Google Chrome, D-Link bugs among twelve added to CISA’s list of known exploited vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) added twelve vulnerabilities to its catalog of known exploited bugs this week, highlighting several issues found in Google Chrome as well as tools from QNAP, D-Link, Apple, Oracle and more.
Federal civilian agencies have until September 29 to patch the vulnerabilities and as with all additions to the list, CISA said there is evidence of active exploitation.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise,” CISA said in its notice.
Several experts pointed to CVE-2022-3075 – a high-severity bug affecting web browsers that utilize Chromium like Google Chrome and Microsoft Edge – as the most serious of the additions due to its ubiquity.
CISA explained that Google Chromium Mojo “contains an insufficient data validation vulnerability” but noted that the impacts from exploitation “are not yet known.”
Despite how widespread it might be, several experts said Google makes it relatively easy to update Chrome, reducing the likelihood of rampant abuse.
Qualys security engineer Saeed Abbasi told The Record that attention will focus around the Chrome bug because it is of extremely high severity and because it is known to be actively exploited in the wild.
“With over 65% of internet users browsing via Chrome, the scope and scale of risk that a vulnerability like this presents is massive,” Abbasi said.
“While users are grateful for the urgent patch released by Google, it came to fruition just before the Labor Day weekend holiday, when many IT and cybersecurity staffers were on vacation and unable to respond in a timely manner.”
Abbasi added that the rate at which Google has disclosed vulnerabilities — a reflection of the speed at which they are weaponized — is overwhelming security teams. This is the sixth zero-day Google has patched in 2022.
“Paired with the severe talent shortage, these pain points could be detrimental to businesses,” Abbasi said.
Ryan Cribelar, vulnerability research engineer at Nucleus Security, agreed that CVE-2022-3075 has the widest potential reach in this round of additions to CISA’s list.
“Not only did this vulnerability affect a fresh version of Chrome right off of a large security update, but it was also given its own emergency update cycle and pushed out with a warning from Google to get on version 105.0.5195.102,” he said. Cribelar also spotlighted several other additions to the list that concerned him, including CVE-2018-2628 — a bug targeting the often-compromised Oracle WebLogic.
Cribelar said it was the only one of the vulnerabilities that security research company GreyNoise had observed being actively and opportunistically scanned for on the internet.
“The Oracle WebLogic CVE-2018-2628 RCE is also a widespread and reoccurring issue in that WebLogic servers are ripe in opportunity for attackers to install things such as cryptominers,” he explained. “It is often that WebLogic servers are capable of consuming a ton of resources in an environment. This is what makes it a great target candidate for such activity.”
Vulcan Cyber’s Mike Parkin said that the Apple vulnerability — CVE-2020-9934 — was also an issue because of the widespread use of Apple iOS, iPadOS, and macOS.
Like Google, however, Apple offers paths to automatically update vulnerable versions, Parkin noted.
One of the listed vulnerabilities affects QNAP’s Photo Station tool and was warned about last week by the company, which told users not to connect the product directly to the internet.
QNAP released the warning following the most recent spate of Deadbolt ransomware attacks over the Labor Day long weekend. Deadbolt ransomware actors have repeatedly targeted QNAP network-attached storage devices connected to the internet.
“The lesson from this one is to look from time to time at your scans of Internet-facing devices, ignoring the vulnerabilities, and just looking at the devices themselves. Look for something that shouldn’t be there,” Cribelar said.
“And if you find something that shouldn’t be there, get it out of there before you end up with a bigger problem.”
One of the other major trends Cribelar referenced was the prevalence of end-of-life software. The latest additions to CISA’s list include multiple vulnerabilities affecting D-Link routers that were end-of-life, meaning the company would no longer be servicing them. In April, CISA added several bugs found in such routers.
Cribelar lauded the agency for adding the bugs, knowing that end-of-life products are often still utilized in many environments.
“Those who have been in this situation often understand when some end-of-life devices/software are still in use in an environment, but it has to be clear that the plan to move away from this must continue to stay in motion,” he said.