”
The bug was disclosed to Cisco by Rapid7 as a 0-day, and currently there still only exists workarounds. Cisco’s primary recommendations surrounding the vulnerability while a fix is still being worked on are the following:
- Ensure you have VPN access limited by MFA. While attackers are finding ways to circumvent the control, Cisco advises that it significantly reduces the risk of complete takeover or successful ransomware attacks.
- Enable logging. This is a critical step for any network device, especially those that sort out authorization, like VPNs. The truth of what systems are up to is often in the logs.
While these steps may be obvious to many, the reminder of importance in MFA across multiple layers of your network, not just SSO, shine here. Rapid7’s report from August 29 speaks to the exploitation resulting in intrusions that attempt to deploy and execute Akira or Lockbit ransomware. See their post for more information on indicators of compromise, as well as further mitigation tips. For more information on the current workarounds and recommendation from Cisco, see the below advisory.
Security Advisory(s):
CVE-2023-36802 | Streaming Service Proxy Privilege Escalation
A vulnerability within the Streaming Service Proxy component of Microsoft Windows Server 2022 and earlier as well as multiple versions of Windows 10 & 11 could allow a local, authenticated attacker to escalate privileges. At time of writing, little information exists as to what steps an attacker must take to exploit this vulnerability, and evidence of active exploitation does not appear to be publicly available. Exploitation of the vulnerability would allow the attacker to escalate to SYSTEM privileges.
Security Advisory(s):
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36802
CVE-2023-36761 | Word Information Disclosure
A vulnerability affecting Microsoft Word 2016 and earlier could allow an attacker to disclose NTLM hashes. The Microsoft advisory states that the Preview Pane is an attack vector for this vulnerability, but does not state exactly how or what service’s preview pane can or can’t be exploited. An attacker would have to be locally logged on to the vulnerable machine to exploit this vulnerability.
The disclosing of NTLM hashes is nothing new as an information-disclosure risk, and many organizations have adopted detection or compensating controls to prevent this from being a dire situation. Since this vulnerability purely discloses the NTLM hashes to the attacker and nothing more, the risk can be considered lower. At time of writing, little information exists publicly as to the exploitation activity or any proof-of-concept code.
Security Advisory(s):
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36761
Meeting Owl Vulns | Why Can’t I Hold All These Security Bypasses?
Multiple security issues affecting Meeting Owl devices by Owl Labs were disclosed publicly in their patches released March of 2022. The vulnerabilities were ranging in severe security issues from a hardcoded backdoor access password (CVE-2022-31462) to the ability to turn the Meeting Owl itself into a rogue access point by forwarding traffic through it. Exploitation of these vulnerabilities would be trivial for an attacker within Bluetooth range of a vulnerable device, and some others added to the KEV painted enough of an information-exposure picture to be concerning. While any public information on how these vulnerabilities were exploited and ended up on the KEV does not exist currently, it is yet another opportunity for CISA to ensure through the KEV that even the smallest scoped vulnerabilities are prevented from being exposed to an attacker.
The Meeting Owl vulnerabilities were discovered by the Modzero team and reported in a PDF which you can view here. The timeline of events leaves little wiggle room for disappointment, as not only were these glaringly important security issues that affected a device used in meeting rooms all over the globe, but the vendor took over a month to respond to Modzero’s attempt to responsibly disclose. While this could have been for many reasons, it highlights an important lesson for leadership. Align your entire organization on vulnerability disclosure policies and playbooks, especially those that may be likely to receive such reports like help desk, IT support, marketing, legal, etc. Short descriptions about each CVE added to the KEV can be found below:
- CVE-2022-31459: Owl Labs Meeting Owl 5.2.0.15 allows attackers to retrieve the passcode hash via a certain c 10 value over Bluetooth.
- CVE-2022-31461: Owl Labs Meeting Owl 5.2.0.15 allows attackers to deactivate the passcode protection mechanism via a certain c 11 message.
- CVE-2022-31462: Owl Labs Meeting Owl 5.2.0.15 allows attackers to control the device via a backdoor password (derived from the serial number) that can be found in Bluetooth broadcast data.
- CVE-2022-31463: Owl Labs Meeting Owl 5.2.0.15 does not require a password for Bluetooth commands, because only client-side authentication is used.
https://resources.owllabs.com/blog/owl-labs-update#:~:text=Update%20as%20of%20June%2023%2C%202022
CVE-2023-28434 | MinIO Security Bypass
A vulnerability in MinIO could allow an authenticated attacker to upload objects to any bucket accessible via MinIO due to the PostPolicyBucket function bypassing bucket name checking. An attacker would first need to find proper arn:aws:s3:* permissions and also have enabled console API access which would allow for the remote code execution path to succeed. The vulnerability appears to be part of a known exploit chain involving CVE-2023-28432, which was discussed in our April 21 Breakdown post of this year. At the time, this vulnerability mostly shone a light on the usage of an older Docker container hosting a vulnerable version of MinIO in OpenAI’s example code. It was mostly seen for the risk in exposure of information and tossed to the side. What we see now is maturity in the identification of vectors post-information disclosure in which an attacker was able to bypass security functionality and achieve RCE.
