
CISA Adds 7 New Actively Exploited Vulnerabilities to Catalog

Actively Exploited Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday moved to add a critical SAP security flaw[1] to its Known Exploited Vulnerabilities Catalog[2], based on evidence of active exploitation.

The issue in question is CVE-2022-22536[3], which has received the
highest possible risk score of 10.0 on the CVSS vulnerability
scoring system and was addressed by SAP as part of its Patch
Tuesday updates for February 2022.


Described as an HTTP request smuggling vulnerability, the
shortcoming impacts the following product versions –

  • SAP Web Dispatcher (Versions – 7.49, 7.53, 7.77, 7.81, 7.85,
    7.22EXT, 7.86, 7.87)
  • SAP Content Server (Version – 7.53)
  • SAP NetWeaver and ABAP Platform (Versions – KERNEL 7.22, 8.04,
    7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22,
    7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49)

“An unauthenticated attacker can prepend a victim’s request with
arbitrary data, allowing for function execution impersonating the
victim or poisoning intermediary web caches,” CISA said in an
alert.

“A simple HTTP request, indistinguishable from any other valid
message and without any kind of authentication, is enough for a
successful exploitation,” Onapsis, which discovered[4]
the flaw, notes[5]. “Consequently, this
makes it easy for attackers to exploit it and more challenging for
security technology such as firewalls or IDS/IPS to detect it (as
it does not present a malicious payload).”

Additionally, the agency has added new flaws disclosed by Apple (CVE-2022-32893 and CVE-2022-32894[6]) and Google (CVE-2022-2856[7]) this week, as well as previously documented Microsoft-related bugs (CVE-2022-21971[8] and CVE-2022-26923[9]) and a remote code execution vulnerability in Palo Alto Networks PAN-OS (CVE-2017-15944[10], CVSS score: 9.8) that was disclosed in 2017.


CVE-2022-21971 (CVSS score: 7.8) is a remote code execution
vulnerability in Windows Runtime that was resolved by Microsoft in
February 2022. CVE-2022-26923 (CVSS score: 8.8), fixed in May 2022,
relates to a privilege escalation flaw in Active Directory Domain
Services.

“An authenticated user could manipulate attributes on computer
accounts they own or manage, and acquire a certificate from Active
Directory Certificate Services that would allow elevation of
privilege to System,” Microsoft describes in its advisory for
CVE-2022-26923.

The CISA notification, as is traditionally the case, is light on
technical details of in-the-wild attacks associated with the
vulnerabilities to avoid threat actors taking further advantage of
them.

To mitigate exposure to potential threats, Federal Civilian
Executive Branch (FCEB) agencies are mandated to apply the relevant
patches by September 8, 2022.
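The catalog additions above come with a fixed remediation due date, and the practical question for a defender is which hosts still carry a KEV-listed CVE and how far past that date they are. The following is an added example, not code from the article or from CISA: it checks a constructed asset inventory against KEV-style entries (the field names follow the catalog's published JSON schema; the entry text and the hosts are constructed) and ranks findings by days left until the due date.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed: the field names follow the
# catalog schema, but the entry text is abbreviated here, not CISA's wording.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2022-22536", "vendorProject": "SAP", "product": "Multiple Products",
     "dateAdded": "2022-08-18", "dueDate": "2022-09-08",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2022-26923", "vendorProject": "Microsoft", "product": "Active Directory",
     "dateAdded": "2022-08-18", "dueDate": "2022-09-08",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2017-15944", "vendorProject": "Palo Alto Networks", "product": "PAN-OS",
     "dateAdded": "2022-08-18", "dueDate": "2022-09-08",
     "requiredAction": "Apply updates per vendor instructions."},
]})

# Constructed inventory: host -> CVE IDs a scanner still reports as unpatched.
INVENTORY = {
    "sap-wd-01": ["CVE-2022-22536", "CVE-2099-00001"],  # second ID is not in KEV
    "dc-01": ["CVE-2022-26923"],
    "fw-edge": [],
}

def load_kev(kev_json):
    """Index KEV entries by CVE ID, parsing dueDate into a date object."""
    entries = json.loads(kev_json)["vulnerabilities"]
    return {e["cveID"]: {**e, "dueDate": date.fromisoformat(e["dueDate"])} for e in entries}

def kev_findings(kev_json, inventory, today):
    """One finding per (host, CVE) pair present in KEV, with days_left until the BOD 22-01
    due date (negative = overdue), most overdue first. `today` is an ISO date string."""
    kev = load_kev(kev_json)
    today_d = date.fromisoformat(today)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # still a vulnerability, but not one with a KEV deadline
            findings.append({"host": host, "cve": cve, "vendor": entry["vendorProject"],
                             "due": entry["dueDate"].isoformat(),
                             "days_left": (entry["dueDate"] - today_d).days})
    return sorted(findings, key=lambda f: f["days_left"])

def overdue(kev_json, inventory, today):
    """Findings whose KEV due date has already passed as of `today`."""
    return [f for f in kev_findings(kev_json, inventory, today) if f["days_left"] < 0]
```

Against the real feed, replace KEV_SAMPLE with the downloaded catalog JSON and INVENTORY with scanner output; the CVE IDs that are not in the catalog are deliberately dropped so the list reflects only the deadline-bearing entries.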

References

  1. critical SAP security flaw (www.cisa.gov)
  2. Known Exploited Vulnerabilities Catalog (www.cisa.gov)
  3. CVE-2022-22536 (dam.sap.com)
  4. discovered (onapsis.com)
  5. notes (onapsis.com)
  6. CVE-2022-32893 and CVE-2022-32894 (thehackernews.com)
  7. CVE-2022-2856 (thehackernews.com)
  8. CVE-2022-21971 (msrc.microsoft.com)
  9. CVE-2022-26923 (msrc.microsoft.com)
  10. CVE-2017-15944 (nvd.nist.gov)
