CISA Detects Many New Cyber Security Vulnerabilities

Uploaded on 2022-07-11 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

Cyber security issues are becoming a day-to-day issue for businesses, and the latest cyber security statistics reveal a huge increase in hacked and breached data. Attacks are now increasingly common in the workplace on mobile and IoT devices.

“Organisations around the world responded to the threat of COVID-19 by implementing stay-at-home policies. This resulted in a dramatic increase in employees collaborating using Microsoft Office 365 and other cloud-based software, while also accessing more resources through company VPNs.,” according to the 2021 Data Risk Report from Varonis.

“The abrupt nature of this transition forced many companies to step into the cloud without proper cyber security preparedness, inadvertently increasing their attack surface as employees logged in through unsecured networks and home computers... The risk increases exponentially when companies have obvious gaps like passwords that never expire and folders containing sensitive data open to every employee.” Varonis said.

Now, the United States Cybersecurity and Infrastructure Agency (CISA) has added 36 new flaws to its catalog of vulnerabilities that are known to be exploited by cyber criminals. Flaws in Microsoft, Google, Adobe, Cisco, Netgear, QNAP and other products have been added to known exploited vulnerabilities catalog.

“CISA has added 36 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise."

The CISA Alert warns that the vulnerabilities are a frequent attack vector for malicious attackers and pose "significant risk". Organisations, particularly those associated with the US federal government, are urged to apply security updates as soon as possible.

"CISA strongly urges all organisations to reduce their exposure to cyberattacks by prioritising timely remediation of catalog vulnerabilities as part of their vulnerability management practice," said CISA.

Among the 36 vulnerabilities that have been added are vulnerabilities in software and products from Microsoft, Google, Adoble, Cisco, Netgear, QNAP and others. 

  • Microsoft:    Vulnerabilities in Microsoft products include CVE-2012-4969, a vulnerability in Internet Explorer that allows remote execution of code, and CVE-2013-1331, a buffer overflow vulnerability in Microsoft Office that allows cyber criminals to launch remote attacks.

CVE-2012-0151, a flaw in the Authenticode Signature Verification function in Microsoft Windows that allows user-assisted attackers to execute remote code, has also been added to the catalog.

  • Google:   The CISA alert also addresses several vulnerabilities in Google's Chromium V8 Engine, including CVE-2016-1646 and CVE-2016-5198, which allow remote attackers to cause a denial of service, as well as flaws like CVE-2018-17463 and CVE-2017-5070, which, if left unpatched, allow attackers to remotely execute code that they could exploit to access networks.
  • Adobe:   Several vulnerabilities in Adobe software have been added to the catalog, including CVE-2009-4324, a flaw in Adobe Acrobat and Reader, which allows remote attackers to execute code via a crafted PDF file, and CVE-2010-1297, a memory corruption vulnerability in Adobe Flash Player that allows remote attackers to execute code or cause denial of service.
  • Netgear:   Several flaws in routers and other Internet connected devices have also been added to CISA's catalog, including CVE-2017-6862, which is a buffer overflow vulnerability in multiple Netgear devices that allows for authentication bypass and remote code execution, and CVE-2019-15271, a flaw in Cisco RV series routers that could allow an attacker to execute code with root privileges.

CISA also warns about a number of vulnerabilities in QNAP products, including CVE-2019-7192, a flaw in QNAP Network Attached Storage (NAS) devices running Photo Station, which contains an improper access control vulnerability allowing remote attackers to gain unauthorised access to the system. 

The full list of all 36 vulnerabilities is detailed in CISA’s known exploited vulnerabilities catalog.and CISA strongly advise users to promptly apply updated patches as the best ways to stay protected from cyber attacks.

CISA:      CISA:      National Cybersecurity News:     ZDNet:      Varonis:     Forbes:  

You Might Also Read: 

CISA Detect Vulnerabilities In VMWare Products:

 

« Future Phishing Attacks Will Use Generative Machine Learning
Bluetooth Devices Can Covertly Track Mobile Users »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Renaissance

Renaissance

Renaissance is Ireland's premier value added distributor of IT security solutions and a leading independent provider of business continuity consultancy.

AllClear ID

AllClear ID

AllClear ID provides products and services that help protect people and their personal information from threats related to identity theft.

Managed Security Solutions (MSS)

Managed Security Solutions (MSS)

MSS deliver consultancy services and managed security services for IT departments who may lack the time, resources, or expertise themselves.

Sikur

Sikur

Sikur have developed a communication platform that sets new boundaries for corporate privacy and security.

Pryv

Pryv

Pryv is a Swissmade software for privacy, personal data collection, usage, sharing and storage.

BwCIRT

BwCIRT

BwCIRT is the Computer Incident Response Team (CIRT) for Botswana and provides an official point of contact for dealing with computer security incidents.

Google for Startups

Google for Startups

Google for Startups is Google’s initiative to help startups thrive across every corner of the world.

Accelerator Frankfurt

Accelerator Frankfurt

Accelerator Frankfurt is an independent go-to-market program focused on Fintech, Cybersecurity and Digital B2B startups.

ThriveDX

ThriveDX

ThriveDX, the world’s premier EdTech provider (formerly HackerU), champions digital transformation training as a means of empowering individuals to thrive in the age of digital disruption.

Securd

Securd

Securd takes opportunities away from your cyber adversaries. Cloud-delivered zero-trust DNS firewall and web filtering protection keep your business network and remote employees safe.

Quside

Quside

Quside, a spin-off from The Institute of Photonic Sciences in Barcelona, designs and manufactures innovative quantum technologies for a wide range of applications including cyber security.

r00tz Asylum

r00tz Asylum

r00tz Asylum is a nonprofit dedicated to teaching kids around the world how to love being white-hat hackers.

Capgemini

Capgemini

Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. Areas of expertise include Cybersecurity.

Bit Sentinel

Bit Sentinel

Bit Sentinel is an information security company. We help companies like yours discover, prioritize, and effectively remediate potential cybersecurity risks.

COGITANDA Dataprotect

COGITANDA Dataprotect

COGITANDA are a group of companies focused on dealing with cyber risks, managing them and insuring them.

Secolve

Secolve

Secolve is Australia’s next generation OT specialist cyber security firm, working with key industries to protect the nation’s critical infrastructure.