CISA Adds Recent iOS, SonicWall Vulnerabilities to ‘Must Patch’ List

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) this week announced the addition of eight more vulnerabilities to the list of security flaws known to be exploited in malicious attacks.

Released in November 2021, CISA’s Known Exploited Vulnerabilities Catalog has more than 350 entries, and the agency is periodically adding new bugs.

On Monday, CISA expanded the list with both new and old security issues, including vulnerabilities recently patched in Apple iOS and SonicWall SMA 100 appliances.

Tracked as CVE-2022-22587, the iOS flaw is a memory corruption security defect impacting the oft-targeted iOS kernel extension IOMobileFrameBuffer that could be exploited to execute arbitrary code with kernel privileges.

Apple patched the vulnerability last week, with the release of iOS 15.3 and iPadOS 15.3. Right from the start, the Cupertino, Calif.-based tech giant warned that it received a report of this bug being exploited in malicious attacks.

[READ: CISA’s ‘Must Patch’ List Puts Spotlight on Vulnerability Management Processes]

The SonicWall Secure Mobile Access (SMA) 100 appliances vulnerability, which is tracked as CVE-2021-20038, was patched in December 2021. It is described as a critical-severity (CVSS score of 9.8) stack-based buffer overflow leading to complete device takeover.

At least one proof-of-concept (PoC) exploit was publicly available when the patch was released, and in-the-wild exploitation attempts were confirmed last week.

Federal agencies have until February 11 to apply the available fixes. As per BOD 22-01, which was published along CISA’s “Must Patch” list, federal agencies have to patch the issues in the catalog within a specific timeframe and to report on the status of the patches.

The remaining six vulnerabilities that CISA added to the list this week are older flaws affecting GNU Bash (CVE-2014-7169 and CVE-2014-6271), Microsoft Windows (CVE-2020-0787), Internet Explorer (CVE-2014-1776), Grandstream UCM6200 series (CVE-2020-5722), and Intel AMT, SBT, and Standard Manageability (CVE-2017-5689).

CISA gave federal organizations until July 11 to address these vulnerabilities within their environments. However, the agency told SecurityWeek that those organizations that fail to meet the established deadlines will not be penalized.

Furthermore, the agency clarified that the catalog was created to help organizations both patch high-risk flaws within their networks and to create and improve their vulnerability management processes.

Related: CISA Releases Final IPv6 Security Guidance for Federal Agencies

Related: CISA Expands ‘Must-Patch’ List With Log4j, FortiOS, Other Vulnerabilities