At time of writing, there does not appear to exist publicly any information for achieving full RCE without first exploiting CVE-2023-28432. For an extensive look at the exploit chain, attacker infrastructure, and indicators of compromise surrounding the exploitation of CVE-2023-28434, see this report from Security Joes. So long as you have upgraded your MinIO beyond RELEASE.2023-03-20T20-16-18Z, the attacker would not be able to expose credentials from the /verify endpoint.
In totally unrelated news, Microsoft recently released a new version of their cloud storage threat matrix, which you can read more about here.
Security Advisory(s):
https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c
CVE-2023-35674 | Android Privilege Escalation
A vulnerability in Google Android Framework version 13 and earlier could allow a local attacker to escalate privileges. The 0-day was reported on September 5 by Google and addressed in the Android September security bulletin. It was noted in the security bulletin that CVE-2023-35674 was under limited, targeted exploitation. At time of writing, little information exists as to the steps an attacker would take to exploit the vulnerability, and to any proof-of-concept code.
Security Advisory(s):
https://source.android.com/docs/security/bulletin/2023-09-01
CVE-2023-26369 | Acrobate & Reader Code Execution
A vulnerability in Acrobat Reader versions 23.003.20284 (and earlier), 20.005.30516 (and earlier) and 20.005.30514 (and earlier) could allow an attacker to execute arbitrary code. This vulnerability affects Acrobat & Reader for both Windows and macOS. An attacker would have to convince a user to load a maliciously crafted PDF into Acrobat or Reader. Adobe noted in their advisory for the CVE that they were aware of reports that limited exploitation was occurring. At time of writing, there doesn’t appear to be exploit code or evidence of exploitation publicly available.
Security Advisory(s):
https://helpx.adobe.com/security/products/acrobat/apsb23-34.html
CVE-2022-22265 | Samsung Mobile Device Code Execution
A vulnerability in the NPU driver in SMR Jan-2022 Release 1 and earlier could allow a local, authenticated attacker to write arbitrary memory or execute code. A root-cause analysis was posted on behalf of Xingyu Jin on Google Project Zero’s blog. In the post, it is noted that the vulnerability was likely uncovered during analysis of CVE-2020-28343, as the exploit sample observed during the analysis of CVE-2022-22265 appeared to use modified PoC code from this vulnerability. Some other neat nuggets of information can be found within the blog around fuzzing, the exploit details itself and other next steps the author provides. As Maddie Stone points out on Twitter, the vulnerability was found by Google TAG as an in-the-wild exploit in early 2021.
Security Advisory(s):
https://source.android.com/docs/security/bulletin/2023-09-01
← September 11, 2023 CISA Kev Breakdown
Click here to expand our CISA KEV Breakdown Frequently Asked Questions
- What makes for a notable addition?
- A notable addition can arise from many different characteristics. If a particular vulnerability is notable to the security community or a subset of the security community or if the EPSS score reveals notable information about the vulnerability, this can constitute further analysis. It may also be the case that a particular vulnerability shines a light on everyday users and we will highlight important information and key takeaways to ensure users and readers have easy access to actionable information.
- When is the Breakdown released?
- We aim to have our analysis of each KEV update posted within 24 hours of the time in which the Catalog is updated. See CISA’s full catalog here
- I am not bound by BOD 22-01 or federal regulations, why should the KEV concern me?
- CISA encourages all organizations to utilize the Catalog as an attribute in your vulnerability prioritization framework. Organizations looking to lessen the scope on known dangerous vulnerabilities and make a goal to remediate them can understand where they currently stand against what CISA has confirmed as exploited vulnerabilities in the wild. See CISA’s section on “How should organizations use the KEV catalog?” here.
- What is EPSS?
- EPSS is the Exploit Prediction Scoring System. It is an open, data-driven effort for estimating the likelihood (probability) that a software vulnerability will be exploited in the wild. See the EPSS home page on FIRST for more information here.
- What is the difference between EPSS probability and EPSS percent?
- EPSS probability is the risk calculated by the model when determining the perceived threat of the vulnerability itself. Percentage is a relative comparison of the rest of the CVEs within the given sample. While the probability only changes upon refreshing the results from the model, the percentage can change purely based on the CVE sample given. In the case of the Breakdown, we use the percentage given by the pool of all CVEs with given EPSS data. Scores may vary post-release of the post given new information about the vulnerabilities and their perceived threat. For more information on applying and understanding EPSS data, see this article on the FIRST website, as well as their FAQ page.
- What is GreyNoise?
- GreyNoise is a platform that collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise. Through their sensor network, GreyNoise observes vulnerability exploitation attempts for vulnerabilities that are exploited in the wild over the Internet. These are arguably vulnerabilities that should be at the very top of your priority list to remediate.
- Why are GreyNoise exploitation attempts only observed on ~20% of KEV vulnerabilities?
- Exploitation of many vulnerabilities in the CISA KEV will not be observed for many reasons that GreyNoise does a good job of explaining in this post. For example:
- The vulnerability may not be remotely exploitable
- Vulnerability exploitation may require authentication (and result in privilege escalation)
- The impacted software may not be exposed to the internet
- Mass scanning/exploitation is not occurring yet
- Exploitation of many vulnerabilities in the CISA KEV will not be observed for many reasons that GreyNoise does a good job of explaining in this post. For example: