The US Cybersecurity and Infrastructure Security Agency (CISA) on Friday added 10 new actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including a high-severity security flaw that affects industrial automation software from Delta Electronics.
The issue, tracked as CVE-2021-38406 (CVSS score: 7.8), affects DOPSoft 2 versions 2.00.07 and earlier. Successful exploitation of the flaw could lead to arbitrary code execution.
“Delta Electronics DOPSoft 2 lacks proper validation of user-supplied data when parsing certain project files (incorrect input validation) resulting in an out-of-bounds write that allows code execution,” CISA said in an alert.
It’s worth noting that CVE-2021-38406 was originally disclosed in an Industrial Control Systems (ICS) advisory published in September 2021.
However, there are no patches that address the vulnerability, with CISA noting that “the affected product is end-of-life and should be removed if still in use.” Federal Civilian Executive Branch (FCEB) agencies are mandated to follow the guidance by September 15, 2022.
Not much information is available about the nature of attacks exploiting the security flaw, but a recent report from Palo Alto Networks Unit 42 noted instances of in-the-wild attacks exploiting the flaw between February and April 2022.
The development adds weight to the notion that adversaries are becoming faster at exploiting vulnerabilities as soon as they are published, leading to indiscriminate and opportunistic scanning efforts aimed at taking advantage of delayed patching.
These attacks often follow a specific exploit sequence that includes web shells, cryptominers, botnets, and remote access trojans (RATs), followed by initial access brokers (IABs) that then pave the way for ransomware.
Among the other actively exploited flaws added to the list are the following –
- CVE-2022-26352 – dotCMS unrestricted file upload vulnerability
- CVE-2022-24706 – Apache CouchDB Insecure default initialization of resources vulnerability
- CVE-2022-24112 – Apache APISIX authentication bypass vulnerability
- CVE-2022-22963 – VMware Tanzu Spring Cloud Function remote code execution vulnerability
- CVE-2022-2294 – WebRTC heap buffer overflow vulnerability
- CVE-2021-39226 – Grafana authentication bypass vulnerability
- CVE-2020-36193 – PEAR Archive_Tar improper link resolution vulnerability
- CVE-2020-28949 – PEAR Archive_Tar Untrusted data deserialization vulnerability
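The practical consequence of a KEV addition is a remediation deadline: a finding that matches a catalogued CVE outranks everything else, and the due date (September 15, 2022 for this batch) tells you whether it is already overdue. The script below is an added example written for this article, not code from CISA or Delta Electronics. It cross-references constructed vulnerability-scanner findings against a constructed excerpt of a KEV-style feed, flags which findings are in the catalog, computes days remaining against the due date, and applies the "2.00.07 and earlier" version range stated above for DOPSoft 2. The feed field names (`cveID`, `vendorProject`, `product`, `dueDate`, `requiredAction`) follow the layout of CISA's published KEV JSON as an assumption; all asset names, versions and the `CVE-0000-00000` placeholder are made up.

```python
import json
from datetime import date

# Constructed excerpt of a KEV-style feed. Field names are assumed to match
# CISA's KEV JSON layout; the entries below are sample data, not the live catalog.
# Due date 2022-09-15 and the DOPSoft 2 required action are as stated in the article.
KEV_FEED_JSON = """
{
  "title": "CONSTRUCTED KEV EXCERPT (example data)",
  "vulnerabilities": [
    {"cveID": "CVE-2021-38406", "vendorProject": "Delta Electronics", "product": "DOPSoft 2",
     "vulnerabilityName": "Delta Electronics DOPSoft 2 Out-of-Bounds Write Vulnerability",
     "dueDate": "2022-09-15",
     "requiredAction": "The affected product is end-of-life and should be removed if still in use."},
    {"cveID": "CVE-2021-39226", "vendorProject": "Grafana Labs", "product": "Grafana",
     "vulnerabilityName": "Grafana Authentication Bypass Vulnerability",
     "dueDate": "2022-09-15",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
"""

# Constructed scanner output: one row per (asset, CVE). The last row uses an
# obviously fake placeholder CVE that is not in the catalog.
SCAN_FINDINGS = [
    {"asset": "hmi-plant-01", "cve": "CVE-2021-38406", "product": "DOPSoft 2", "version": "2.00.07"},
    {"asset": "mon-01", "cve": "CVE-2021-39226", "product": "Grafana", "version": "8.1.0"},
    {"asset": "web-03", "cve": "CVE-0000-00000", "product": "placeholder-app", "version": "1.0"},
]


def load_kev(feed_json: str) -> dict:
    """Index a KEV-style feed by CVE ID for O(1) lookups."""
    data = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def version_tuple(version: str) -> tuple:
    """Turn '2.00.07' into (2, 0, 7) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def dopsoft2_affected(version: str) -> bool:
    """Affected range stated in the article: DOPSoft 2 versions 2.00.07 and earlier."""
    return version_tuple(version) <= (2, 0, 7)


def triage(findings: list, kev: dict, today: date) -> list:
    """Annotate each finding with KEV membership and deadline status, KEV-first."""
    results = []
    for finding in findings:
        entry = kev.get(finding["cve"])
        if entry is None:
            results.append({**finding, "kev": False, "overdue": False,
                            "days_left": None, "action": None})
            continue
        due = date.fromisoformat(entry["dueDate"])
        results.append({**finding, "kev": True, "overdue": today > due,
                        "days_left": (due - today).days,
                        "action": entry["requiredAction"]})
    # Catalogued CVEs first, then the ones with the least time left (or most overdue).
    results.sort(key=lambda r: (not r["kev"],
                                r["days_left"] if r["days_left"] is not None else 10**6))
    return results


if __name__ == "__main__":
    catalog = load_kev(KEV_FEED_JSON)
    for row in triage(SCAN_FINDINGS, catalog, date(2022, 9, 20)):
        status = "KEV" if row["kev"] else "not in KEV"
        deadline = f"{row['days_left']:+d} days" if row["kev"] else "-"
        print(f"{row['asset']:<14} {row['cve']:<16} {status:<10} {deadline:<10} {row['action'] or ''}")
```

Run against your real scanner export and the live KEV feed, the same logic gives you the list that actually has a regulatory clock on it; the end-of-life case (DOPSoft 2) surfaces with "remove" as the required action rather than a patch, which is the detail that gets lost when triage is driven by CVSS score alone.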
iOS and macOS flaw also added to the list
Another high-severity bug added to the KEV Catalog is CVE-2021-31010 (CVSS score: 7.5), a deserialization issue in Apple’s Core Telephony component that can be used to bypass sandbox restrictions.
The tech giant addressed the flaw in iOS 12.5.5, iOS 14.8, iPadOS 14.8, macOS Big Sur 11.6 (and Security Update 2021-005 Catalina) and watchOS 7.6.2, released in September 2021.
While there were no indications that the flaw was being exploited at the time, the tech giant appears to have quietly revised its advisory on May 25, 2022 to add the vulnerability and confirm that it had indeed been exploited in attacks.
“Apple was aware of a report that this issue may have been actively exploited at the time of release,” the iPhone maker noted, crediting Citizen Lab and Google’s Project Zero for the discovery.
The September update is also notable for fixing CVE-2021-30858 and CVE-2021-30860, both of which were used by NSO Group, maker of the Pegasus spyware, to bypass operating system security features.
This raises the possibility that CVE-2021-31010 may have joined the two aforementioned flaws in an attack chain to escape the sandbox and achieve arbitrary code execution.