The US Cybersecurity and Infrastructure Security Agency (CISA) has added several Linux and Linux-related flaws to its known exploited vulnerabilities (KEV) catalog.
The agency added seven new vulnerabilities to its KEV catalog on Friday: Ruckus AP remote code execution (CVE-2023-25717), Red Hat Polkit privilege escalation (CVE-2021-3560), Linux kernel privilege escalations (CVE-2014-0196 and CVE-2010-3904), Jenkins UI information disclosure (CVE-2015-5317), Apache Tomcat remote code execution (CVE-2016-8735), and an Oracle Java SE and JRockit issue (CVE-2016-3427).
The Ruckus product vulnerability has been exploited by a DDoS botnet named AndoryuBot.
However, there do not appear to be any public reports describing exploitation of the other vulnerabilities added to CISA’s catalog. Technical details and proof-of-concept (PoC) exploits are available, which is not surprising considering that some of them have been known for a decade.
One aspect all the vulnerabilities appear to have in common is their connection to Linux, which indicates that they might have been leveraged in attacks on Linux systems. NIST’s advisories for each security hole include references to advisories posted by various Linux distributions to describe impact of these flaws and the availability of patches.
At least some of these issues may have been exploited in attacks targeting Android devices — Linux kernel vulnerabilities being exploited in Android attacks is not unheard of.
CISA also pointed out a connection between two of the vulnerabilities. The Apache Tomcat flaw exists because a component was “not updated to take account of Oracle’s fix for CVE-2016-3427”.
However, it’s unclear if the weaknesses have been exploited by the same threat actor or whether multiple of these issues have been chained or used as part of the same attack.
The agency only adds a vulnerability to its catalog if it has reliable evidence of exploitation in the wild. It’s possible that it has privately obtained the information about active exploitation for these flaws.
This is not the first time CISA has been the first to sound the alarm regarding the exploitation of a Linux vulnerability. Nearly one year ago, the agency warned organizations about the vulnerability known as PwnKit being exploited.
Related: 557 CVEs Added to CISA’s Known Exploited Vulnerabilities Catalog in 2022
Related: CISA Warns of Attacks Exploiting Oracle WebLogic Vulnerability Patched in January
Related: Three Innocuous Linux Vulnerabilities Chained to Obtain Full Root Privileges