CISA Detects Many New Cyber Security Vulnerabilities

Cyber security issues are becoming a day-to-day issue for businesses, and the latest cyber security statistics reveal a huge increase in hacked and breached data. Attacks are now increasingly common in the workplace on mobile and IoT devices.

“Organisations around the world responded to the threat of COVID-19 by implementing stay-at-home policies. This resulted in a dramatic increase in employees collaborating using Microsoft Office 365 and other cloud-based software, while also accessing more resources through company VPNs.,” according to the 2021 Data Risk Report from Varonis.

“The abrupt nature of this transition forced many companies to step into the cloud without proper cyber security preparedness, inadvertently increasing their attack surface as employees logged in through unsecured networks and home computers... The risk increases exponentially when companies have obvious gaps like passwords that never expire and folders containing sensitive data open to every employee.” Varonis said.

Now, the United States Cybersecurity and Infrastructure Agency (CISA) has added 36 new flaws to its catalog of vulnerabilities that are known to be exploited by cyber criminals. Flaws in Microsoft, Google, Adobe, Cisco, Netgear, QNAP and other products have been added to known exploited vulnerabilities catalog.

“CISA has added 36 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise."

The CISA Alert warns that the vulnerabilities are a frequent attack vector for malicious attackers and pose "significant risk". Organisations, particularly those associated with the US federal government, are urged to apply security updates as soon as possible.

"CISA strongly urges all organisations to reduce their exposure to cyberattacks by prioritising timely remediation of catalog vulnerabilities as part of their vulnerability management practice," said CISA.

Among the 36 vulnerabilities that have been added are vulnerabilities in software and products from Microsoft, Google, Adoble, Cisco, Netgear, QNAP and others. 

  • Microsoft:    Vulnerabilities in Microsoft products include CVE-2012-4969, a vulnerability in Internet Explorer that allows remote execution of code, and CVE-2013-1331, a buffer overflow vulnerability in Microsoft Office that allows cyber criminals to launch remote attacks.

CVE-2012-0151, a flaw in the Authenticode Signature Verification function in Microsoft Windows that allows user-assisted attackers to execute remote code, has also been added to the catalog.

  • Google:   The CISA alert also addresses several vulnerabilities in Google's Chromium V8 Engine, including CVE-2016-1646 and CVE-2016-5198, which allow remote attackers to cause a denial of service, as well as flaws like CVE-2018-17463 and CVE-2017-5070, which, if left unpatched, allow attackers to remotely execute code that they could exploit to access networks.
  • Adobe:   Several vulnerabilities in Adobe software have been added to the catalog, including CVE-2009-4324, a flaw in Adobe Acrobat and Reader, which allows remote attackers to execute code via a crafted PDF file, and CVE-2010-1297, a memory corruption vulnerability in Adobe Flash Player that allows remote attackers to execute code or cause denial of service.
  • Netgear:   Several flaws in routers and other Internet connected devices have also been added to CISA's catalog, including CVE-2017-6862, which is a buffer overflow vulnerability in multiple Netgear devices that allows for authentication bypass and remote code execution, and CVE-2019-15271, a flaw in Cisco RV series routers that could allow an attacker to execute code with root privileges.

CISA also warns about a number of vulnerabilities in QNAP products, including CVE-2019-7192, a flaw in QNAP Network Attached Storage (NAS) devices running Photo Station, which contains an improper access control vulnerability allowing remote attackers to gain unauthorised access to the system. 

The full list of all 36 vulnerabilities is detailed in CISA’s known exploited vulnerabilities catalog.and CISA strongly advise users to promptly apply updated patches as the best ways to stay protected from cyber attacks.

CISA:      CISA:      National Cybersecurity News:     ZDNet:      Varonis:     Forbes:  

You Might Also Read: 

CISA Detect Vulnerabilities In VMWare Products:

 

« Future Phishing Attacks Will Use Generative Machine Learning
Bluetooth Devices Can Covertly Track Mobile Users »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Me Learning

Me Learning

Me Learning provides engaging, informative and clearly explained learning materials for complex and challenging professional environments in areas including GDPR and Information Governance.

CS3STHLM

CS3STHLM

CS3STHLM is the Stockholm international summit on Cyber Security in SCADA and Industrial Control Systems.

GrrCON

GrrCON

GrrCON is an information security and hacking conference that provides the Midwest InfoSec community with a fun atmosphere to come together and engage with like minded people.

Vilnius Tech Park

Vilnius Tech Park

The region‘s most complex and integrated ICT hub, Vilnius Tech Park aims to attract and unite innovative talent from big data, cyber security, smart solutions, fintech and digital design.

Cythereal

Cythereal

Cythereal is the leader in predicting and preventing advanced malware attacks. Security Automation for the Overwhelmed Administrator.

Kordia

Kordia

Kordia is a leading provider of mission-critical technology solutions throughout Australasia. We have the most comprehensive cyber security offering in New Zealand.

BitTrap

BitTrap

BitTrap helps companies worldwide detect attackers and put an early end to breaches, preventing data exfiltration and ransomware altogether.

Nine23

Nine23

Nine23 are a highly focused cyber security solutions company that defines, builds and manages innovative services, enabling end-users to use technology securely in today’s workplace.

inWebo

inWebo

inWebo is the specialist in multi-factor strong authentication (MFA). We guarantee the security of data and identities in a digital world with increasingly important economic and political stakes.

ATHENE National Research Center For Applied Cybersecurity

ATHENE National Research Center For Applied Cybersecurity

ATHENE is the largest research center for cybersecurity and privacy in Europe, conducting application-oriented top-level research for the benefit of the economy, society and the state.

SoftForum

SoftForum

SoftForum is a company specializing in next-generation information security solutions in the Quantum-Resistant-Cryptography (PQC) field.

endpointX

endpointX

endpointX is a preventative cyber security company. We help companies minimize their risk of breach by improving cyber hygiene.

Brunswick Group

Brunswick Group

Brunswick is a critical issues firm. We advise the world’s leading companies on how to navigate the critical issues they face and engage with their critical stakeholders.

Northern Computer

Northern Computer

Northern Computer provides comprehensive IT solutions that streamline your operations and help you achieve your business goals.

Cyber Security Global

Cyber Security Global

Cyber Security Global is a leader in electronic security, consultancy, technology, cybersecurity solutions, training, and specialized products.

NetAlly

NetAlly

NetAlly network test solutions help engineers and technicians better deploy, manage, maintain, and secure today’s complex wired and wireless networks.