Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

CISA Adds Recent iOS, SonicWall Vulnerabilities to ‘Must Patch’ List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week announced the addition of eight more vulnerabilities to the list of security flaws known to be exploited in malicious attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week announced the addition of eight more vulnerabilities to the list of security flaws known to be exploited in malicious attacks.

Released in November 2021, CISA’s Known Exploited Vulnerabilities Catalog has more than 350 entries, and the agency is periodically adding new bugs.

On Monday, CISA expanded the list with both new and old security issues, including vulnerabilities recently patched in Apple iOS and SonicWall SMA 100 appliances.

Tracked as CVE-2022-22587, the iOS flaw is a memory corruption security defect impacting the oft-targeted iOS kernel extension IOMobileFrameBuffer that could be exploited to execute arbitrary code with kernel privileges.

Apple patched the vulnerability last week, with the release of iOS 15.3 and iPadOS 15.3. Right from the start, the Cupertino, Calif.-based tech giant warned that it received a report of this bug being exploited in malicious attacks.

[READ: CISA’s ‘Must Patch’ List Puts Spotlight on Vulnerability Management Processes]

The SonicWall Secure Mobile Access (SMA) 100 appliances vulnerability, which is tracked as CVE-2021-20038, was patched in December 2021. It is described as a critical-severity (CVSS score of 9.8) stack-based buffer overflow leading to complete device takeover.

At least one proof-of-concept (PoC) exploit was publicly available when the patch was released, and in-the-wild exploitation attempts were confirmed last week.

Federal agencies have until February 11 to apply the available fixes. As per BOD 22-01, which was published along CISA’s “Must Patch” list, federal agencies have to patch the issues in the catalog within a specific timeframe and to report on the status of the patches.

The remaining six vulnerabilities that CISA added to the list this week are older flaws affecting GNU Bash (CVE-2014-7169 and CVE-2014-6271), Microsoft Windows (CVE-2020-0787), Internet Explorer (CVE-2014-1776), Grandstream UCM6200 series (CVE-2020-5722), and Intel AMT, SBT, and Standard Manageability (CVE-2017-5689).

CISA gave federal organizations until July 11 to address these vulnerabilities within their environments. However, the agency told SecurityWeek that those organizations that fail to meet the established deadlines will not be penalized.

Furthermore, the agency clarified that the catalog was created to help organizations both patch high-risk flaws within their networks and to create and improve their vulnerability management processes.

Related: CISA Releases Final IPv6 Security Guidance for Federal Agencies

Related: CISA Expands ‘Must-Patch’ List With Log4j, FortiOS, Other Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.