The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 16 new CVE identifiers to its list of known exploited vulnerabilities, including a Windows flaw that federal agencies are required to patch within two weeks.
A majority of the 15 flaws added by CISA to its “Known Exploited Vulnerabilities Catalog” on Thursday are old — they were disclosed in 2014, 2015, 2016, 2017, 2018 and 2020. They impact Windows, Jenkins, Apache Struts and ActiveMQ, Oracle’s WebLogic, Microsoft Office, D-Link routers, and Apple’s OS X operating system.
The most recent vulnerability of the ones added on Thursday is CVE-2021-36934, a Windows local privilege escalation vulnerability that Microsoft patched in August 2021. The tech giant initially released workarounds and mitigations in July 2021, when the issue was disclosed.
The flaw, named HiveNightmare and SeriousSam, can allow a local user with low privileges to achieve SYSTEM privileges. Cybersecurity experts warned at the time of disclosure that the vulnerability could pose a serious risk due to the fact that it’s easy to exploit.
There do not appear to be any recent public reports about active exploitation of CVE-2021–36934. However, CISA recently confirmed for SecurityWeek that it’s aware of real world attacks for each flaw included in the catalog, even if in some cases there do not appear to be any public reports of malicious exploitation. The agency said it does not publicly provide details about exploitation.
Microsoft confirms that details of the vulnerability are public and assigns it an “exploitation more likely” exploitability rating, but the company’s advisory (last updated in August 2021) currently says it’s not aware of attacks. Microsoft told SecurityWeek on Friday that it has nothing to share beyond its advisory and additional guidance.
It’s possible that CISA added CVE-2021–36934 to the list of known exploited vulnerabilities based on information from a blog post published by SentinelOne in early August 2021. The endpoint security firm noted at the time that it had seen several malware samples uploaded to the VirusTotal scanning service that had incorporated the available HiveNightmware exploits. SentinelOne said the vulnerability could help attackers simplify the process of exfiltrating credentials.
SecurityWeek has reached out to SentinelOne to find out if CISA’s warning might be related to its older blog post and if it has actually seen those malware samples being used in the wild. However, the company was not able to share any information on Friday.
When CISA launched the list of known exploited vulnerabilities, it also announced Binding Operational Directive (BOD) 22-01, which requires federal civilian agencies to identify and address known exploited vulnerabilities within defined timeframes — newer flaws need to be patched within two weeks while older issues must be fixed within six months.
As instructed by the BOD, HiveNightmware will need to be patched until February 24, while the other flaws will need to be fixed by August 10.
As for CVE-2022-22620, the WebKit vulnerability that CISA added to its list on Friday, Apple says it has been exploited, but it has not shared any information about the attacks. CISA has given federal agencies until February 25 to patch the flaw.
While the BOD only applies to federal civilian agencies, CISA “strongly urges” all organizations to prioritize the vulnerabilities in its “must patch” list to reduce exposure to attacks.