US Adds 17 Exploited Bugs to "Must Patch" List

A US government’s security agency has added 17 vulnerabilities currently being actively exploited in the wild to a database of bugs that federal agencies must fix.

The Known Exploited Vulnerabilities Catalog was launched in November last year as part of Binding Operational Directive (BOD) 22-01, designed to make civilian federal government agencies more cyber-resilient.

An initial list of just over 300 CVEs, some of which dated as far back as 2010, has been steadily added to since. The latest update includes vulnerabilities that could be exploited for various ends, including denial of service, privilege escalation, authentication bypass and information disclosure.

Attackers are using them to steal information and credentials, execute malware, access networks and more.

Among the most interesting are CVE-2021-32648, which came to light last week and is an improper authentication flaw in the October CMS. It was exploited in a wide-ranging campaign to hijack and deface Ukrainian government websites.

Another is CVE-2021-35247, listed as an improper input validation vulnerability in SolarWinds Serv-U file servers.

Microsoft researchers discovered it being exploited in Log4j attacks in an attempt to compromise Windows domain controllers. Such attacks failed because Windows domain controllers aren’t vulnerable to Log4Shell.

However, it must be patched by February 4, according to the order from the Cybersecurity and Infrastructure Security Agency (CISA).

There’s an even tighter time frame for CVE-2021-32648 and eight other CVEs listed: these must be fixed by February 1. The remaining seven bugs must be patched by July, according to the update.

While the BOD to patch any vulnerabilities added to the database is only mandatory for civilian federal agencies, the government wants other organizations to follow the same rules.

“While this directive applies to federal civilian agencies, we know that organizations across the country, including critical infrastructure entities, are targeted using these same vulnerabilities,” it said back in November.

“It is therefore critical that every organization adopt this directive and prioritize mitigation of vulnerabilities listed in CISA’s public catalog.”

What’s Hot on Infosecurity Magazine?