cisa-logos

CISA adds Google, Microsoft and QNAP bugs to exploited vulnerabilities list

CISA added eight vulnerabilities to its catalog of exploited bugs on Monday, with each given a remediation date of May 2.

All of the issues have patches or updates available except for CVE-2021-27852 – a deserialization of untrusted data vulnerability affecting Checkbox, a digital survey tool. Versions 7 and later of Checkbox Survey are not considered vulnerable to the issue but Version 6 and earlier are end-of-life and must be removed from agency networks, according to CISA.

2022-04-Screen-Shot-2022-04-12-at-1.46.14-PM-1024x724.png

2022-04-Screen-Shot-2022-04-12-at-1.46.32-PM-1024x210.png

CVE-2022-23176 concerns a privilege escalation vulnerability in WatchGuard Firebox and XTM appliances that allows remote attackers with unprivileged credentials to access the system with a privileged management session via exposed management access.

According to Ars Technica, WatchGuard fixed the issue in May 2021 but said they would not share technical details about it in order to keep threat actors from finding it. The vulnerability has a severity rating of 8.8 and WatchGuard faced significant backlash from security researchers because they waited months to give it a CVE. 

Last week, the vulnerability was implicated in a widespread botnet campaign disrupted by several US law enforcement agencies, bringing into question WatchGuard’s decision to effectively hide the vulnerability until this year. WatchGuard has estimated that the number of infected systems hovered around 250 devices.

The Microsoft issues – CVE-2021-42287 and CVE-2021-42278 – also concern privilege escalation vulnerabilities affecting Microsoft Active Directory Domain Services.

Google’s CVE-2021-39793 – patched in March – affects Pixel devices and patches address an out-of-bounds write vulnerability “due to a logic error in the code that could lead to local escalation of privilege.”

The Linux vulnerability, CVE-2021-22600, involves a privilege escalation vulnerability in the packet socket implementation which could lead to incorrectly freeing memory. “A local user could exploit this for denial-of-service or possibly for privilege escalation,” CISA said. 

CVE-2020-2509 concerns a QNAP zero-day vulnerability patched in April 2021. The command injection vulnerability, which affects legacy QNAP Systems storage hardware, could allow attackers to perform remote code execution.

Telerik’s vulnerability – CVE-2017-11317 – affects the Telerik UI for ASP.NET AJAX. It allows remote attackers to perform arbitrary file uploads or execute arbitrary code.

CISA has added 15 vulnerabilities to its catalog in April.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Dina Temple-Raston

Dina Temple-Raston

is the Host and Managing Editor of the Click Here podcast as well as a senior correspondent at Recorded Future News. She previously served on NPR’s Investigations team focusing on breaking news stories and national security, technology, and social justice and hosted and created the award-winning Audible Podcast “What Were You Thinking.”