CISA adds Owl Labs, Samsung, Realtek bugs to exploited vulnerability list

The Cybersecurity and Infrastructure Security Agency (CISA) added eight bugs on Monday and another on Tuesday to its list of known exploited vulnerabilities, giving federal civilian agencies three weeks to patch the issues which affect products from MinIO, Samsung, Realtek, Zyxel, Laravel and Owl Labs.

Cybersecurity experts focused in on the vulnerabilities affecting Owl Labs, which made up nearly half of the new additions.

Owl Labs produces smart devices that enable video conferencing and more. All four vulnerabilities – CVE-2022-31459, CVE-2022-31461, CVE-2022-31462, and CVE-2022-31463 – affect the company’s Meeting Owl product, which is placed in meeting rooms and comes with a camera, speaker and microphone.

When asked about whether they knew their products were attacked or exploited, an Owl Labs spokesperson disputed the addition to the list and said they have not heard from CISA about why these vulnerabilities were added to the catalog.

"We have not seen any evidence of attacks or exploitation, and customers have not reported anything to us,” a spokesperson told Recorded Future News.

“We were surprised to find the advisories online yesterday as we have not been notified about anything on this matter, and all the vulnerabilities referenced were resolved with our software updates in 2022. We've reached out to CISA for further explanation but we have not yet received a response.”

CISA did not respond to requests for comment for this story.

Ryan Cribelar, vulnerability research engineer at Nucleus Security, said that in looking into the issues, he found a report released by the experts who discovered the Owl Labs vulnerabilities.

The report, from Modzero, said they disclosed the issues to Owl Labs on January 19, 2022 and didn’t hear back from the company until February 28. The fixes were eventually applied in the middle of March 2022.

“This definitely doesn’t give Owl Labs the best look, to find such egregious security issues like the hardcoded password (CVE-2022-31462), or the fact that it allows for forwarding of traffic through it, essentially begging for a bored attacker to make it a rogue access point, and then to clearly show little regard for the (responsible!) disclosure being attempted by Modzero,” Cribelar said.

“One of the other issues also related to abusing access to Owl Lab’s own AWS environment, meaning that these same bored attackers could theoretically have price-jacked the crap out of Owl Labs cloud costs. I’m sure Owl Labs would prefer the disclosure in the form of Modzero’s communication, and not a sudden $20k upward cost in cloud spending.”

Cribelar went on to say the Owl Labs response should be a lesson to other manufacturers – who he said need to think about what team is responsible for dealing with vulnerabilities disclosures.

He noted that in Owl Labs' own report in November 2022, the company claimed its own researchers discovered the issue. Although he said he wasn’t aware of any exploitation evidence, CISA might have wanted to ensure “that these really simple security issues were fixed.”

John Gallagher, vice president at security firm Viakoo Labs, said the Meeting Owl product was the perfect IoT security case study because like many products, security “was either an afterthought or consciously neglected in order to meet time to market pressures.”

He warned that the vulnerabilities added to CISA’s list allowed for data exfiltration, personal information theft, and the ability to find and impact other devices on the network.

“Leveraging the Meeting Owl’s use of the interprocess communication channel allows it to interact with other devices on the network, and the ability to turn the device into a rogue access point into an organization’s network are both examples of how the native communication capabilities of IoT devices can be used for more devastating attacks,” he said.

‘Mountains upon mountains’

Gallagher explained that the Owl Labs’ additions and several others were an example of the now rampant issue of insecure IoT devices being adopted by government agencies and businesses.

He noted that the Realtek vulnerability – CVE-2014-8361 – is particularly troubling because its chipsets are present in multiple products, meaning multiple vendors will have to issue patches and end users will have to patch each product containing Realtek chips.

Cribelar said there are “mountains upon mountains of data that exist which point to exploitation of these vulnerabilities.” The issues added have long been exploited by hackers and CISA is likely glad that they can add the vulnerabilities to the list that will force agencies to take action.

“Many in the community are already aware of that activity, and CISA is going to look odd sometimes for additions like these, however it still sets a better precedent for the folks bound by the KEV’s power than CISA has had in the past,” he said.

“I’m sure it's something they have in the past used to direct patching initiatives to align with their observations of security events to ensure the federal space is aligned in protection from a certain issue. The Ignition vuln that got added makes me think of it in this light as well. Knowingly exploited, but there could be technical debt left out there to solve.”