The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added 10 new actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including a high-severity security flaw affecting industrial automation software from Delta Electronics.
The issue, tracked as CVE-2021-38406 (CVSS score: 7.8), impacts DOPSoft 2 versions 2.00.07 and prior. A successful exploitation of the flaw may lead to arbitrary code execution.
“Delta Electronics DOPSoft 2 lacks proper validation of user-supplied data when parsing specific project files (improper input validation) resulting in an out-of-bounds write that allows for code execution,” CISA said in an alert.
It’s worth noting that CVE-2021-38406 was originally disclosed as part of an industrial control systems (ICS) advisory published in September 2021.
However, there are no patches that address the vulnerability, with CISA noting that the “impacted product is end-of-life and should be disconnected if still in use.” Federal Civilian Executive Branch (FCEB) agencies are mandated to follow the guideline by September 15, 2022.
Not much information is available about the nature of the attacks that exploit the security bug, but a recent report from Palo Alto Networks Unit 42 pointed out instances of in-the-wild attacks leveraging the flaw between February and April 2022.
The development adds weight to the notion that adversaries are getting faster at exploiting newly published vulnerabilities when they are first disclosed, leading to indiscriminate and opportunistic scanning attempts that aim to take advantage of delayed patching.
These attacks often follow a specific sequence for exploitation that involves web shells, crypto miners, botnets, and remote access trojans (RATs), followed by initial access brokers (IABs) that then pave the way for ransomware.
Among other actively exploited flaws added to the list are as follows –
- CVE-2022-26352 – dotCMS Unrestricted Upload of File Vulnerability
- CVE-2022-24706 – Apache CouchDB Insecure Default Initialization of Resource Vulnerability
- CVE-2022-24112 – Apache APISIX Authentication Bypass Vulnerability
- CVE-2022-22963 – VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability
- CVE-2022-2294 – WebRTC Heap Buffer Overflow Vulnerability
- CVE-2021-39226 – Grafana Authentication Bypass Vulnerability
- CVE-2020-36193 – PEAR Archive_Tar Improper Link Resolution Vulnerability
- CVE-2020-28949 – PEAR Archive_Tar Deserialization of Untrusted Data Vulnerability
iOS and macOS flaw added to the list
Another high-severity flaw added to the KEV Catalog is CVE-2021-31010 (CVSS score: 7.5), a deserialization issue in Apple’s Core Telephony component that could be leveraged to circumvent sandbox restrictions.
The tech giant addressed the shortcoming in iOS 12.5.5, iOS 14.8, iPadOS 14.8, macOS Big Sur 11.6 (and Security Update 2021-005 Catalina), and watchOS 7.6.2 released in September 2021.
While there were no indications that the flaw was being exploited at the time, the tech giant appears to have silently revised its advisories on May 25, 2022 to add the vulnerability and confirm that it had indeed been abused in attacks.
“Apple was aware of a report that this issue may have been actively exploited at the time of release,” the iPhone maker noted, crediting Citizen Lab and Google Project Zero for the discovery.
The September update is also notable for remediating CVE-2021-30858 and CVE-2021-30860, both of which were employed by NSO Group, the makers of the Pegasus spyware, to get around the operating systems’ security features.
This raises the possibility that CVE-2021-31010 may have been stringed together with the aforementioned two flaws in an attack chain to escape the sandbox and achieve arbitrary code execution.